Microsoft Slams Google for Unveiling 'Critical' Windows Bug

By John Lister

Microsoft has criticized Google for revealing details of what the search giant has dubbed a "critical" security flaw in Windows. The two companies dispute whether Google gave Microsoft enough time to fix the problem before going public.

The controversy lies in the fact that Microsoft has yet to release a fix for the problem and has not even said if one exists.

The bug affects 32-bit editions of Windows and allows an unauthorized local privilege escalation. The effect is to undermine a security feature known as "sandboxing," which is designed so that if a hacker gains access to one part of an operating system or application, they cannot then reach other parts of the machine.

As an analogy, it's a little like having locks on every room in a house so that if somebody breaks in, they can't get past the initial room.

Google Only Waited One Week

Google says it discovered the bug and told Microsoft about the problem on Friday, October 21st, 2016. It says all three conditions that trigger its policy of going public just seven days after the initial report have been met.

These conditions are: the relevant software producer hasn't revealed the problem itself; the potential risks from the bug make it a critical issue; and there's evidence hackers are not just aware of the problem but are actively exploiting it. (Source: googleblog.com)

Microsoft Says Bug Not Critical

Microsoft disputes the classification of the bug as "critical". It says previous updates to Windows 10 mean that the attack method Google describes wouldn't work. It also says a recent update to Adobe Flash would stop the attack having any effect. (Source: cnet.com)

The dispute has reawakened a long-running debate about the principle of responsible disclosure. Supporters of the principle say security researchers shouldn't publicize bugs until a fix is available, since doing so risks tipping off would-be hackers. Critics say that keeping bugs quiet gives developers less incentive to fix them quickly or to avoid them in the first place.

What's Your Opinion?

Was Google right to go public with the bug now? How should security researchers balance the need for developers to have time to develop fixes against the right of the public to know about flaws? What's a reasonable time for software firms to fix bugs once they are told about them?


Comments

Dennis Faas:

Providing that there is "proof of concept" which effectively demonstrates the bug and it follows all the other protocol mentioned in the article, I see no reason to hold back on making a press release announcing such a bug. The fact is, whistle blowing gets things done. Microsoft needs to be accountable for fixing the bug and getting that bug fixed on time, especially if others (hackers) are actively exploiting it.

gbruce40_3626:

Protocol is what allows governments to hide problems from voters.
Google is, in my opinion, a much more believable company than Microsoft. As you say, "whistle blowing gets things done". So good for Google, they may force Microsoft to do the right thing in a timely manner.