Google clashes with Microsoft over Windows flaw disclosure

Microsoft argues that Google isn't cooperating on vulnerability disclosure

Google and Microsoft are butting heads over the disclosure of vulnerabilities. On Monday, Google revealed a critical flaw in Windows after it gave Microsoft a ten-day window to warn the public about it.

Google posted about the zero-day vulnerability on its security blog, saying Microsoft had yet to publish a fix or issue an advisory about the software flaw.

"This vulnerability is particularly serious because we know it is being actively exploited," Google said. It lets hackers exploit a bug in the Windows kernel, via a win32k.sys system call, to bypass the security sandbox.

The search giant originally told Microsoft about the problem 10 days ago, on Oct. 21. It waited to say anything about it publicly so Microsoft could fix the problem first. But Google has a strict policy of giving vendors only seven days to either publish a patch or issue a warning about a flaw.

"Seven days is an aggressive timeline and may be too short for some vendors to update their products," Google said in a blog post in 2013. "But it should be enough time to publish advice about possible mitigations."

Microsoft slammed Google's move. “We believe in coordinated vulnerability disclosure, and today’s disclosure by Google could put customers at potential risk," the company said in an email on Monday.

It's not the first time the two companies have disagreed over disclosing a vulnerability. In 2015, Google disclosed publicly unknown holes in Windows before Microsoft had a chance to issue patches. This prompted Microsoft to complain.

"Although following through keeps to Google’s announced timeline for disclosure, the decision feels less like principles and more like a 'gotcha', with customers the ones who may suffer as a result," the company said at the time.

Brian Martin, director of vulnerability intelligence at Risk Based Security, said it would be impossible for Microsoft to come up with a patch in seven days. Fixing a Windows vulnerability can mean addressing problems in several different platforms of the OS and ensuring that the resulting patch doesn't disrupt any of the existing programming, he said.

"It's just too complex to do that in a matter of days," Martin said. However, Google had some justification in warning the public, given that hackers were already exploiting the vulnerability, he said.

"It goes back to an age-old debate of how much time you should give," he said. "In this case, because the vulnerability was being exploited in the wild, it forces Microsoft to up their schedule."

Google said that on Windows 10, its Chrome browser will prevent the problem from occurring. Using its own sandbox, the browser can block win32k.sys system calls.

Join the newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection

Tags MicrosoftGoogle

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Michael Kan

IDG News Service
Show Comments

Cool Tech

Breitling Superocean Heritage Chronographe 44

Learn more >

SanDisk MicroSDXC™ for Nintendo® Switch™

Learn more >

Toys for Boys

Family Friendly

Panasonic 4K UHD Blu-Ray Player and Full HD Recorder with Netflix - UBT1GL-K

Learn more >

Stocking Stuffer

Razer DeathAdder Expert Ergonomic Gaming Mouse

Learn more >

Christmas Gift Guide

Click for more ›

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Edwina Hargreaves

WD My Cloud Home

I would recommend this device for families and small businesses who want one safe place to store all their important digital content and a way to easily share it with friends, family, business partners, or customers.

Walid Mikhael

Brother QL-820NWB Professional Label Printer

It’s easy to set up, it’s compact and quiet when printing and to top if off, the print quality is excellent. This is hands down the best printer I’ve used for printing labels.

Ben Ramsden

Sharp PN-40TC1 Huddle Board

Brainstorming, innovation, problem solving, and negotiation have all become much more productive and valuable if people can easily collaborate in real time with minimal friction.

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Ratchada Dunn

Sharp PN-40TC1 Huddle Board

The Huddle Board’s built in program; Sharp Touch Viewing software allows us to easily manipulate and edit our documents (jpegs and PDFs) all at the same time on the dashboard.

George Khoury

Sharp PN-40TC1 Huddle Board

The biggest perks for me would be that it comes with easy to use and comprehensive programs that make the collaboration process a whole lot more intuitive and organic

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?