Microsoft is so annoyed that Google deliberately published vulnerability details in Windows 8.1 before a patch was ready that it has taken it's complaint public.
The Redmond, Wash.-based company had asked Google to hold off on relasing details until a fix was ready. However, Google announced the issues on Jan. 11, two days prior to the fix being released, a move it has defended by reiterating the rules of its security research project dubbed as "Project Zero."
It was Oct. 13, 2014, when Microsoft was notified about the bug issue. Using Project Zero as its initiative, Google reports the bug to the affected company and begins to observe a 90-day disclosure policy. When the policy reaches its deadline, the bugs will then be made known to the public.
"Microsoft were informed that the 90-day deadline is fixed for all vendors and bug classes and so cannot be extended," said Google in its Google Security Research page. It added that Microsoft was informed that the 90-day deadline expired on Jan. 11, 2015.
Seeing that the deadline was reached, Google revealed the security flaw, a move which Microsoft believes made the situation more difficult to deal with. A fix is part of the upcpming Patch Tuesday fixes, part of Microsoft's regular release of security fixes.
"Microsoft has long believed coordinated disclosure is the right approach and minimizes risk to customers," said Chris Betz, senior director at the Microsoft Security Response Center. "We believe those who fully disclose a vulnerability before a fix is broadly available are doing a disservice to millions of people and the systems they depend upon. "
Google, on its part, believes that its 90-day time limit was fair and that it encourages action. It believes that the current optimal approach to promote user security is achieved by strictly adhering to disclosure deadlines.
"It allows software vendors a fair and reasonable length of time to exercise their vulnerability management process, while also respecting the rights of users to learn and understand the risks they face," defended Google.
It's obvious that Microsoft doesn't agree with Google's reasoning, which it describes as "less like principles and more like a gotcha." The company believes that in taking such action, it is the customers who suffer as a result.
Interestingly, some people also feel annoyed with Google's action and told the search company to solely concentrate on its own project. Comments on Google's release of the information can be read under Issue 118 on the Google Security Research page.
"Google, better concentrate on your google+ project. Its a big crap, confused platform. Rather spending time on investigating others security issues, make google+ really a useful one or just shut down google+," said gravito on the Google Security Research page.
