Microsoft has criticized Google for deliberately publishing details of a vulnerability in Windows 8.1 two days before a fix was due to be released. Google published details of the bug as part of its Project Zero initiative, which it claims gives companies enough advanced warning — 90 days exactly — to fix vulnerabilities before they go live. Microsoft, however, says it told Google that it was planning to introduce a fix using its "well known and coordinated Patch Tuesday" update, and that the search giant's behavior endangers customers.
"Although following through keeps to Google’s announced timeline for disclosure, the decision feels less like principles and more like a "gotcha," with customers the ones who may suffer as a result," writes Chris Betz, senior director of Microsoft’s Security Response Center. "What’s right for Google is not always right for customers. We urge Google to make protection of customers our collective primary goal."
Google believes time limits encourage action — Microsoft says it just makes complex situations more difficult to deal with
This is the second incident of its kind to occur in only the last few weeks. On December 29th Google revealed a similar vulnerability in Windows 8.1 before Microsoft had readied a fix, with the search giant saying at the time that it believed its 90-day time limits were fair. "On balance, Project Zero believes that disclosure deadlines are currently the optimal approach for user security," Google told Engadget. "It allows software vendors a fair and reasonable length of time to exercise their vulnerability management process, while also respecting the rights of users to learn and understand the risks they face."
Following this latest release (revealed to Microsoft on October 13th, 2014 and made public on January 11th, 2015), it’s clear that Microsoft's and Google’s policies are at odds. "Those in favor of full, public disclosure believe that this method pushes software vendors to fix vulnerabilities more quickly and makes customers develop and take actions to protect themselves," writes Betz. "We disagree ... We believe those who fully disclose a vulnerability before a fix is broadly available are doing a disservice to millions of people and the systems they depend upon."