Google releases more security flaws displaying Microsoft OS' security vulnerabilities despite the fact that the Redmond giant criticized the revelation that the search giant made on its system a week ago. Microsoft dislikes how Google's security team discover bugs in Windows and disclose them to the world before Microsoft could come up with a patch to fix the issues.
It was last summer when Google's "Project Zero" team began to learn about the flaw in Microsoft's system. The team is made up of world-class security engineers who are tasked with finding security holes in the software system of a company. They would scour the Internet for global vulnerabilities found in the Web, apps and communication services. After finding a vulnerability, Google informs the company involved with the issue and gives them 90 days to address the flaw. If the 90-day deadline is not met, they reveal the issue to the public.
Google had so far revealed two bugs. The first vulnerability, which is more sinister, allows attackers to become an impostor by impersonating a user in order to decrypt sensitive data on PCs with Windows 7 and Windows 8.1. The second vulnerability allows attackers to view information on power settings. Microsoft has no plans to roll out any fixes for the latter as both companies believe that it doesn't seem to pose any threats.
Microsoft had planned to release a fix for the bug in time when it conducts its monthly Patch Tuesday cycle for the month of January. That day fell two days beyond the 90-day deadline that was set by Google. However, Microsoft admitted that the patch was buggy in itself and would therefore have to be released in February.
As Google's Project Zero follows a strict 90-day policy, it has no other option but to disclose the vulnerability in question. Since November when Google began finding flaws in Microsoft's software system, the search giant had already discovered 15 flaws. Google also seemed to have the habit of releasing information about the flaw even before Microsoft could come up with a patch.
In an official blog post, Senior Director Chris Betz of the Microsoft Security Response Center criticized the way Google has revealed the vulnerabilities in public and has called for a better way of working and collaborating when solving issues.
"We ask that researchers privately disclose vulnerabilities to software providers, working with them until a fix is made available before sharing any details publicly," said Betz. "It is in that partnership that customers benefit the most. Policies and approaches that limit or ignore that partnership do not benefit the researchers, the software vendors, or our customers. It is a zero sum game where all parties end up injured."
