Microsoft: ‘We urge Google to make protection of customers our collective primary goal’
Published on January 12, 2015
On December 31st, a Google researcher discovered and disclosed a privilege escalation bug in Windows. The researcher also published a PoC (Proof of Concept) program for the Windows 8.1 weakness, detailing how the vulnerability can be exploited.
Today, Microsoft has issued a call for ‘better coordinated vulnerability disclosure.’ The issue itself is straightforward. Some people, including Google, believe that full public disclosure pushes software vendors to fix vulnerabilities quickly and allows affected customers to take prompt action to protect themselves. This is not always “black and white,” especially when it is a competitor’s software you are exposing.
Microsoft disagrees with this method. In fact, Microsoft believes a software vendor should be able to fully assess the potential vulnerability, evaluate the issue against the threat landscape, and issue a fix before disclosing the information to the public. This would prevent an attacker from utilizing the vulnerability when there is no solution to fix the issue.
“Those in favor of full, public disclosure believe that this method pushes software vendors to fix vulnerabilities more quickly and makes customers develop and take actions to protect themselves. We disagree. Releasing information absent context or a stated path to further protections, unduly pressures an already complicated technical environment,” Microsoft’s Chris Betz stated in an official blog post. “It is necessary to fully assess the potential vulnerability, design and evaluate against the broader threat landscape, and issue a “fix” before it is disclosed to the public, including those who would use the vulnerability to orchestrate an attack. We are in this latter camp.”
Betz singles out Google in his blog post, stating that Google released information on a vulnerability before the planned fix, which was set to take place on Patch Tuesday. In fact, the vulnerability was disclosed by Google despite Microsoft’s request not to.
“Specifically, we asked Google to work with us to protect customers by withholding details until Tuesday, January 13, when we will be releasing a fix. Although following through keeps to Google’s announced timeline for disclosure, the decision feels less like principles and more like a “gotcha”, with customers the ones who may suffer as a result. What’s right for Google is not always right for customers. We urge Google to make protection of customers our collective primary goal,” Betz explains.
Betz further adds that Microsoft does not believe it is right for security researchers to find vulnerabilities in a competitor’s products, apply pressure for a security fix or patch within a certain time frame, and then publicly disclose the information about the vulnerability, allowing customers to be attacked before a fix is even created.
Anyone involved in software development knows that responding to security vulnerabilities can be a complex, extensive and time-consuming process. Microsoft urges Google, as well as other companies, to work together, because ultimately it is all about the customer.
“Let’s face it, no software is perfect. It is, after all, made by human beings. Microsoft has a responsibility to work in our customers’ best interest to address security concerns quickly, comprehensively, and in a manner that continues to enable the vast ecosystem that provides technology to positively impact peoples’ lives,” Betz adds. You can read his entire blog post at the VIA link below.
Radu Tyrsina
Radu Tyrsina has been a Windows fan ever since he got his first PC, a Pentium III (a monster at that time).
For most of the kids of his age, the Internet was an amazing way to play and communicate with others, but he was deeply impressed by the flow of information and how easily you can find anything on the web.
Prior to founding Windows Report, this curiosity about digital content enabled him to grow a number of sites that helped hundreds of millions of people find the answers they were looking for faster.