Microsoft Pri0

Welcome to Microsoft Pri0: That's Microspeak for top priority, and that's the news and observations you'll find here from Seattle Times technology reporter Matt Day.

January 12, 2015 at 8:58 AM

Microsoft criticizes Google for releasing Windows bug

The rivalry between Microsoft and Google has spread to the realm of software bugs.

For the second time in a few weeks, Google security researchers posted details about a Windows security flaw before Microsoft fixed the bug. Microsoft didn’t publicly reply to Google after the first case.

But after Google detailed another security vulnerability Sunday, two days before Microsoft’s release of its regular slate of software fixes, a Microsoft official accused the Mountain View, Calif., company of trying to embarrass Microsoft rather than protect customers.

Google’s “Project Zero,” its security unit dedicated to finding and exposing bugs, on Sunday revealed a Windows 8.1 security flaw that can allow low-level users of a network to gain administrator privileges and access sensitive functions.

Google says it follows a consistent formula with its security efforts. Once researchers discover a flaw, they alert the company whose software is involved, and give them 90 days to fix the error before Google makes the bug public (along with code that could allow people to exploit it).

In this case, Google alerted Microsoft to the problem on October 13. Microsoft, Google says, replied that it was on track to fix the problem by February 2015. Google said its 90-day deadline wasn’t negotiable.

Part of why Microsoft bristled at this release: the company told Google it was now planning to fix the flaw as part of its regular “patch Tuesday” slate of software updates this week, said Chris Betz, senior director of Microsoft’s Security Response Center, in a blog post. Google didn’t budge.

“Although following through keeps to Google’s announced timeline for disclosure, the decision feels less like principles and more like a ‘gotcha,’ with customers the ones who may suffer as a result,” Betz said. “What’s right for Google is not always right for customers. We urge Google to make protection of customers our collective primary goal.”

Google’s supporters argue that setting firm deadlines helps spur action by companies like Microsoft, particularly when flaws are live and potentially already exploited by folks with bad intentions. There’s a lengthy debate about the policy on Google’s December post revealing the earlier Windows flaw.

Google didn’t immediately respond to a call and email seeking comment.
