Tech giant Microsoft is not happy that Google decided to publicly disclose a security bug that presents a potential security risk for Microsoft users. Google initially reported the bug directly to Microsoft and, at the same time, reported another bug directly to Adobe, according to a blog post by Neel Mehta and Billy Leonard on Google’s Security Blog.
Adobe promptly addressed their bug and issued an update. Microsoft, according to Google, did not take the same initiative to address their bug in a timely manner. Google then publicly announced the bug via the Security Blog.
“On Friday, October 21st, we reported 0-day vulnerabilities — previously publicly unknown vulnerabilities — to Adobe and Microsoft,” Mehta and Leonard wrote. “Adobe updated Flash on October 26th to address CVE-2016-7855; this update is available via Adobe’s updater and Chrome auto-update.”
Microsoft has confirmed some Windows users were under attack earlier this month by a specialized hacking group. https://t.co/kGcfUaoWvL
— CNNMoney (@CNNMoney) November 2, 2016
The Security Blog post suggests that Google disclosed the Microsoft bug as a public service announcement, more or less.
“After seven days, per our published policy for actively exploited critical vulnerabilities, we are today disclosing the existence of a remaining critical vulnerability in Windows for which no advisory or fix has yet been released,” Mehta and Leonard explain. “This vulnerability is particularly serious because we know it is being actively exploited.”
The post then explains, in detail, how the security bug can be triggered.
That’s part of the issue Microsoft has with the Google disclosure: the post could instruct hackers on how to capitalize on the bug.
“We believe in coordinated vulnerability disclosure, and today’s disclosure by Google could put customers at potential risk,” Microsoft said in a statement, according to a CNET article by Steven Musil.
In a subsequent statement, Microsoft said that Google exaggerated the threat the bug presents.
“We disagree with Google’s characterization of a local elevation of privilege as ‘critical’ and ‘particularly serious,’ since the attack scenario they describe is fully mitigated by the deployment of the Adobe Flash update released last week,” the Microsoft statement reads, according to Musil. “Additionally, our analysis indicates that this specific attack was never effective in the Windows 10 Anniversary Update due to security enhancements previously implemented.”
Google’s published policy for actively exploited critical vulnerabilities provides a timeline for when it will publicly disclose such vulnerabilities after it has notified a company that they exist.
A post titled “Disclosure timeline for vulnerabilities under active attack” on Google’s Security Blog explains that the company’s security researchers discover attackers targeting previously unknown vulnerabilities in other companies’ software on “a semi-regular basis.”
When these vulnerabilities are discovered, Google notifies the company and also assesses whether or not the vulnerabilities are “critical” and whether or not they are being “actively exploited.”
Google’s policy states that all critical vulnerabilities should be assessed within 60 days and that all critical vulnerabilities that are actively being exploited should be addressed within seven days. Google’s assessment was that the Microsoft bug fell into the latter category because its researchers determined it was being actively exploited.
Microsoft’s argument, in this case, is that it appears the Adobe patch, which was issued within the seven-day window, addressed both the Adobe and Microsoft bugs. Therefore, no action was needed on Microsoft’s part because the bug was no longer an issue on its end.
Microsoft has been plagued by security bugs, to varying degrees, for years. In 2010, EWeek reported on persistent problems the company faced in preventing attacks on its software. It seems that every time Microsoft addresses one glitch or bug, another arises. EWeek explained that one simple but significant problem Microsoft faces with security bugs is that the company is so big that it is the most common target for hackers and other cyber attacks.
Whatever tensions between Microsoft and Google may arise from the two companies’ disagreement over the bug are sure to blow over. Microsoft and Google collaborate on several projects together, including a groundbreaking artificial intelligence partnership between Facebook, Microsoft, IBM, Amazon, and Google, as the Inquisitr previously reported.
[Featured Image by David Ramos/Getty Images]