Microsoft Outraged over XP Flaw Disclosure
Microsoft recently criticized Google for publicly disclosing a remote code execution vulnerability affecting Windows XP and Server 2003. The problem was first reported to Microsoft on June 5th, but most of the world knew about it only four days later.
This did not sit well with Microsoft, which believes the flaw was made public before any meaningful repairs could be made to combat the issue. Worse yet, the company believes that revealing the situation to the public could have put users in danger.
Windows XP, 2003 Consumers At Risk
In an emotionally-charged rebuttal, Microsoft spokesperson Mike Reavey stated that "Public disclosure of the details of this vulnerability and how to exploit it, without giving us time to resolve the issue for our potentially affected customers, makes broad attacks more likely and puts customers at risk. One of the main reasons we and many others across the industry advocate for responsible disclosure is that the software vendor who wrote the code is in the best position to fully understand the root cause." (Source: tgdaily.com)
In other words, it was not in Google's best interest to report on something that did not involve them, especially considering the delicate nature of the situation.
These ill feelings were further amplified by the fact that Google only provided a partial analysis of the vulnerability in the first place. Microsoft called this initial analysis "incomplete" with a workaround that could be easily circumvented.
Microsoft Emphasizes Need for Cooperation
Reavey admits that it is important for researchers to work together in rooting out and solving problems in a collaborative manner, stating that "We recognize that researchers across the entire industry are a vital part of identifying issues and continually improving security, and we continue to ask researchers to work with us through responsible disclosure to help minimize the risk to customers while improving security." (Source: tgdaily.com)
Reavey says there is a right approach and a wrong approach to reporting certain situations.
In its current state, the vulnerability affects only Windows XP and Server 2003. There are currently no known exploits for Windows Vista, Server 2008 and Server 2008 R2.
Still, anything can change in the future, and if it does, Google may (or may not) be there to blow the whistle on Microsoft the next time around.
My name is Dennis Faas and I am a senior systems administrator and IT technical analyst specializing in cyber crimes (sextortion / blackmail / tech support scams) with over 30 years experience; I also run this website!