
DAMN YOU! Microsoft blasts Google over zero-day blabgasm

Choc Factory reveals new flaw 2 days before Patch Tuesday

Microsoft has slammed Google for disclosing a security vulnerability in Windows a mere two days before Redmond planned to fix the bug.

Google revealed the flaw on 11 January, 90 days after reporting it to Microsoft; the ad giant said the bug can elevate a user's privileges to administrator-level, thanks to some inelegant action during the Windows 8.1 login process.

This isn't the first such disclosure by Google, which revealed a nasty takedown for Windows 8.1 on December 30th, after reporting it in September.

Google did so because the rules of its Project Zero security regime see the text ad giant reveal flaws 90 days after it reports them to vendors. In the case of this new flaw, Microsoft was notified on October 13th.

Microsoft feels Google has acted irresponsibly because it not only planned a fix for the problem on January 13th but also asked Google not to go public until that day.

“Specifically, we asked Google to work with us to protect customers by withholding details until Tuesday, January 13, when we will be releasing a fix,” writes Chris Betz, Microsoft's senior director for trustworthy computing.

Betz accuses Google of sticking to its 90-day-disclosure regime in order to annoy Microsoft, opining that Google's announcement “...feels less like principles and more like a 'gotcha', with customers the ones who may suffer as a result.”

“What’s right for Google is not always right for customers. We urge Google to make protection of customers our collective primary goal,” he adds.

Betz calls for Google – and everybody else – to sign up to Redmond's Coordinated Vulnerability Disclosure policy.

“We don’t believe it would be right to have our security researchers find vulnerabilities in competitors’ products, apply pressure that a fix should take place in a certain timeframe, and then publicly disclose information that could be used to exploit the vulnerability and attack customers before a fix is created,” he writes, adding that all stakeholders need to work in “partnership” to sort things out in ways that ensure bad guys get the smallest possible window during which to exploit flaws.

“Policies and approaches that limit or ignore that partnership do not benefit the researchers, the software vendors, or our customers. It is a zero sum game where all parties end up injured,” he writes.

We can't see a Google response to this new incident, but when this last happened, the company's Ben Hawkes wrote that the 90-day deadline is an attempt to change the way bugs are handled, as “By removing the ability of a vendor to withhold the details of security issues indefinitely, we give users the opportunity to react to vulnerabilities in a timely manner, and to exercise their power as a customer to request an expedited vendor response.”

Microsoft clearly disagrees with that stance and the benefits it provides to customers.

Game on. ®
