Microsoft has pointed the finger at Google for its decision to disclose a flaw before Redmond released a fix.
Chris Betz, senior director of Microsoft Trustworthy Computing has said that the company believes in coordinated vulnerability disclosure, and asks that researchers privately disclose vulnerabilities to software providers, working with them until a fix is made available before sharing any details publically.
In a blog, Betz named Google for its release of a vulnerability in a Microsoft product, two days before its planned fix on its own monthly cycle. Saying that this was done “despite our request that they avoid doing so”, Betz said Microsoft specifically “asked Google to work with us to protect customers by withholding details until Tuesday January 13th, when we will be releasing a fix”.
He said: “Although following through keeps to Google’s announced timeline for disclosure, the decision feels less like principles and more like a ‘gotcha’, with customers the ones who may suffer as a result. What’s right for Google is not always right for customers. We urge Google to make protection of customers our collective primary goal.”
He said that those in favour of full, public disclosure believe that this method pushes software vendors to fix vulnerabilities more quickly and makes customers develop and take actions to protect themselves, but he disagreed, saying that releasing information absent of context or a stated path to further protections, unduly pressures an already complicated technical environment.
“It is necessary to fully assess the potential vulnerability, design and evaluate against the broader threat landscape, and issue a ‘fix’ before it is disclosed to the public, including those who would use the vulnerability to orchestrate an attack. We are in this latter camp.
Betz acknowledged that responding to security vulnerabilities can be a complex, extensive and time-consuming process, and some of the complexity in the timing discussion is rooted in the variety of environments that security professionals must consider.
He said: “To arrive at a place where important security strategies protect customers, we must work together. We appreciate and recognise the positive collaboration, information sharing and results-orientation underway with many security players today. We ask that researchers privately disclose vulnerabilities to software providers, working with them until a fix is made available before sharing any details publically.
“It is in that partnership that customers benefit the most. Policies and approaches that limit or ignore that partnership do not benefit the researchers, the software vendors, or our customers. It is a zero sum game where all parties end up injured.”
Commenting, Rob Graham of Errata Security said that it is “nice to see Google doing to Microsoft what Microsoft did to everyone else a decade ago”.
He said: “I enjoyed reading Microsoft’s official response to this event, full of high-minded rhetoric why Google is bad, and why Microsoft should be given more time to fix bugs. It’s just whining. They are upset over their inability to adapt and fix bugs in a timely fashion. They resent how Google exploits its unfair ad
vantage. Since Microsoft can’t change their development, they try to change public opinion to force Google to change.
“But Google is right. Since we can’t make perfect software, we must make fast and frequent fixes the standard. Nobody should be in the business of providing ‘secure’ software that can’t turn around bugs quickly. Rather than 90 days being too short, it’s really too long. Microsoft either needs to move forward with the times and adopt ‘agile’ methodologies, or just accept its role of milking legacy for the next few decades as IBM does with mainframes.”
