Microsoft criticizes Google for disclosing Windows 8.1 bug details
Microsoft has criticized Google for publicly disclosing a vulnerability in Windows 8.1 before it had the chance to fix it. The flaw, which could allow an attacker to gain elevated privileges on an affected system, was reported to Microsoft by Google's Project Zero team on October 13, 2014. Microsoft said it was given only a 90-day deadline to fix the problem, which expired on January 11, 2015, two days before the scheduled patch.

In a blog post, Microsoft's senior director of security response, Chris Betz, said Google's policy of automatically disclosing security flaws after 90 days was "less like principles and more like a 'gotcha,' with customers likely to suffer as a result." He argued that Google should have coordinated with Microsoft and other vendors to ensure customers were protected before making details public.
Betz also stated that Microsoft planned to release a fix for the bug on January 13, 2015, as part of its monthly security update cycle (Patch Tuesday). He said Google's disclosure had put customers at potential risk and did not take into account the complexity of testing and deploying patches for millions of devices.
Google's Project Zero is a team of security researchers who look for vulnerabilities in popular software products and report them to vendors. The team has a policy of giving vendors 90 days to fix problems, after which it publishes technical details and proof-of-concept code. Google says this policy is designed to improve transparency and accountability in the security industry and to encourage vendors to patch their products faster.
However, some vendors and security experts have criticized Google for being too rigid and for not taking into account the real-world challenges of developing and deploying patches. They also argue that Google should not disclose vulnerabilities that attackers are not already exploiting, since publishing details and exploit code can give attackers an advantage over defenders until a patch is widely deployed.
Microsoft and Google have clashed over security and privacy issues in the past. In 2011, Google accused Microsoft of copying its search results and using them in its own search engine, Bing. In 2012, Microsoft accused Google of circumventing Internet Explorer users' privacy settings and tracking their online activities. In 2012 Microsoft also launched a campaign called "Scroogled," which in 2013 criticized Google for scanning Gmail users' emails for advertising purposes.
Microsoft has expressed disappointment with Google for disclosing a Windows 8.1 vulnerability two days before releasing a patch.
Google's Project Zero team, which looks for security bugs in a wide range of software products, has a policy of disclosing details of any flaw it finds 90 days after notifying the vendor.
So when Microsoft was informed of a problem with Windows 8.1 on October 13, 2014, it asked Google to keep it confidential until January 13, 2015, when it planned to roll out a fix as part of its regular Patch Tuesday release.
However, Google released information about the bug, along with the proof-of-concept code needed to exploit it, on January 11, 2015, when the 90-day deadline expired.
"We are asking Google to work with us to protect customers by withholding details until … we release a fix," Microsoft Security Response Center senior director Chris Betz wrote in a blog post.
He added that this is a time for security researchers and software companies to collaborate, not to divide over important protection strategies such as vulnerability disclosure and remediation.
Microsoft follows the practice of Coordinated Vulnerability Disclosure (CVD), which encourages those who find flaws to report them directly to the affected product vendors, in order to "limit the field of opportunity so that customers and their data can be better protected," said Betz.