Microsoft scolds Google for lack of flexibility in vulnerability disclosure

Microsoft is not pleased with Google’s recent release of the details of a zero-day Windows 8.1 vulnerability and the code that can be used to exploit it, and has criticized the company’s lack of flexibility when it comes to vulnerability disclosure.

“Ultimately, vulnerability collaboration between researchers and vendors is about limiting the field of opportunity so customers and their data are better protected against cyber attacks,” noted Chris Betz, Senior Director of the Microsoft Security Response Center. “Releasing information absent context or a stated path to further protections, unduly pressures an already complicated technical environment.”

Microsoft pointed out that the bug was initially reported to Microsoft on September 30, and Google’s (automatic) public disclosure came on December 29, falling neatly within the maximum 90 days Google is willing to sit on zero-day vulnerability knowledge to make vendors patch before the disclosure.

Betz says that Microsoft has asked Google to withholding details about the flaw until Tuesday, January 13, when a fix is to be released as a part of the company’s scheduled Patch Tuesday.

“Although following through [with the vulnerability release] keeps to Google’s announced timeline for disclosure, the decision feels less like principles and more like a ‘gotcha’, with customers the ones who may suffer as a result,” he complained in a blog post, pointing out that what’s right for Google is not always right for customers.

“We believe those who fully disclose a vulnerability before a fix is broadly available are doing a disservice to millions of people and the systems they depend upon,” he noted, adding that vulnerabilities publicly disclosed before fixes are available are frequently exploited by cyber crooks.

“Responding to security vulnerabilities can be a complex, extensive and time-consuming process. We don’t believe it would be right to have our security researchers find vulnerabilities in competitors’ products, apply pressure that a fix should take place in a certain timeframe, and then publically disclose information that could be used to exploit the vulnerability and attack customers before a fix is created,” he said, and called for a partnership between researchers and vendors that is concentrated on protecting the customers.

In this particular case, Google’s publishing of vulnerability details might have been a touch premature, but let’s not forget that private disclosure of vulnerabilities and a long period of grace given to vendors or service providers who aren’t that keen on reacting is counter productive to customer security, as evidenced by the recent Moonpig API flaw debacle.

Luckily for Microsoft customers, this latest vulnerability disclosure involved a flaw that cannot be exploited by a remote attacker, and he or she would need to know the valid logon credentials in order to take advantage of it locally.