Google Is Doing A New Thing To Tick Off Microsoft: Exposing Bugs In Windows 8

allheart55 (Cindy E)

Administrator
Joined
Jul 12, 2014
Messages
7,354
Location
Levittown, Pennsylvania
3ba6783fafed35a72ecbc3a6887cfdfc._.jpg



REUTERS/Robert Galbraith Microsoft CEO Satya Nadella. Archrivals Google and Microsoft are going at it in public again.



Microsoft is not happy that Google's security folks are finding bugs in Windows (particularly Windows 8) and telling the world about them before Microsoft can fix the problems.

Publicly discussing bugs in this way (in geek-speak, it's called "full disclosure") is not something new or unique to Google. Security researchers have been doing this for ages when they think a software vendor is dragging its feet on fixing dangerous bugs.

The problem here is that Microsoft says it was not dragging its feet.

The flaw was discovered by Google's "Project Zero," which was founded last summer as a group of world-class security researchers looking for security holes in other company's software. The work is generally considered to be a good thing, helping make the internet a safer place.

However, Project Zero has a strict 90-day "fix it or we'll disclose it" policy.

Microsoft says it planned to release a fix for the bug as part of its usual monthly Patch Tuesday cycle in January, two days after Google's 90-day deadline. However, Microsoft also told Google that the patch itself was buggy and would be released in February, according to records made public by Google.

Microsoft tries to release all patches on a predictable monthly cycle, to make it easier on enterprise customers who need to test each patch before deploying it.

On Jan. 15, 90 days after Google first told Microsoft about it, Google disclosed the bug. There was no patch available.

Microsoft software since about November, and it wasn't the first time Google released information about a bug before Microsoft had a fix ready.

Google doesn't just pick on Microsoft. The team frequently finds bugs in Apple's products, and other software too.

Project Zero keeps a public database that lists all the bugs in all the software it finds.

View gallery

.
Google/Business Insider Interestingly, these Google security gurus aren't disclosing bugs found in Google's own software in the same way. Their database [URL='https://code.google.com/p/google-security-research/issues/list?can=1&q=label%3AVendor-Google&colspec=ID+Type+Status+Priority+Milestone+Owner+Summary&cells=tiles']comes up blank
when searching for a list of bugs found in Google software.


The situation has caused Microsoft to cry foul.

In a blog post blasting Google, Chris Betz, a director of Microsoft's own security research group, wrote:

One company - Google - has released information about a vulnerability in a Microsoft product, two days before our planned fix on our well known and coordinated Patch Tuesday cadence, despite our request that they avoid doing so.

Specifically, we asked Google to work with us to protect customers by withholding details until Tuesday, January 13, when we will be releasing a fix. Although following through keeps to Google’s announced timeline for disclosure, the decision feels less like principles and more like a “gotcha”, with customers the ones who may suffer as a result. What’s right for Google is not always right for customers. We urge Google to make protection of customers our collective primary goal.

It's not likely that many enterprises will be hacked because of Google's decision to release the code before Microsoft could patch it, though that is a risk.

Still, the whole thing shows how businesses are caught in the middle of the games these big competitors are playing.

http://finance.yahoo.com/news/google-doing-thing-tick-off-130524050.html[/URL]
 
Back
Top