The rivalry between Microsoft and Google has spread to the realm of software bugs.
For the second time in a few weeks, Google security researchers posted details about a Windows security flaw before Microsoft fixed the bug. Microsoft didn’t publicly reply to Google after the first case.
But after Google detailed another security vulnerability Sunday, two days before Microsoft’s release of its regular slate of software fixes, a Microsoft official accused the Mountain View, Calif., company of trying to embarrass Microsoft rather than protect customers.
Google’s “Project Zero,” its security unit dedicated to finding and exposing bugs, on Sunday revealed a Windows 8.1 security flaw that can allow low-privilege users on a network to gain administrator privileges and access sensitive functions.
Google says it follows a consistent formula with its security efforts. Once researchers discover a flaw, they alert the company whose software is involved and give it 90 days to fix the error before Google makes the bug public (along with code that could allow people to exploit it).
In this case, Google alerted Microsoft to the problem on October 13. Microsoft, Google says, replied that it was on track to fix the problem by February 2015. Google said its 90-day deadline wasn’t negotiable.
Part of why Microsoft bristled at this release: the company told Google it was now planning to fix the flaw as part of its regular “patch Tuesday” slate of software updates this week, said Chris Betz, senior director of Microsoft’s Security Response Center, in a blog post. Google didn’t budge.
“Although following through keeps to Google’s announced timeline for disclosure, the decision feels less like principles and more like a ‘gotcha,’ with customers the ones who may suffer as a result,” Betz said. “What’s right for Google is not always right for customers. We urge Google to make protection of customers our collective primary goal.”
Google’s supporters argue that setting firm deadlines helps spur action by companies like Microsoft, particularly when flaws are live and potentially already exploited by folks with bad intentions. There’s a lengthy debate about the policy on Google’s December post revealing the earlier Windows flaw.
Google didn’t immediately respond to a call and email seeking comment.