After Google posted detailed information about a second Windows vulnerability in less than two weeks -- before Microsoft was able to patch the flaws -- Microsoft today lashed out, calling its rival's move a "gotcha" that puts users at risk.
Some security experts sided with Google -- saying that in a changed world, patching must speed up -- while others saw the search giant's decision to reveal vulnerability information, including proof-of-concept attack code, as arbitrary and counter-productive.
No matter who's in the right, if anyone, Google's policy of automatically releasing bug information 90 days after reporting it to Microsoft has reignited a smoldering debate about how security researchers should handle their discoveries.
But Microsoft was clearly peeved Monday.
"Google has released information about a vulnerability in a Microsoft product, two days before our planned fix on our well-known and coordinated Patch Tuesday cadence, despite our request that they avoid doing so," said Chris Betz, senior director of the Microsoft Security Response Center (MSRC), in a blog post early today.
"Specifically, we asked Google to work with us to protect customers by withholding details until Tuesday, January 13, when we will be releasing a fix," added Betz. "[Google's] decision feels less like principles and more like a 'gotcha,' with customers the ones who may suffer as a result."
Project Zero is composed of several Google security engineers who investigate not only the company's own software, but that of other vendors as well. After reporting a flaw, Project Zero starts a 90-day clock, then automatically posts details, including sample attack code in most cases, if the bug has not been patched.
There are currently five such vulnerabilities in the group's "Open" category: two in Windows and three in Apple's OS X.
The two that affected Windows 8.1, and which Microsoft took exception to, were both uncovered and reported by James Forshaw, a noted researcher who joined Google and Project Zero last August. Ironically, Forshaw was awarded a $100,000 bounty by Microsoft in October 2013 for demonstrating a new way to circumvent Windows' defensive technologies.
Microsoft and Google have been at odds before over vulnerability disclosure policies.
In 2010, Microsoft pitched its concept of "coordinated vulnerability disclosure," or CVD, a name change for what had it had earlier called "responsible disclosure." Under that policy, which under the latter moniker harks back decades, researchers are to wait until a patch is available before going public.
Around the same time, Google proposed that there should be a hard deadline of 60 days to patch a problem.
Both companies had reacted to an increasingly-heated discussion among researchers and vendors about disclosure, prompted in part by an incident that year when Google security engineer Tavis Ormandy went public with a critical Windows XP bug just five days after reporting it to Microsoft.
Although the public debate about vulnerability disclosure practices had waned in the interim, it had never really disappeared, said Chet Wisniewski, a security researcher with Sophos, in an interview. Now that the discussion has again gone mainstream, years of progress towards what Wisniewski saw as a more civil debate could easily be ruined. "Holding back a bug is never appropriate, but neither is always disclosing a bug," Wisniewski argued. "Everyone gets the most leverage when disclosure is coordinated."
Wisniewski took exception to Google's practice of automatically revealing information and its inclusion of proof-of-concept code that demonstrated an exploit, which cyber criminals could use or leverage to build their own attacks.
By disclosing information after 90 days, no matter how close a developer like Microsoft was to patching, Google "tries to puts pressure on vendors without being a dick," said Wisniewski. "They say, 'It will be automatic, so you can't accuse us of being vindictive.' But I don't agree that humans should not be involved.
"And patching something as big and complicated as Windows is not like patching a Web app or Yahoo Mail," Wisniewski continued. "The 90 days is arbitrary, but what concerned me the most was that Google dropped proof-of-concept code. That's unnecessary and a bit show-offy."
John Pescatore, director of emerging security trends at the SANS Institute, backed Google's 90-day approach. "It's good that Google is pushing the envelope. "The world is really changing, and it's worthwhile to revisit the norms of disclosure," Pescatore said in an interview.
But Pescatore's point wasn't that pressure to patch will motivate vendors like Microsoft. Instead, he called out corporations as the weak link. "Attacks are not taking advantage of missing patches, they're taking advantage of vulnerabilities that haven't been patched by customers," Pescatore said. "It's time for this process to speed up. Not Microsoft's process, but those of enterprises. The race is not before the patch comes out, but after, when enterprises apply the patch. IT is so stuck in the old days."
And Pescatore contrasted how that IT mindset -- bolstered by Microsoft's monthly patch schedule -- is increasingly out of sync with reality. "I think part of this debate is about Microsoft not driving the world anymore," opined Pescatore. "iOS and Android are now in the mode of pushing stuff out constantly. The world, other than corporate IT, has gotten used to that, with the exception of Windows."
Not surprisingly, Microsoft saw things very differently, reiterating its long-standing position that it, and other vendors, should be given as much time as necessary to fix flaws. "The focus should be on protecting customers," said Betz. "Releasing information absent context or a stated path to further protections, unduly pressures an already complicated technical environment."
Betz said nothing about Pescatore's point about slow customer patching, however.
Betz also implied that Google wouldn't like it if the shoe were on the other foot. "We don't believe it would be right to have our security researchers find vulnerabilities in competitors' products, apply pressure that a fix should take place in a certain timeframe, and then publicly disclose information that could be used to exploit the vulnerability and attack customers before a fix is created," Betz wrote.
Microsoft will ship its January Patch Tuesday slate of updates tomorrow at around 10 a.m. PT. While Betz said that the bug that went public Sunday would be fixed then, he did not claim the same about the Windows 8.1 vulnerability Forshaw had reported, then disclosed, late last year.
Because Microsoft suddenly halted its public distribution of pre-Patch Tuesday alerts last week -- those alerts sometimes hinted at the bugs that would be quashed -- it was impossible for outsiders to predict whether the second Windows 8.1 vulnerability will also be addressed.