Google Exposes Severe Windows Flaw Before Fix Due

By John Lister

Microsoft has publicly lashed out at Google for revealing a severe security flaw in Windows 8.1 before it was able to release a fix. The public disclosure has reawakened a longstanding dispute about how to go about reporting security flaws. Comments on Google's website suggest that the same bug also affects Windows 7 Professional 64-bit with Service Pack 1; if true, it's equally likely that the bug also affects other earlier versions of the Windows operating system, including Windows XP, which is no longer supported by Microsoft and will therefore remain unpatched.

The bug involves the way user privilege levels are set within the operating system. It appears that anyone with authorized access to a Windows computer is able to create an ordinary user account and then 'trick' Windows into elevating that account to administrator privileges.

The attack can easily be pulled off remotely or locally and can result in significant damage, including but not limited to malware infection, identity theft, and access to otherwise sensitive data as a result of the elevation to administrator privileges. (Source: google.com)

Fix Due in January's 'Patch Tuesday'

Microsoft is due to release a fix for the problem in this month's standard monthly security update, which starts rolling out Tuesday, January 13th (today).

Google revealed the details of the security flaw to the public this past Sunday (January 11th, 2015) -- a full 90 days after it made Microsoft aware of the problem. The timing of public disclosure is what has caused the spat between the two.

Microsoft says that it, along with many other firms, promotes a philosophy called responsible security disclosure, in which researchers who discover bugs keep the details secret until the relevant software developers have had enough time to find and issue a fix.

Google Accused of Inflexible Deadline

Google supports the idea of responsible security disclosure, but believes it may allow developers too much room to drag their feet before finding and releasing fixes. Its policy is to inform developers as soon as it finds a bug and give them 90 days to find the fix before going public, which it believes is a reasonable deadline.

Microsoft says that in this case, Google refused a specific request that it hold off two extra days until the fix was distributed to users in its regular monthly security update. It says that although Google stuck rigidly to its own published timetable, its decision to refuse Microsoft's request "feels less like principles and more like a 'gotcha,' with customers [being] the ones who may suffer as a result." (Source: technet.com)

Google has not commented publicly on this specific incident.

What's Your Opinion?

Should Google have waited the extra two days before going public with this announcement, knowing that Microsoft was planning to release a fix only a few days away? Or, do you believe that Google has the right to stick to its 90-day deadline to help ensure that software firms deal with incidents more quickly? Can you think of a better solution that gives the right to full disclosure to the public, but also keeps would-be hackers from learning about and exploiting the same bugs before they are properly fixed?


Comments

alan-b:

MickySoft ignores some security issues for years before they fix them.

It is time they learn to work to a deadline, and 90 days is more than generous.

Douglas Godbey:

Given the expressed thought that the fault is in Win 8.1, Win7 AND XP, MS has had a boatload of time over and above the '90 days'. They've had several YEARS to fix it. As far as I'm concerned, Google just held MS developers' feet to the fire! After all, MS has proven itself to be rather lazy about software releases in the past!

Way to go, Google Gang!

doliceco:

The public should be informed as soon as anyone discovers a security flaw in any software. How many computers can be affected adversely over a period of even 90 days before a fix is announced? With terrorist hackers now threatening our country's IT, it's not only home and business computer users who are at risk, but the very infrastructure of the whole country (utilities, financial systems and even government systems themselves).

Boots66:

Well, thank goodness I don't rely on any of you for my software safety. I am NOT going to give Microsoft any excuse for not doing their due diligence at all, but from this article, it was simply grandstanding on Google's part to be so irresponsible as to put this out in the public domain if they were aware that Microsoft did have a valid fix for it that would be out in two days. Sorry, but I am far from a Google fan; they are nothing more than a mega company that will do whatever they can get away with and do not give a tinker's d___ about personal privacy or safety.
I always recommend that anyone be very careful in any dealings with Google and read carefully anything that Google issues out in the way of rules of use.

doulosg:

Call them (Google) Microsoft II, or The New Empire.

If this were an isolated incident, it would be easy to side with Google, especially against Microsoft. But Google are beginning to act with the same arrogance that plagues Redmond, and Adobe, and every other software firm that begins to think that they own the internet and simply do what they want with us.

Yeah, they could have waited 2 days for Patch Tuesday. Do no harm, Google.

RedDawg:

If it were always as simple as fixing a few lines of code, yes. But how many other parts of the code (in how many hundreds of thousands or millions of lines of other code) that call the offending bug need to be tested as well? Testing must be complete to ensure nothing breaks or causes another bug. I think a reasonable request for time should be respected. This time Google screwed up big time! Exposing a bug when a fix is in the pipes for a scheduled release was OUT OF LINE!

raymond_tissier_3601:

An occasion at THE HIGH COURT in LONDON comes to mind, Room 213 I believe, wherein one can obtain injunctions, a truly nerve-wracking and grim task indeed, going before a craggy, old, miserable, bewigged LION of a Judge. My wife, a wispy fashionable type, spoke quietly: "Muh Ludd, I wish to obtain an injunction"... the Judge growled back, rattling her paperwork in the air: "This is a nonsense! Find an attorney and be back here in the morning"... my wife replied meekly, "but Muh Ludd, it's 5:15, I haven't time to find an attorney." "TIME" boomed the judge! "TIME!!.. WHY, YOU'VE PLENTY OF TIME"!!! "USHER! Remove this woman..."

So it is with Microsoft: the time allowed has been a more than generous 90 days, a ridiculous amount of time with a hundred million people's security at risk. 30 days would be more appropriate, AND NO EXTENSION OF TIME EITHER!!!

As for Microsoft and Google's gentleman's agreements, they are adversaries,

"LET THE JOUSTING CONTINUE".

w4bms9_2757:

I concur that the 30-day timeline is better than 90, but I have a question: can it do the right job in that short time? Why not have a compromise of 60 days, but allow anyone who knows about a problem to say then that there is a problem, just so people can be aware of the problem and take steps to protect themselves.

guitardogg:

Okay, this is bullsh!t. Both sides need to ask themselves, what is best for the millions of users out there. Having a deadline is reasonable, and 90 days is probably good for most cases. A 2 day extension, so it lines up with the established patch cycle, should have been a no brainer for Google. Google should entertain all reasonable requests for extensions, when the alternative is putting millions of us at risk! I'm not defending Microsoft, but I'm for anything that helps protect those of us who don't really have a choice but to use Google and Microsoft products!

w4bms9_2757:

Heck no, what Google is doing is the right thing. Microsoft has always had a problem getting things right and this is no different. Google has taken the right stand of 90 days before they release any problem report, and I hope and pray that they keep to that stand on the timeline. And Microsoft, get it together and make sure that your products are good before you release them for use. And you should START with WINDOWS 10, if you have the right mindset to do what is right.