(LiveHacking.Com) – Microsoft will be issuing a series of security bulletins today (Patch Tuesday) to address security vulnerabilities in its products. One of these fixes will be for a vulnerability that Google intentionally disclosed to the public last week.
Security researchers at Google found a bug that could allow a local attacker to gain elevated privileges on a Windows 8.1 machine. After the vulnerability was found, Microsoft was informed of the problem, which was dubbed "Windows Elevation of Privilege in User Profile Service".
According to Google's standard security policy, the bug was subject to a 90-day disclosure deadline: “If 90 days elapse without a broadly available patch, then the bug report will automatically become visible to the public.” On October 13th, 2014, Microsoft was told about the bug and the 90-day clock started ticking.
Then, on November 11th, Microsoft contacted Google and said that a patch for the vulnerability would be ready in February 2015. The cryptic comment attached to the bug report read, “Microsoft confirmed that they are on target to provide fixes for these issues in February 2015. They asked if this would cause a problem with the 90 day deadline.”
Google told Microsoft that “the 90 day deadline is fixed for all vendors and bug classes and so cannot be extended. Further they were informed that the 90 day deadline for this issue expires on 11th Jan 2015.”
Microsoft then replied that it would release a patch in January instead. This demonstrates both the power of and the need for the 90-day disclosure deadline: it forced Microsoft to act more quickly, and that is precisely the purpose of the deadline.
But there is another problem: Microsoft’s update process is well known throughout the security industry. It releases security fixes on the second Tuesday of the month, known as Patch Tuesday. Releasing patches for operating systems and software applications used by millions of people is a substantial undertaking. These releases require extensive testing and a top-notch change management system.
The whole of Microsoft’s security engineering is geared towards Patch Tuesday. The problem is that for January 2015, Patch Tuesday fell on January 13, but Google insisted on disclosing the details of the vulnerability on January 11, exactly 90 days after Microsoft was told of the problem.
According to Chris Betz of the Microsoft Security Response Center, “Google has released information about a vulnerability in a Microsoft product, two days before our planned fix on our well known and coordinated Patch Tuesday cadence, despite our request that they avoid doing so.”
“Specifically, we asked Google to work with us to protect customers by withholding details until Tuesday, January 13, when we will be releasing a fix,” he added.
It does seem foolish of Google to behave in such a way. Google also understands the difficulties of releasing patches for software applications, services and operating systems, and it should (but does not seem to) understand that the protection of consumers is the primary goal.
The idea behind the 90-day disclosure deadline is to ensure that vendors actually take security seriously, but disclosing a vulnerability just two days before a major corporation releases the required patch is officious, bureaucratic behavior. In such cases the spirit of the principle, not its letter, should be applied.