Google Reports Windows Vulnerability 2 Days Early

Google Reports Windows Vulnerability 2 Days EarlySticking to its 90-day rule in disclosing known security vulnerabilities to the public as part of Project Zero, an initiative to help improve online security, Google announced a Windows 8.1 security flaw two days prior to Microsoft’s planned Patch Tuesday patch, angering Microsoft execs and putting the public at higher risk for security breaches for the two days before the patch was released.

Protect Systems and Data Prior to Attack. Home users: Protect your PC and selected files

Google vs. Microsoft: Who’s to Blame if Something Goes Wrong?

At first, it seems as if Google is the bad guy here, alerting not just the public but hackers as well to the two-day window of opportunity to exploit this vulnerability. Why not wait the extra two days and announce this flaw on day 92, when the patch to fix this issue is available, instead of day 90. Does two days really matter?

Then you think about Microsoft. Yes, the patch was scheduled to be released on their standard monthly Patch Tuesday but why did it take 92 days to resolve this issue? Google did its part, notifying Microsoft privately to this issue and sticking to its 90-day plan. Microsoft argued the importance of “Coordinated Vulnerability Disclosure,” wherein Google would privately notify Microsoft to the security flaw, working together only to have Google announce the flaw once the fix has been published. That seems the responsible way to handle these issues but this is not the first time Microsoft has missed Google’s 90-day deadline for fixing privately reported security flaws.

One thing is a given: security updates are coming all the time and missing one can make you vulnerable to attack. That’s why we recommend installing InstantRecovery on your systems (or InstantRescue at home) before a security breach. In the case you miss Patch Tuesday – or Patch Tuesday results in system failure – you can reboot to a known state in less than 30 seconds, restoring selected data in its most recent state at the time of system failure. Save hours of time rebuilding systems. Learn more about InstantRecovery or download a free trial. Home users: Download a free trial of InstantRescue.

Who’s side are you on: Google or Microsoft?

Related: Patch Tuesday Sparks Crash/Boot Loop – If Only Windows Users Had This

Category: InstantRecoveryInstantRescuePC ProtectionSystem Recovery

Tags:

4 comments

  1. This occurred over the holidays so staff was most likely lower than normal. Google was notified a fix was coming prior to the 90 day mark. This is not a critical hack as it is difficult to gain access to the system so releasing the patch before Tuesday release was not necessary. Google definitely should have waited. People will argue Microsoft should have made the deadline, peoples computers are at risk. It was two days and they knew. If Microsoft didn’t make the deadline then release it but they did it because they despise Microsoft and that imo makes them the bad guy here.

  2. It’s Microsoft’s fault, they had the agreed to 90 days to fix the issue, (89 days too many), it’s their OS, so it’s their fault. 90 days is way too long to have an issue on hand and not fix, the Linux community would have tackled this & a patch would be released in days.

    There’s no need to blame another corporation over the failure of another, this is getting way out of hand. Microsoft needs to get their act together rather than worrying over whom is going to leak that a flaw is in their software.

    If they’d get their software fixed, then there would be nothing to tell. Don’t blame Google if a mass Windows exploit causes disruptions of service to millions.

  3. Let’s be smart here. If your BANK announced an exact method for breaking into accounts that would be available for only 2 days, no idiot would DARE defend them. Security through obscurity is practiced far more than people realise; and it is fairly strong in doing so.

    But what is going on here is actually corporate warfare; there ARE (or well, likely were) long standing exploits in the Linux kernel, and even more so in various distros. Of course, given core security, few people consider these exploits to be of much worry. In most cases, the exploits would require a user to “be an idiot” and temporarily give root permission to a process.

    Oops, that’s 99.9% of the intended audience for typical computing.

    Sure, running around logged in root (administrator for windows) is super safe! That’s why most distros make it the default user. Err wait, they don’t. They’ll push you into a “limited user account” (more windows references) and try to keep you from being an idiot and staying logged in the root account for extended periods of time because it is “unsafe.” And you, as the user, now have to deal with having a heavily locked down account or… f’ it, I’m just going to run around in root and expose myself to the world.

    Who is at fault here? Google. This has nothing to do with what is best for the public, it’s just about making a bigger deal out of bashing Microsoft while ignoring their own faults. The problem is less about the software and more about the USERS.

  4. There are many times when Linux ‘security issues’ are leaked for the world to see, and it affects a lot more than just 0.01% of all Internet users, many servers which we all conduct business on runs Linux. Not just a few ‘uber geeks’ in dark corners, actually Linux user share is close to 2% as of this post, not counting servers.

    So it’s OK to expose Linux vulnerabilities and not those of Microsoft?

    Of course there’s a part of this that benefits Google, which also uses a modified version of Linux for their OS’s, but the fact is, is there are vulnerabilities, the open source community wants to know so that they can be FIXED.

    In 2-3 days max, not 90 frigging days! How can it take so long for six & seven figure engineers to roll out a fix to a flaw, known or unknown? When many of those who discovers the fix for Linux OS’s doesn’t get a red cent?

Leave a Reply