Google criticised for releasing unpatched Windows bug

Google's Project Zero team have publicly released details of a Windows vulnerability but many are asking if it was the responsible thing to do

Google is facing strong criticism after releasing details of a Windows bug before Microsoft came up with a patch.

The security flaw was discovered by Google's Project Zero team and potentially allows low-privilege users on Windows 8.1 systems to launch an executable as if they had elevated privileges.

Google set up the Project Zero research team to pressure vendors into releasing fixes in a timely manner. Upon discovering a vulnerability, Google informs the firm responsible and gives it 90 days to patch the system. In this case, Microsoft missed the deadline and so Google published details of the flaw.

While Microsoft has received a fair amount of condemnation for not addressing the vulnerability sooner, the vast majority of heat has been aimed at Google for releasing the details and potentially inviting the bad eggs to exploit the bug.

“Automatically disclosing this vulnerability when a deadline is reached with absolutely zero context strikes me as incredibly irresponsible and I'd have expected a greater degree of care and maturity from a company like Google,” one user wrote on the Google forum.

Google defended its position in a statement to Engadget:

“Project Zero believes that disclosure deadlines are currently the optimal approach for user security - it allows software vendors a fair and reasonable length of time to exercise their vulnerability management process, while also respecting the rights of users to learn and understand the risks they face. By removing the ability of a vendor to withhold the details of security issues indefinitely, we give users the opportunity to react to vulnerabilities in a timely manner, and to exercise their power as a customer to request an expedited vendor response.”

Microsoft was also quick to comment on its lack of action, saying in a statement:

“We are working to release a security update to address an Elevation of Privilege issue. It is important to note that for a would-be attacker to potentially exploit a system, they would first need to have valid logon credentials and be able to log on locally to a targeted machine. We encourage customers to keep their anti-virus software up to date, install all available Security Updates and enable the firewall on their computer.”
