Microsoft criticizes Google for spilling information about Windows 8.1 bug
Microsoft has criticized Google for publicly disclosing a vulnerability in Windows 8.1 before it had a chance to fix it. The flaw, which could allow an attacker to gain elevated privileges on a system, was reported by Google's Project Zero team on December 29, 2023. However, Microsoft said it was only given 90 days to fix the issue, a deadline which expired on January 27, 2024.
In a blog post, Microsoft’s senior director of security response, Chris Betz, said Google’s policy of automatically disclosing security flaws after 90 days was “less like principles and more like a ‘gotcha,’ with customers potentially suffering as a result.” He argued that Google should have coordinated with Microsoft and other vendors to ensure customers were protected before making details public.
Betz also stated that Microsoft planned to release a fix for the bug on February 10, 2024, as part of its monthly security update cycle. He said Google's disclosure had put customers at potential risk and did not take into account the complexity of testing and deploying patches to millions of devices.
Google's Project Zero is a team of security researchers who look for vulnerabilities in popular software products and report them to vendors. The team has a policy of giving vendors 90 days to fix issues, after which they publish technical details and proof-of-concept code on their website. Google says this policy is designed to improve transparency and accountability in the security industry and encourage vendors to patch their products faster.
However, some vendors and security experts have criticized Google for being too rigid and not taking into account the real-world challenges of developing and deploying patches. They also argue that Google should not disclose vulnerabilities that hackers are not actively exploiting, as doing so could give attackers an advantage over defenders.
Microsoft and Google have clashed over security issues in the past. In 2010, Google accused Microsoft of copying its search results and using them in its own search engine, Bing. In 2012, Microsoft accused Google of bypassing Internet Explorer users' privacy settings and tracking their online activities. In 2013, Microsoft launched a campaign called "Scroogled," which criticized Google for scanning Gmail users' emails for advertising purposes.
Microsoft has expressed disappointment with Google for disclosing a Windows 8.1 vulnerability two days before releasing a patch.
Google's Project Zero team, which looks for security flaws in various software products, has a policy of disclosing the details of any flaws 90 days after notifying the vendor.
So when Microsoft was informed of a problem with Windows 8.1 on October 13, it asked Google to keep it confidential until January 13, when it planned to roll out a fix as part of its regular Patch Tuesday update.
However, Google decided to publish information about the bug (and the code needed to exploit it) on January 11.
"We're asking Google to work with us to protect customers by withholding details until we... publish a fix," Microsoft Security Response Center director Chris Betz wrote in a blog post.
He added that this is a time for security researchers and software companies to collaborate, not to divide over important protection strategies such as vulnerability disclosure and remediation.
Microsoft follows the practice of Coordinated Vulnerability Disclosure (CVD), which encourages those who find flaws to report them directly to the vendor of the affected product, in order to "narrow the field of opportunity so that customers and their data are better protected," Betz said.