A senior member of the Government-backed Trustworthy Software Initiative (TSI) has heavily criticised last weekend’s controversial decision by Google to publish details of a significant flaw in Windows 8.1 only days before it was due to be patched by Microsoft.
According to TSI director of knowledge transfer Tony Dyhouse, Google’s action flew in the face of the interests of end users who were left exposed without a patch for a short period for no good reason.
Despite allegedly knowing the flaw was due to be patched imminently, Google's Project Zero team went ahead with disclosure, something a senior Microsoft exec described as a “gotcha” moment in an unusually combative blog on the affair.
“What’s right for Google is not always right for customers. We urge Google to make protection of customers our collective primary goal,” commented Chris Betz, senior director of the Microsoft Security Response Center (MSRC).
“Google’s action could be seen as an unnecessary jibe at Microsoft,” said Dyhouse. “I don’t think they did the right thing.”
Google’s stated policy is to report flaws under a regime of full disclosure 90 days after it is privately reported, in this case on 13 October 2014.
Although Microsoft had exceeded the generous 90-day period, Google should have appreciated the complex software problem Microsoft must manage, he suggested.
“If you’re a large software vendor then you should bundle up patches rather than issuing them one by one,” he said. Clearly Microsoft was unlikely to issue an out of band patch, something Google should have known.
“If Microsoft had refused to discuss the matter then Google would have been within its rights.”
Microsoft adheres to a ‘responsible disclosure’ regime called coordinated vulnerability disclosure which places no time limits on patching, which some argue makes it too easy for software vendors to ignore problems. Meanwhile, in some cases, the flaws are potentially being exploited in attacks until patches start to appear – and beyond.
“The fundamental aim of vulnerability disclosure must be to minimise the risk to the end-user. If a software manufacturer is refusing to patch an existing vulnerability, then the threat of full disclosure can be an effective tool to encourage compliance,” agreed Dyhouse.
“On this occasion, however, Google was fully aware that a patch was due to come out in line with Microsoft’s well-known and accepted patching strategy, and needlessly put users at risk by making it public.”
The TSI promotes a policy of coordinated vulnerability disclosure where firms synchronise their disclosure and patching behavior in the interests of wider security. On that score, Google has little defence for its decision.
“Where untrustworthy software is involved, consumer safety must never be held hostage to competing corporate agendas,” said Dyhouse.
Funded since 2011 to be an influence on cybersecurity policy and now run under the auspices of Warwick University’s Cyber Security Centre, the TSI’s management board includes representatives from the Department of Business, Innovation and Skills (BIS), the Centre for Protection of National Infrastructure (CPNI), as well as private firms and experts.