Google discloses another unpatched Windows flaw, irritates Microsoft

Microsoft is unhappy that Google didn't want to wait another two days before publicly releasing details about the vulnerability

Google released details of a second unpatched privilege escalation flaw in Windows 8.1 in less than a month, drawing criticism from Microsoft.

Microsoft is unhappy with the 90-day public disclosure deadline enforced by Google's security research team known as Project Zero.

Project Zero members routinely find vulnerabilities in products from other companies. These flaws get reported to the affected software vendors and if they are not patched in 90 days, Google automatically makes the vulnerability details public.

On Dec. 29, Google Project Zero disclosed an elevation of privilege (EoP) vulnerability affecting Windows 8.1 that Microsoft hadn't yet patched. The vulnerability was reported to Microsoft on Sept. 30, so the 90-day deadline expired, Google said at the time.

On Sunday, the company's researchers disclosed yet another unpatched EoP flaw in Windows 8.1, which had been reported to Microsoft on Oct. 13. This time the disclosure irked Microsoft, which planned to fix the vulnerability tomorrow. Microsoft releases security patches on the second Tuesday of every month, which has come to be known as Patch Tuesday in the industry.

As the name suggests, an EoP flaw can be exploited to gain administrator privileges on a system from a low-privileged account. Such flaws are not rated critical in the way that remote code execution vulnerabilities are, but chained with one of those they let an attacker who has gained code execution as a limited user take full control of the machine, which is why they still need to be patched.

"We asked Google to work with us to protect customers by withholding details until Tuesday, January 13, when we will be releasing a fix," said Chris Betz, senior director with Microsoft's Security Response Center, in a blog post Sunday. "Although following through keeps to Google's announced timeline for disclosure, the decision feels less like principles and more like a 'gotcha', with customers the ones who may suffer as a result."

The entry corresponding to this vulnerability on Google's security research tracker confirms that Microsoft was denied a deadline extension.

"Microsoft were informed that the 90 day deadline is fixed for all vendors and bug classes and so cannot be extended," the entry reads. "Further they were informed that the 90 day deadline for this issue expires on the 11th Jan 2015."

In practice, companies like Microsoft, which follow monthly or quarterly patching cycles and only rarely deviate from them to fix actively exploited, high-risk flaws, have less than 90 days to push out fixes for security issues reported by Google.

For example, if Google's researchers contact Microsoft about a flaw a few days after the company has released its latest monthly batch of security updates, the company will have to develop a patch and have it ready for the next Patch Tuesday or the one after that, in around 60 days. If it waits longer, the deadline will expire before its next scheduled patch release, as happened in this case.
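To make the deadline arithmetic in the two paragraphs above concrete, here is an added example (not code from the article or from either company) that maps a report date onto the 90-day deadline and Microsoft's second-Tuesday release cycle. The report dates are the two the article gives; the 45-day lookahead is an assumption chosen only so that at least one Patch Tuesday is always found.

```python
from calendar import TUESDAY
from datetime import date, timedelta

DEADLINE_DAYS = 90  # Project Zero's fixed deadline, as described in the article


def second_tuesday(year: int, month: int) -> date:
    """Microsoft's Patch Tuesday for a month: its second Tuesday."""
    first = date(year, month, 1)
    to_first_tuesday = (TUESDAY - first.weekday()) % 7
    return first + timedelta(days=to_first_tuesday + 7)


def patch_tuesdays(start: date, end: date) -> list[date]:
    """Patch Tuesdays pt with start <= pt <= end, in calendar order."""
    found = []
    year, month = start.year, start.month
    while (year, month) <= (end.year, end.month):
        pt = second_tuesday(year, month)
        if start <= pt <= end:
            found.append(pt)
        year, month = (year + 1, 1) if month == 12 else (year, month + 1)
    return found


def disclosure_schedule(reported_iso: str, deadline_days: int = DEADLINE_DAYS) -> dict:
    """Relate a report date (YYYY-MM-DD) to the deadline and the monthly release cycle."""
    reported = date.fromisoformat(reported_iso)
    deadline = reported + timedelta(days=deadline_days)
    one_day = timedelta(days=1)
    # a release only helps if it ships strictly before the deadline day
    usable = patch_tuesdays(reported + one_day, deadline - one_day)
    # assumption: any 45-day window holds at least one Patch Tuesday, so [0] exists
    too_late = patch_tuesdays(deadline, deadline + timedelta(days=45))[0]
    return {
        "reported": reported.isoformat(),
        "deadline": deadline.isoformat(),
        "usable_patch_tuesdays": [pt.isoformat() for pt in usable],
        # the real budget: days from the report to the last release that still counts
        "days_to_last_usable": (usable[-1] - reported).days if usable else 0,
        "first_patch_tuesday_too_late": too_late.isoformat(),
    }


if __name__ == "__main__":
    # the two report dates from the article: Sept 30 and Oct 13, 2014
    for reported in ("2014-09-30", "2014-10-13"):
        for key, value in disclosure_schedule(reported).items():
            print(f"{key}: {value}")
```

For the Oct. 13 report the last usable Patch Tuesday is Dec. 9, only 57 days after the report, and the Jan. 13 release lands two days past the Jan. 11 deadline, which is exactly the situation the article describes.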

"We believe those who fully disclose a vulnerability before a fix is broadly available are doing a disservice to millions of people and the systems they depend upon," Betz said. "Other companies and individuals believe that full disclosure is necessary because it forces customers to defend themselves, even though the vast majority take no action, being largely reliant on a software provider to release a security update. Even for those able to take preparatory steps, risk is significantly increased by publicly announcing information that a cybercriminal could use to orchestrate an attack and assumes those that would take action are made aware of the issue."

Microsoft, whose researchers also find vulnerabilities in products from other companies, encourages and practices what it calls "Coordinated Vulnerability Disclosure" (CVD), a policy where those who find vulnerabilities work with the vendor until fixes are made available and only then share details about those flaws publicly.

This might sound like the responsible thing to do, but software vendors are not equal in how they handle vulnerability reports. Some may take months or years to fix a particular flaw, and some are very bad at communicating with external security researchers.

There have been many cases in the past where different researchers independently discovered the same vulnerability, which means that given enough time malicious hackers might also find and exploit flaws found by researchers, but not yet patched by vendors. Google's deadline attempts to strike a balance between the vulnerability remediation needs of software vendors and the public interest.

"Project Zero believes that disclosure deadlines are currently the optimal approach for user security -- it allows software vendors a fair and reasonable length of time to exercise their vulnerability management process, while also respecting the rights of users to learn and understand the risks they face," said Project Zero researcher Ben Hawkes in December following the disclosure of the first EoP flaw. "By removing the ability of a vendor to withhold the details of security issues indefinitely, we give users the opportunity to react to vulnerabilities in a timely manner, and to exercise their power as a customer to request an expedited vendor response."

Google is right, said Robert Graham, the CTO of security research firm Errata Security, in a blog post. "Since we can't make perfect software, we must make fast and frequent fixes the standard. Nobody should be in the business of providing 'secure' software that can't turn around bugs quickly. Rather than 90 days being too short, it's really too long."

Lucian Constantin

IDG News Service