{"id":3531,"date":"2015-01-27T17:40:41","date_gmt":"2015-01-27T17:40:41","guid":{"rendered":"http:\/\/kasperskydaily.com\/b2b\/?p=3531"},"modified":"2020-02-26T10:59:34","modified_gmt":"2020-02-26T15:59:34","slug":"google-vs-microsoft-game-of-flaws","status":"publish","type":"post","link":"https:\/\/www.kaspersky.com\/blog\/google-vs-microsoft-game-of-flaws\/3531\/","title":{"rendered":"Google vs Microsoft: Game of Flaws"},"content":{"rendered":"<p>An unlikely spat between Microsoft and Google took place earlier this month when Google publicized a serious vulnerability in a Microsoft product. The disclosure was made as part of <a href=\"http:\/\/googleprojectzero.blogspot.ru\/\" target=\"_blank\" rel=\"noopener nofollow\">Project Zero<\/a>, which launched last summer. After finding a number of flaws in widely used software while researching other problems, such as the critical \u201cHeartbleed\u201d vulnerability, Google decided to form a full-time team dedicated to finding such vulnerabilities, not only in Google software but in any software its users rely on. The project discloses vulnerabilities publicly, together with the code required to exploit them, but only 90 days after the original developers are notified of the bugs\u2019 existence. This is a well known and generally accepted rule of the game. The data on the Microsoft vulnerability was disclosed just two days ahead of Microsoft\u2019s planned patch release. Understandably, Microsoft was not happy.<\/p>\n<p><strong>The Bug One<\/strong><\/p>\n<p>The vulnerability was serious: it was a zero-day bug in Windows 8.1 that would allow low-privileged local users to escalate their privileges on the system, gaining access to sensitive functions they would not otherwise have. 
The full data is available at <a href=\"https:\/\/code.google.com\/p\/google-security-research\/issues\/detail?id=123\" target=\"_blank\" rel=\"noopener nofollow\">Google Security Research<\/a>.<\/p>\n<p><strong>Microsoft not so happy<\/strong><\/p>\n<p>After the disclosure, Chris Betz, senior director of the Microsoft Security Response Center, responded with <a href=\"http:\/\/blogs.technet.com\/b\/msrc\/archive\/2015\/01\/11\/a-call-for-better-coordinated-vulnerability-disclosure.aspx\" target=\"_blank\" rel=\"noopener nofollow\">a lengthy blogpost<\/a> slamming Google for irresponsible behavior, saying that Google \u201chas released information about a vulnerability in a Microsoft product, two days before our planned fix on our well known and coordinated Patch Tuesday cadence, despite our request that they avoid doing so.\u201d<\/p>\n<p>The decision to stick to Google\u2019s disclosure timeline, said Betz, \u201cfeels less like principles and more like a \u2018gotcha,\u2019 with customers the ones who may suffer as a result.\u201d<\/p>\n<p>Additionally, Betz called for a more coordinated approach to releasing vulnerability data, citing the interests of end users.<\/p>\n<p><strong>Google\u2019s response: Here go more bugs<\/strong><\/p>\n<p>Instead of dueling with words, Google disclosed <a href=\"http:\/\/www.zdnet.com\/article\/microsoft-fumes-google-discloses-another-windows-security-flaw\/\" target=\"_blank\" rel=\"noopener nofollow\">a handful of other security flaws<\/a>, including a bug in the CryptProtectMemory memory-encrypting function in Windows 7 and 8.1. 
Again, this was done exactly 90 days after reporting them to the vendor.<\/p>\n<p>Google\u2019s James Forshaw, who discovered both bugs, said that Microsoft had prepared an update for the CryptProtectMemory bug but had to pull it due to \u201ccompatibility issues.\u201d In other words, the fix was botched and its release postponed until February.<\/p>\n<p><strong>Opinions split<\/strong><\/p>\n<p>Unsurprisingly, opinions on this matter are split. Some praise Google for keeping its word and granting no special treatment to any vendor, even one as globally important as Microsoft. Three months seems a sufficient timeframe to fix any bug, in the view of Google and many experts.<\/p>\n<p>Others, however, side with Microsoft, believing that a \u201cone size fits all\u201d approach isn\u2019t right for every vulnerability, and that a vendor may need more time to fix the most serious problems. Besides, Google only had to wait two more days for the patch to be released.<\/p>\n<p>The real questions are: How hard are these bugs to fix? And how much did Microsoft\u2019s layoffs of its testing-focused Windows and Office software engineers over the summer contribute to its present problems?<\/p>\n<p>There are also those who believe Google isn\u2019t exactly a neutral party here. 
In some areas it competes directly with Microsoft, so it could be seen as advantageous for Google to enforce its 90-day rule here with extra zeal.<\/p>\n<p>What this boils down to is Google\u2019s standard 90-day disclosure deadline for everyone versus Microsoft\u2019s standard Patch Tuesday cadence. What priority, if any, is placed on the user\u2019s interest in this battle? Google isn\u2019t exactly perfect when it comes <a href=\"https:\/\/threatpost.com\/several-vulnerabilities-found-in-google-app-engine\/109749\" target=\"_blank\" rel=\"noopener nofollow\">to vulnerabilities in its own code<\/a>. Google is currently <a href=\"https:\/\/threatpost.com\/android-wi-fi-direct-vulnerability-details-disclosed\/110650\" target=\"_blank\" rel=\"noopener nofollow\">at odds with a security firm that discovered a new Android Wi-Fi bug last fall<\/a>. Google downplays the flaw\u2019s severity and has declined to release a patch as soon as possible, while the researchers consider it quite dangerous. So far they have postponed their advisory several times, expecting Google to release an update, but to no avail. Apparently, the advisory is now going ahead.<\/p>\n<p>It should be mentioned that ZDNet\u2019s Ed Bott <a href=\"http:\/\/www.zdnet.com\/article\/years-first-patch-tuesday-highlights-conflict-between-microsoft-and-google\/\" target=\"_blank\" rel=\"noopener nofollow\">suggested<\/a> Google amend its standard rule and adjust the deadline \u201cto correspond to the Patch Tuesday after the 90-day deadline expires,\u201d since not just Microsoft but also Adobe, whose software is also extremely popular and quite vulnerable, uses Tuesday as its standard patch release day. There\u2019s no word yet on whether Google plans to heed this suggestion.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>As part of its Project Zero security initiative, Google disclosed a few vulnerabilities in Windows, some ahead of a planned patch. 
Google simply adhered to its &#8220;publicize 90 days after private vendor disclosure&#8221; policy, but where is the end users&#8217; interest in this &#8220;game of flaws&#8221;?<\/p>\n","protected":false},"author":209,"featured_media":15780,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1999,3052],"tags":[2280,22,38,601,753],"class_list":{"0":"post-3531","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-business","8":"category-smb","9":"tag-disclosure","10":"tag-google","11":"tag-microsoft","12":"tag-patch-tuesday","13":"tag-project-zero"},"hreflang":[{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/google-vs-microsoft-game-of-flaws\/3531\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/google-vs-microsoft-game-of-flaws\/3531\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/google-vs-microsoft-game-of-flaws\/3531\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.com\/blog\/tag\/disclosure\/","name":"disclosure"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/3531","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/209"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=3531"}],"version-history":[{"count":3,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/3531\/revisions"}],"predecessor-version":[{"id":33445,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/3531\/revisions\/33445"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/b
log\/wp-json\/wp\/v2\/media\/15780"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=3531"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/categories?post=3531"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/tags?post=3531"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}