A senior director in Microsoft's Trustworthy Computing group has publically criticized Google for revealing information about a security flaw in Windows 8.1 just two days before the software giant was set to release a patch. Google knew the patch was coming, but it ignored Microsoft's pleas and disclosed the vulnerability anyway, leaving millions open to a potential attack.
"We asked Google to work with us to protect customers by withholding details until Tuesday, January 13, when we will be releasing a fix," Microsoft senior director Chris Betz writes in a new post to the Microsoft Security Response Center blog. "Although [this revelation] keeps to Google's announced timeline for disclosure, the decision feels less like principles and more like a 'gotcha', with customers the ones who may suffer as a result. What's right for Google is not always right for customers. We urge Google to make protection of customers our collective primary goal."
Good luck getting the "don't be evil" folks to be anything but: that "timeline for disclosure" is spelled out in the search giant's Project Zero security initiative, which Google announced last July. Ironically, Project Zero aims to make zero-day attacks a thing of the past, and it does so by establishing a timeline between the times in which a security vulnerability is discovered, is communicated to the responsible firm, and is then communicated publicly.
As you must know, Microsoft issues security patches on the second Tuesday of every month, so it planned to patch this vulnerability tomorrow, on January 13. But that date is two days after Google's artificially created timeline. So Google went ahead and disclosed the bug anyway, even though Microsoft asked it not to. And even though Google's timeline is 100 percent arbitrary.
"The focus should be on protecting customers," Mr. Betx explains. Exactly so. What Google did was irresponsible and dangerous. And this isn't the first time Google's Project Zero has revealed a Microsoft security flaw before Microsoft could issue a patch. This isn't an isolated incident, it's just the way Google does things.
Thank goodness these immoral simpletons don't make a mobile OS.
Oh, right.
