Microsoft has criticised Google for making public a flaw in Windows, days before the problem was about to be fixed.
Google posted details of the problem in Windows 8.1 online in October, as part of its Project Zero plan to pressure firms into sorting out security problems. But Microsoft has said that Google’s policy of making the problem public endangered users.
“The decision feels less like principles and more like a ‘gotcha’, with customers the ones who may suffer as a result,” said Chris Betz, a senior director in Microsoft’s Security Response Center, in a long and sometimes angry blog post yesterday.
He said that Microsoft had asked Google to hold off on releasing details of the problem but that it had done so anyway. Google waits 90 days before it releases the details, which it did on January 11, though Microsoft said it had asked Google to wait until January 13 when it plans to release a fix.
With Project Zero, Google seeks to find problems in software and notify the developers responsible, to keep users from harm. But if manufacturers don’t fix the bugs within the 90-day timeline, Google makes them public to encourage developers to fix them.
But Betz said that such disclosure rules don’t always help users.
“Those in favor of full, public disclosure believe that this method pushes software vendors to fix vulnerabilities more quickly and makes customers develop and take actions to protect themselves,” he said. “We disagree.”