In an ongoing tussle over security (or the lack of it), Google has outed another flaw in Microsoft's Windows operating system, just days after catching industry flak for doing exactly the same thing.
In December, Google released information about a flaw in Windows 8.1 through its Google Security Research page. And then this month, just 2 days before a critical patch was released during Microsoft's Patch Tuesday, the search company did it again, making a flood of detail publicly available even though Microsoft had contacted Google to ask for a delay until the patch was well on its way to protecting customers. Google declined and published the data anyway.
Today, we see that Google has done it yet again. On the company's Google Security Research page for Issue 128, full disclosure is now available showing a critical Security Bypass/Information Disclosure flaw in Windows 7 and 8.1. Google has continually updated the page with notes since the flaw was originally detected and communicated to Microsoft. The notes show that as recently as yesterday, the same day Google made the report public, Microsoft and Google were in communication about the vulnerability.
The notes say that Microsoft had intended to fix this flaw in its January updates, but had to pull the security update for compatibility reasons. I'm sure pulling the update saved customers a lot of headaches this month, considering Microsoft's poor track record in 2014 for delivering updates that broke systems. However, customers can't be too happy with Google's insistence on following the letter of its own rules instead of protecting the public.
At issue is Google's policy. According to that policy, 90 days after a flaw of this severity is identified and reported, the information will be publicly disclosed. And, apparently, stopping disclosure must be like stopping a nuclear missile launch, because the company has yet to heed direct requests and pleas from Microsoft to hold off.
Microsoft is planning to deliver the pulled update during February's Patch Tuesday, but Google's dictatorial decision may force Microsoft to release it out-of-band.
Some believe that 90 days is enough time to fix any flaw, but as we've seen with the last two instances, apparently 3 months isn't enough time for Microsoft.
Where do you stand on this? Should Microsoft do a better job delivering security patches quicker? Or, is Google just being a bully?