Skip to main content

Google engineers found over half the bugs in Microsoft's latest security update

Google engineers found over half the bugs in Microsoft's latest security update


32 of 57 vulnerabilities identified in this month's massive update were reported by researchers at the rival company

Share this story

If you buy something from a Verge link, Vox Media may earn a commission. See our ethics statement.


Microsoft is having one of its biggest "Patch Tuesday" monthly security updates ever, issuing fixes for a whopping 57 flaws in Windows, Internet Explorer, Microsoft Office, and other products. And who does Microsoft have to thank for more than half of these reported problems? Google.

Google engineers often find and report security vulnerabilities in Microsoft products, but they outdid themselves this month. Mateusz "j00ru" Jurczyk, a self-described "Windows hacker" and security engineer at Google, is credited for reporting 32 issues with Windows which Microsoft deemed "important," or one step below "critical." A second Google security engineer, Gynvael Coldwind, collaborated on reporting five of those bugs.

Google engineers are regularly credited in security updates, but this month's count is unusually high. (Google engineers reported a bug a month in October, November, and December, and none in January.) The total number of bugs Microsoft fixed this month is close to the all-time record of 64.

Microsoft welcomes bug reports from outsiders, which is why it has appended an "acknowledgements" section to every security update since 2000. "When you see a security professional acknowledged in a Microsoft Security Bulletin, it means that they reported the vulnerability to us confidentially, worked with us to develop the patch, and helped us disseminate information about it once the threat was eliminated," the company says.

Google engineers have uncovered many Microsoft bugs before, but they don't always do it quietly

Google engineers have uncovered plenty of Microsoft bugs before, but they don't always do it so quietly. In June of 2010, a Google engineer reported a serious Windows vulnerability, but gave Microsoft only five days before publishing the full attack code. Irked, Microsoft announced a bug disclosure policy for "non-Microsoft products" and started publishing bug reports on Google products. In July of 2012, a Microsoft engineer claimed to have discovered a massive botnet spreading spam and malware through Android devices; Google denied the claim.

Jurczyk did not immediately respond to an email asking him why he and his colleague spent so much time poking around Windows, although the bugs may have been discovered in the course of researching other products such as Google Chrome's embedded PDF viewer.

If the bugs had been more serious, the pair might have opted for a splashy blog post showcasing their technical prowess. But for minor security issues, Google's engineers seem content with reporting the bugs to Microsoft in the interest of protecting consumers.

The security researchers also get a boost to their own reputations. "If you're curious about the 32 found bugs in Windows found by either Mateusz Jurczyk or Mateusz Jurczyk and myself, you might want to go to SyScan this year," Coldwind wrote on Google+, referring to the security conference coming up in April.

Update: A Google representative referred us to a list of security flaws discovered by Google engineers in non-Google products and sent us this statement: "Keeping Internet users safe is about more than just making sure our own products are secure. We frequently report flaws we discover while testing our products and services on various platforms. Reporting bugs to software vendors in a responsible manner is part of a healthy security community."