Microsoft criticises Google for outing Windows vulnerability prior to fix - MCV

Google has prioritised the calling out of a rival over the digital security of its customers, Microsoft has claimed.

The search giant chose to publish details of a security vulnerability in Windows 8.1 two days ahead of the release of a patch that it knew was coming, and despite requests to keep the information quiet until tomorrow.

“Although following through keeps to Google's announced timeline for disclosure, the decision feels less like principles and more like a ‘gotcha', with customers the ones who may suffer as a result,” Chris Betz, senior director of Microsoft's Security Response Center, said.

“What's right for Google is not always right for customers. We urge Google to make protection of customers our collective primary goal.”

Most high-profile members of the software industry have signed up to what is called Coordinated Vulnerability Disclosure (CVD), the gist of which is that security vulnerabilities are kept quiet until a fix is issued, reducing the window in which wrongdoers can take advantage of them.

The counter-argument is that vulnerabilities should be publicised as and when they are discovered, both to make consumers aware of the danger and to better incentivise software makers to fix the issue.

“Microsoft has long believed coordinated disclosure is the right approach and minimizes risk to customers,” Betz added. “We believe those who fully disclose a vulnerability before a fix is broadly available are doing a disservice to millions of people and the systems they depend upon.

“Of the vulnerabilities privately disclosed through coordinated disclosure practices and fixed each year by all software vendors, we have found that almost none are exploited before a ‘fix' has been provided to customers, and even after a ‘fix' is made publicly available only a very small amount are ever exploited.

“Conversely, the track record of vulnerabilities publicly disclosed before fixes are available for affected products is far worse, with cybercriminals more frequently orchestrating attacks against those who have not or cannot protect themselves.”