Microsoft knocks Google's vulnerability disclosure attitude

We're used to rival companies trading blows, subtly or otherwise, to gain an upper hand, but there are times when the criticism becomes real and serious. Take the case of Microsoft Security Response Center senior director Chris Betz, who has taken to the company blog to slam Google's Project Zero vulnerability management. The heart of the issue is that Google publicly disclosed a serious security vulnerability two days before Microsoft could roll out its fix, even though Redmond explicitly asked Google to temporarily suspend its 90-day policy.

Project Zero is Google's effort to make the tech world a better place by using full disclosure to help get security holes fixed. It may sound counterintuitive, but proponents of full disclosure believe that it forces vendors to patch their software quickly, instead of waiting to see whether or when the vulnerability is actually exploited. To some extent, this is a reaction to the software culture of the past, where "security through obfuscation" meant that vendors never really disclosed security issues and sometimes never fixed them either. After all, if no one knows about them, they can't do any harm, right?

Today's Microsoft is a different Microsoft and, while it would be foolhardy for the company to stick to such an archaic mentality, it's not exactly advocating full disclosure either. Instead, it is preaching what it calls Coordinated Vulnerability Disclosure, or CVD, which is a sort of compromise, at least between vendors. Software makers can talk among themselves about security issues they find in each other's software, but they should keep quiet about them until the software has been patched. Only then do they disclose the vulnerability to the public.

Microsoft's argument is that CVD is the more responsible and customer-oriented method because it actually protects customers better. If a vulnerability is disclosed before a fix can be released, users are left exposed and defenseless against a potential new weapon. On the other hand, there is also some merit to Google's approach: a fixed deadline ensures that companies do not become lax simply because the vulnerability isn't known to the public. Google does observe a 90-day period after it approaches a vendor, waiting for them to issue a fix, though it does sound almost like a hostage situation.

Microsoft's gripe, however, is probably also that it already had a fix ready, by its own account, and was just waiting for its regularly scheduled "Patch Tuesday" to release it. It just so happens that that Tuesday fell 2 days after Google's 90-day deadline. Microsoft asked Google to stay its hand and, obviously, the search giant didn't concede. Should Google have made an exception just to sync with Microsoft's arbitrary schedule? Or should Microsoft have rolled out the fix immediately, given the severity of the bug? This is a security policy debate that has hounded not just companies but also software researchers, and we are unlikely to see a resolution soon, unless these two giants decide on a way to reconcile their differences in philosophy.

SOURCE: MSDN

VIA: CNET