Early this week, Microsoft was publicly displeased with Google for revealing a Windows security hole that would allow hackers to gain control of computer systems. Now Google’s Project Zero disclosed two more Microsoft bugs. That makes at least four disclosures against Microsoft in the last few weeks.
Project Zero is Google’s initiative that finds security flaws and notifies the affected companies, giving them 90 days to fix the problem or disclose it themselves. If they do neither, Google publishes the details online. The more sinister of the two latest disclosures, revealed on Thursday, allows attackers to impersonate a user and decrypt or encrypt data on Windows 7 and Windows 8.1.
The other vulnerability is less of an issue, as it only allows attackers to see information about power settings. Both Google and Microsoft agree that it isn’t much of a problem, so Microsoft isn’t rolling out any fixes, though it might be considered in the future.
Although following through keeps to Google’s announced timeline for disclosure, the decision feels less like principles and more like a “gotcha”, with customers the ones who may suffer as a result. What’s right for Google is not always right for customers. We urge Google to make protection of customers our collective primary goal.
To Microsoft’s point, if a company lets Google know it’s working on a fix but it isn’t ready — and Google publicizes it anyway — then potential attackers could prey on that security weakness.
It’s unclear how Microsoft feels about these latest developments, but the tech giant probably hasn’t completely come around on Project Zero in just a week’s time.