Google vs Microsoft: Game of Flaws

As part of its Project Zero security initiative, Google disclosed a few vulnerabilities in Windows, some ahead of a planned patch. Google simply adhered to its “publicize in 90 days after private vendor disclosure” policy, but where are end users’ interest in this “game of flaws”?

An unlikely spat between Microsoft and Google took place earlier this month when Google publicized a serious vulnerability in Microsoft products. The disclosure was made as a part of Project Zero, which launched last summer. After finding a number of flaws in software used by many end-users while researching other problems such as the critical “Heartbleed” vulnerability, Google decided to form a full-time team dedicated to finding such vulnerabilities – not only in Google software but also in any software used by its users. The project discloses vulnerabilities publicly together with the code required to exploit them, but only 90 days after the original developers are notified of these bugs’ existence. This is a well known and generally accepted rule of the game. The data on the Microsoft vulnerability was disclosed just two days ahead of Microsoft’s planned patch release. Understandably, Microsoft was not happy.

The Bug One

The vulnerability was serious: it was a 0day bug in Windows 8.1 that would allow low-level users to escalate their privileges in the system, getting access to sensitive functions they would not otherwise have. The full data is available at Google Security Research.

Microsoft not so happy

After the disclosure, Chris Betz, senior director of the Microsoft Security Response Center, responded with a lengthy blogpost slamming Google for irresponsible behavior, saying that Google “has released information about a vulnerability in a Microsoft product, two days before our planned fix on our well known and coordinated Patch Tuesday cadence, despite our request that they avoid doing so.”

The decision to stick to Google’s disclosure timeline, said Betz, “feels less like principles and more like a ‘gotcha,’ with customers the ones who may suffer as a result.”

Additionally, Betz called for a more coordinated approach to releasing data on vulnerabilities, citing the end users’ interest.

Google’s response: Here go more bugs

Instead of dueling with words, Google laid down a handful of other security flaws, including a bug in the CryptProtectMemory memory-encrypting function in Windows 7 and 8.1. Again, this was done strictly 90 days after disclosing them to the vendor.

Google’s James Forshaw who discovered both these bugs, said that Microsoft prepared an update for the CryptProtectMemory bug, but had to pull it due to “compatibility issues.” In other words, it was botched and the release postponed till February.

Opinions split

Unsurprisingly, opinions on this matter are split. Some praise Google for keeping their word and not giving any extra privileges to vendors, even one as globally important as Microsoft. Three months seems to be a sufficient timeframe to fix any bug, both in Google’s view and many experts.

Others, however, side with Microsoft, believing that the “one size fits all” approach isn’t good for some vulnerabilities, and it may take a vendor more time to fix the most serious problems. Besides, Google only had to wait two days before the patch would have been released.

The real questions are: How hard are these bugs to fix? And how much did Microsoft’s layoffs of its testing-focused Windows and Office software engineers over the summer contribute to its present problems.

There are also those who believe Google isn’t exactly a neutral party here. In some areas it directly competes with Microsoft, so it can be seen as lucrative for Google to enforce its 90-days rule here with extra zeal.

What this boils down to is Google’s standard 90 days disclosure for everyone vs Microsoft’s standard Tuesday patch-day. What, if any, priority is placed on the user’s interest in this battle? Google isn’t exactly perfect when it comes to vulnerabilities in its own code. Google is currently at odds with a security firm that discovered a new Android Wi-Fi bug last fall. Google downplays the flaw’s severity, refusing to release a patch as soon as possible, while the security researchers consider it quite dangerous. So far they have postponed their advisory several times, expecting Google to release the update, but to no avail. Apparently, the advisory is going ahead now.

It should be mentioned that ZDNet’s Ed Bott suggested Google amend its standard rule and adjust the deadline ” to correspond to the Patch Tuesday after the 90-day deadline expires”, since not just Microsoft, but also Adobe – which is also extremely popular and quite vulnerable software – has Tuesday as their standard patch release day. There’s no word yet if Google plans to heed this suggestion.