Microsoft Comments On Security Flaw Revealed By Google

HardOCP News

Microsoft doesn't seem to be happy with Google after the search giant publicly disclosed a bug found in Windows 8.1 just two days before Microsoft was going to issue a fix.

With all that is going on, this is a time for security researchers and software companies to come together and not stand divided over important protection strategies, such as the disclosure of vulnerabilities and the remediation of them.
 
Didn't Google give them 90 days to fix it before they released details?

Pretty sure that is plenty long enough to wait.

From what I gather, MS was dragging kicking and screaming in order to fix a vulnerability that should have been fixed right after Google alerted them of the problem.
 
So I read this, and it just sounds like Microsoft would like people to not flaunt their issues out in public. Which makes sense; at the same time MS looks like it needs to open up a two-way communication path and reply back to some of these companies that point out issues and not just say, "Hey, thanks, we are working on it!" They need to also say, "Hey, remember that thing we thanked you for, it is coming out on a Patch Tuesday on 'X' date." Seems to me Google pointed something out, and MS never got back to them on when it would be fixed.
 
> So I read this, and it just sounds like Microsoft would like people to not flaunt their issues out in public. Which makes sense; at the same time MS looks like it needs to open up a two-way communication path and reply back to some of these companies that point out issues and not just say, "Hey, thanks, we are working on it!" They need to also say, "Hey, remember that thing we thanked you for, it is coming out on a Patch Tuesday on 'X' date." Seems to me Google pointed something out, and MS never got back to them on when it would be fixed.

I am pretty sure this is what I heard about it as well.
 
From what I remember reading from before, Google gave Microsoft 30 days before they went public and Microsoft was going to roll out the fix with a major patch that was going to be 32 or 33 days.
 
> From what I remember reading from before, Google gave Microsoft 30 days before they went public and Microsoft was going to roll out the fix with a major patch that was going to be 32 or 33 days.

Ok, that may be the case. My recollection of the time given is probably wrong then.
 
CVD philosophy and action is playing out today as one company - Google - has released information about a vulnerability in a Microsoft product, two days before our planned fix on our well known and coordinated Patch Tuesday cadence, despite our request that they avoid doing so. Specifically, we asked Google to work with us to protect customers by withholding details until Tuesday, January 13, when we will be releasing a fix. Although following through keeps to Google’s announced timeline for disclosure, the decision feels less like principles and more like a “gotcha”, with customers the ones who may suffer as a result. What’s right for Google is not always right for customers. We urge Google to make protection of customers our collective primary goal.

IF MS really requested a 2 day delay to meeting their VERY standard update/patch release schedule then I would tend to agree with them... Google was a dick.

IF MS wasn't so clear they had a fix on THAT Patch Tuesday, or there was any other type of miscommunication, then Google was probably in the right (though I would ask why not wait 2 days for their monthly patches anyway?).
 
meh, asking for a 2 day extension to release the fix with other fixes sounds pretty reasonable to me... considering the mess that android updates are. If you get them at all... google needs to look in the mirror sometimes.
 
Sounds like a big case of mis- or non-communication. Of course, it could just be companies being dicks to other companies just because... But, if Google & Microsoft security groups had open communication, this would have been avoided. There are times when even the biggest competitors need to communicate and work together. Security is one of them. Tarnish the security reputation of one, and the trust of them all goes down....
 
They had 90 days. They could have released it that first Patch Tuesday, or the second. It doesn't take 3 months to fix a vulnerability. Yeah yeah, Android is a mess too, but Microsoft procrastinated. Whatever level of management decided to let this go long enough to even need to request the extension should be canned. In the end, it shows that Microsoft doesn't really care about security and would rather keep to their schedule and regular sluggishness.
 
> They had 90 days. They could have released it that first Patch Tuesday, or the second. It doesn't take 3 months to fix a vulnerability.

I don't think you can arbitrarily say that every vulnerability in something as complex as Windows can always be properly assessed, coded, tested and deployed within 90 days. For instance, during the assessment it could be discovered that the initial vulnerability report was incorrect or not exhaustive. IIRC, when Google publicly disclosed this they had only looked at Windows 8.1 and not other versions.

Obviously there needs to be a sense of urgency when dealing with security flaws and maybe Microsoft is too slow about it. But there has to be a well-defined and methodical process in place as well, and rushing it is a bad idea. Microsoft has issued a number of broken updates recently and that shouldn't have been the case.
 
Is it just me or does this article seem like Microsoft is stuck in the past, expecting younger and more agile Google to stick to established practices? It seems like a clash of ideology more than anything else.
 
> Is it just me or does this article seem like Microsoft is stuck in the past, expecting younger and more agile Google to stick to established practices? It seems like a clash of ideology more than anything else.

Younger and more "agile" Google? *Snorts* :D
 
> I don't think you can arbitrarily say that every vulnerability in something as complex as Windows can always be properly assessed, coded, tested and deployed within 90 days. For instance, during the assessment it could be discovered that the initial vulnerability report was incorrect or not exhaustive. IIRC, when Google publicly disclosed this they had only looked at Windows 8.1 and not other versions.
>
> Obviously there needs to be a sense of urgency when dealing with security flaws and maybe Microsoft is too slow about it. But there has to be a well-defined and methodical process in place as well, and rushing it is a bad idea. Microsoft has issued a number of broken updates recently and that shouldn't have been the case.

Wait, someone said methodical process in figuring something out....wait what? :p

Everything you said is true and unfortunately these days people forget how complicated an OS really is. Besides, no matter how good a piece of software or an OS is, it takes time to shore up and push out a security update when you have millions of clients who are affected by the issue..
The saddest part of the story to me is this is not the first time Google has pulled this shite with Microsoft and other software makers, so it won't be the last.
Google should be fortunate that no one has gone and pulled the same stunt on them.
 
> Everything you said is true and unfortunately these days people forget how complicated an OS really is. Besides, no matter how good a piece of software or an OS is, it takes time to shore up and push out a security update when you have millions of clients who are affected by the issue..

It's Microsoft. If they don't patch it in time, they are slow idiots. If they patch it quick and it causes issues, Microsoft is a bunch of idiots and should have taken their time. For a patch and testing, it takes time. It's a lose/lose for some people. But, hey - it's Micro$haft (or whatever the put-down name of the week is). It's expected people are going to shit on them.

They have a talented group of developers and programmers up there. They are working on a lot of stuff, and some things have a higher priority and others need more testing than others. Google did a shitty move.
 
> Wait, someone said methodical process in figuring something out....wait what? :p
>
> Everything you said is true and unfortunately these days people forget how complicated an OS really is. Besides, no matter how good a piece of software or an OS is, it takes time to shore up and push out a security update when you have millions of clients who are affected by the issue..
> The saddest part of the story to me is this is not the first time Google has pulled this shite with Microsoft and other software makers, so it won't be the last.
> Google should be fortunate that no one has gone and pulled the same stunt on them.

Yeah, replacing an XSS in a web app is not the same as pushing a fix to millions of customers running on dozens of different Windows SKUs... It needs to be tested, verified, then a fix needs to be planned, then implemented for each affected platform, then tested. And only then can it be pushed into the normal patching cadence. Doing an OOB patch for something that's not like OMG HUGE RCE 0day is not going to happen. Forcing millions of customers to do an out-of-cadence reboot on server SKUs without good reason is NOT going to happen. The responsible thing would be to wait until a week after the patch is released so all affected customers can have a chance to update their systems.
 
Why simply put out the code in the first place? Report it and make it public that there is an issue, but posting how to do it or the code for it is just wrong.
 
> They have a talented group of developers and programmers up there. They are working on a lot of stuff, and some things have a higher priority and others need more testing than others. Google did a shitty move.

Pretty much spot on.
 
Too bad Microsoft. Only Oracle's atrocious response to vulnerabilities saves MS from looking worse.
 
> Too bad Microsoft. Only Oracle's atrocious response to vulnerabilities saves MS from looking worse.

With Java? They are pretty quick to update that. At least 6x a week Java needs updating. Probably because they have a huge backlog, though. :D
 
Microsoft has been antagonizing Google and its partners a lot in recent years so I can see how MS is not going to get any deference from Google when they need it. You can't piss in somebody's eye all day long and then expect a favor back. JMO.
 
Payback for all those silly Scroogle ads. From a customer point of view competition is beneficial and Microsoft needs a kick in the butt to work harder and not take being a big bully for granted. And, they need to fix the glitches in Internet Explorer.
 
MS needs to start getting serious about security; this shows that they'd rather blame Google than fix things in a timely manner.

MS is not asked to walk on water or make wine out of water, the sad part is written down here:

Let’s face it, no software is perfect. It is, after all, made by human beings. Microsoft has a responsibility to work in our customers’ best interest to address security concerns quickly, comprehensively, and in a manner that continues to enable the vast ecosystem that provides technology to positively impact peoples’ lives. Software is organic, usage patterns and practices change, and new systems are built on top of products that test (and in some cases exceed) the limits of its original design. In many ways that’s the exciting part of software within the rapidly evolving world that we live in. Stating these points isn’t in any way an abdication of responsibility. It is our job to build the best possible software that we can, and to protect it continuously to the very best of our ability. We’re all in.

MS has had over 20 years to optimize their code instead of bloating their operating system. This is something which happened on other OSes (non-MS OSes), but MS never had any intention of pursuing this, while fewer lines of code means less chance of problems.

How can you say you are "all in" while you keep including non-essential things in the OS which even have kernel access? It is the most backwards approach to creating a secure operating system.

Troublesome is that a "professional" writes such a piece which contradicts everything that has happened over the past 20 years.

And let me be clear: if it didn't happen in the last 20 years, more than likely it won't happen in the next 20 years.
 
Hey man, that agility is what allows them to fucking break the media stack on Android with every other release. Or ship with memory leaks.

:D
I'm sorry you have to buy a new phone to get the updates because Google leaves it up to carriers to distribute updates. :D
 