Google discloses another unpatched Windows flaw, irritates Microsoft

Microsoft is unhappy that Google didn't want to wait another two days before publicly releasing details about the vulnerability

Google released details of a second unpatched privilege escalation flaw in Windows 8.1 in less than a month, drawing criticism from Microsoft.

Microsoft is unhappy with the 90-day public disclosure deadline enforced by Google's security research team known as Project Zero.

Project Zero members routinely find vulnerabilities in products from other companies. These flaws get reported to the affected software vendors and if they are not patched in 90 days, Google automatically makes the vulnerability details public.

On Dec. 29, Google Project Zero disclosed an elevation of privilege (EoP) vulnerability affecting Windows 8.1 that Microsoft hadn't yet patched. The vulnerability was reported to Microsoft on Sept. 30, so the 90-day deadline expired, Google said at the time.

On Sunday, the company's researchers disclosed yet another unpatched EoP flaw in Windows 8.1, which had been reported to Microsoft on Oct. 13. This time the disclosure irked Microsoft, which planned to fix the vulnerability tomorrow. Microsoft releases security patches on the second Tuesday of every month, which has come to be known as Patch Tuesday in the industry.

As the name suggests, an EoP flaw can be exploited to gain administrator privileges on a system from a low-privileged account. Such flaws are not rated critical, unlike those that allow arbitrary code execution, but they can make code-execution flaws considerably more dangerous by removing the need for a separate privilege escalation step, and they should be patched.

"We asked Google to work with us to protect customers by withholding details until Tuesday, January 13, when we will be releasing a fix," said Chris Betz, senior director with Microsoft's Security Response Center, in a blog post Sunday. "Although following through keeps to Google's announced timeline for disclosure, the decision feels less like principles and more like a 'gotcha', with customers the ones who may suffer as a result."

The entry corresponding to this vulnerability on Google's security research tracker confirms that Microsoft was denied a deadline extension.

"Microsoft were informed that the 90 day deadline is fixed for all vendors and bug classes and so cannot be extended," the entry reads. "Further they were informed that the 90 day deadline for this issue expires on the 11th Jan 2015."

In practice, companies like Microsoft, which follow monthly or quarterly patching cycles and only rarely deviate from them to fix actively exploited, high-risk flaws, have less than 90 days to push out fixes for security issues reported by Google.

For example, if Google's researchers contact Microsoft about a flaw a few days after the company released its latest monthly batch of security updates, the company will have to develop a patch and have it ready for the next Patch Tuesday or the one after that -- in around 60 days. If it waits longer, the deadline will expire before its next scheduled patch release, as happened in this case.
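To make the arithmetic above concrete, here is an added example (not from the article or from either company) that computes the 90-day deadline for a report date, the second-Tuesday release days a vendor on a Patch Tuesday cycle could use before that deadline, and the first release day that falls after it. The `min_lead_days` parameter is an assumption of this example, used to drop release days that fall too soon after the report to realistically carry a fix.

```python
from datetime import date, timedelta
import calendar

DEADLINE_DAYS = 90  # Project Zero's fixed disclosure window, as described in the article


def _as_date(value):
    """Accept a date or an ISO 8601 string such as '2014-10-13'."""
    return value if isinstance(value, date) else date.fromisoformat(value)


def patch_tuesday(year, month):
    """Second Tuesday of the month, Microsoft's regular patch release day."""
    first = date(year, month, 1)
    days_to_first_tuesday = (calendar.TUESDAY - first.weekday()) % 7
    return first + timedelta(days=days_to_first_tuesday + 7)


def next_month(year, month):
    return (year + 1, 1) if month == 12 else (year, month + 1)


def disclosure_deadline(reported):
    """Date on which the 90-day deadline expires for a report made on `reported`."""
    return _as_date(reported) + timedelta(days=DEADLINE_DAYS)


def patch_windows(reported, min_lead_days=0):
    """Return (deadline, usable Patch Tuesdays before it, first Patch Tuesday after it).

    min_lead_days is an assumed knob, not from the article: release days fewer
    than that many days after the report are treated as unusable for the fix.
    """
    reported = _as_date(reported)
    deadline = disclosure_deadline(reported)
    usable, year, month = [], reported.year, reported.month
    while True:
        release = patch_tuesday(year, month)
        if release > deadline:
            return deadline, usable, release
        if release > reported and (release - reported).days >= min_lead_days:
            usable.append(release)
        year, month = next_month(year, month)


if __name__ == "__main__":
    # The two Windows 8.1 report dates named in the article.
    for reported in ("2014-09-30", "2014-10-13"):
        deadline, usable, first_after = patch_windows(reported, min_lead_days=14)
        print(f"reported {reported}: deadline {deadline}, "
              f"usable release days {[str(d) for d in usable]}, "
              f"first release day past deadline {first_after} "
              f"({(first_after - _as_date(reported)).days} days after report)")
```

For the Oct. 13 report this yields a Jan. 11 deadline with Nov. 11 and Dec. 9 as usable release days, and Jan. 13 as the first release day after the deadline, 92 days out, which is the two-day gap the article describes.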

"We believe those who fully disclose a vulnerability before a fix is broadly available are doing a disservice to millions of people and the systems they depend upon," Betz said. "Other companies and individuals believe that full disclosure is necessary because it forces customers to defend themselves, even though the vast majority take no action, being largely reliant on a software provider to release a security update. Even for those able to take preparatory steps, risk is significantly increased by publicly announcing information that a cybercriminal could use to orchestrate an attack and assumes those that would take action are made aware of the issue."

Microsoft, whose researchers also find vulnerabilities in products from other companies, encourages and practices what it calls "Coordinated Vulnerability Disclosure" (CVD), a policy where those who find vulnerabilities work with the vendor until fixes are made available and only then share details about those flaws publicly.

This might sound like the responsible thing to do, but software vendors are not equal in how they handle vulnerability reports. Some may take months or years to fix a particular flaw, and some are very bad at communicating with external security researchers.

There have been many cases in the past where different researchers independently discovered the same vulnerability, which means that, given enough time, malicious hackers might also find and exploit flaws that researchers have reported but vendors have not yet patched. Google's deadline attempts to strike a balance between the vulnerability remediation needs of software vendors and the public interest.

"Project Zero believes that disclosure deadlines are currently the optimal approach for user security -- it allows software vendors a fair and reasonable length of time to exercise their vulnerability management process, while also respecting the rights of users to learn and understand the risks they face," said Project Zero researcher Ben Hawkes in December following the disclosure of the first EoP flaw. "By removing the ability of a vendor to withhold the details of security issues indefinitely, we give users the opportunity to react to vulnerabilities in a timely manner, and to exercise their power as a customer to request an expedited vendor response."

Google is right, said Robert Graham, the CTO of security research firm Errata Security, in a blog post. "Since we can't make perfect software, we must make fast and frequent fixes the standard. Nobody should be in the business of providing 'secure' software that can't turn around bugs quickly. Rather than 90 days being too short, it's really too long."
