Microsoft slams Google for disclosing Windows 8.1 security bug two days before it planned the fix

Microsoft has criticized Google for publicly disclosing a Windows 8.1 security bug just before it was going to fix it.

Microsoft also revealed that it had asked Google to withhold the details until January 13, as it planned to release the fix that day.

On January 11, Google revealed the bug, which lets anyone elevate user privileges owing to a hole in the Windows 8.1 login process. For those not in the know, Google’s Project Zero is known for tracking software vulnerabilities and reporting them to vendors. It gives vendors a 90-day window, or else makes the flaw public.

In an official blog post, Chris Betz, senior director of the Microsoft Security Response Center, said, "We asked Google to work with us to protect customers by withholding details until Tuesday, January 13, when we will be releasing a fix. Although following through keeps to Google’s announced timeline for disclosure, the decision feels less like principles and more like a “gotcha”, with customers the ones who may suffer as a result. What’s right for Google is not always right for customers. We urge Google to make protection of customers our collective primary goal."

This isn't the first time Google has gone ahead and published an unpatched issue. Just recently, on December 29, it openly published a Windows 8.1 vulnerability that gives low-level users administrator rights. Given that the security flaw has been revealed without any fix, it could pose a threat to some Windows users.

There has been a huge debate over consumer security and transparency. While Microsoft believes that Google is simply compromising user security, Google says it gave Microsoft enough time and aims at providing transparency by informing users of the security problems their devices face.

Microsoft, which usually releases fixes on Tuesdays, has further explained in the blog post the reason for the delay. Betz writes, "Responding to security vulnerabilities can be a complex, extensive and time-consuming process. As a software vendor, this is an area in which we have years of experience. Some of the complexity in the timing discussion is rooted in the variety of environments that we as security professionals must consider: real world impact in customer environments, the number of supported platforms the issue exists in, and the complexity of the fix."

"Vulnerabilities are not all made equal nor according to a well-defined measure. And, an update to an online service can have different complexity and dependencies than a fix to a software product, decade old software platform on which tens of thousands have built applications, or hardware devices. Thoughtful collaboration takes these attributes into account," he explained further.
