Or, a tale of two choices.
“The bug involves the way user privilege levels are set within the operating system. It appears that anyone with authorized access to a Windows computer is able to create an ordinary user account, and then 'trick' Windows into elevating the account with administrator privileges. The attack can easily be pulled off remotely or locally and can result in significant damage, including but not limited to: malware infection, identity theft, and access to otherwise sensitive data as a result of the elevation to administrator privileges. (Source: google.com)” – Infopackets
So, Google’s security wonks discovered a severe security flaw and duly notified Microsoft. The latter asked Google not to publish the flaw for 90 days while MS coders could generate a patch and test it. Google agreed.
MS generally publishes its patches on Patch Tuesday, which was to be 92 days after the notification. MS asked Google for an additional two days. Not really unreasonable considering the damage which could occur to innocent users should the flaw be published before the patch was distributed, and honestly, what would be so terrible in waiting two additional days, compared to possible damages to individuals?
Google didn’t see it that way, maybe because its lawyers might have said Google would be negligent if it didn’t notify? Nah, I don’t buy that either. To me, common sense and common decency would have indicated remaining quiet for two additional days since Google did its due diligence in notifying MS and since MS was publishing a patch. What did those two days really mean to Google? Is it all just because of corporate bad blood and “gotcha”?
Well, MS’s side of it:
“Google revealed the details of the security flaw to the public this past Sunday (January 11th, 2015) -- a full 90 days after it made Microsoft aware of the problem. The timing of public disclosure is what has caused the spat between the two. Microsoft says it, and many other firms, promotes a philosophy called responsible security disclosure (aka Coordinated Vulnerability Disclosure), in which researchers that discover bugs should keep the details secret until the relevant software developers have had enough time to find and issue a fix.” – ibid
“CVD philosophy and action is playing out today as one company - Google - has released information about a vulnerability in a Microsoft product, two days before our planned fix on our well known and coordinated Patch Tuesday cadence, despite our request that they avoid doing so. Specifically, we asked Google to work with us to protect customers by withholding details until Tuesday, January 13, when we will be releasing a fix. Although following through keeps to Google’s announced timeline for disclosure, the decision feels less like principles and more like a “gotcha”, with customers the ones who may suffer as a result. What’s right for Google is not always right for customers. We urge Google to make protection of customers our collective primary goal.” – Chris Betz
What are your thoughts about this? Is MS right about the responsibility? After all, does Google owe MS’s customers anything? Would the right thing have been to withhold publication until after MS issued the patch?
Sources:
http://www.infopackets.com/news/9479/google-exposes-severe-windows-flaw-fix-due
http://technet.microsoft.com/en-us/security/dn467923
http://blogs.technet.com/b/msrc/archive/2015/01/11/a-call-for-better-coordinated-vulnerability-disclosure.aspx