DAMN YOU! Microsoft blasts Google over zero-day blabgasm

Microsoft has slammed Google for disclosing a security vulnerability in Windows a mere two days before Redmond planned to fix the bug. Google revealed the flaw on 11 January, 90 days after reporting it to Microsoft; the ad giant said the bug can elevate a user's privileges to administrator-level, thanks to some inelegant …

  1. Anonymous Coward
    Flame

    Sorry, but Google were utterly wrong.

    I understand the point where vendors are not releasing patches and MS have form in this, as do many others, but this one is them being a bunch of pricks. Vendor has stated a release date for fix, asked not to disclose until release is scheduled and they still act like a bunch of spoilt brats going well we say we're going to do it, so nah, nah na naa nah.

    This has FUCK ALL to do with protecting the customers and working with vendors, it's simply a cheap, commercial shot aimed at their biggest rival.

    On this one, I'm with MS 100% and Google 0%

    Yes down vote Google lovers (no doubt many are busy typing away in defence now), but this is nothing but a stupid move that benefits no one other than their own over-inflated egos.

    1. Voland's right hand Silver badge

      Re: Sorry, but Google were utterly wrong.

      Yes and no.

      Depends if the release date is reasonable. Not patching stuff for years after it was first reported (as in some 2000s Oracle vulns) is unreasonable.

      109 days instead of 90 is actually reasonable especially in this case.

      There is a mandatory freeze and do-not-touch period in most institutions around Xmas. While the 90 days mandatory disclosure is somewhat reasonable, the lack of adjustment for the 15th of December to the 5th of January is extremely counterproductive.

      So in this specific case I agree with Microsoft (which does not happen that often especially on security).

      1. big_D Silver badge

        Re: Sorry, but Google were utterly wrong.

        In this case, the release date was within 90 days (was exactly 90 days, according to the story), but Google released the information after 86 - 92 days; if we are having a response blog from Microsoft appearing in the early morning press 1 day before the 13th January (depends if you give the benefit of the doubt and from 13th October to 13th January as 30 months or you use exactly 90 days), then I'm guessing that the Google post was on Friday or over the weekend.

        Additionally, with the 30th December Google disclosure, they didn't just warn users about a possible threat, they actually gave hackers the source code to exploit the bug! That is, IMHO, completely irresponsible, if as Google states that they are doing it to protect customers.

        By all means release PoC code after the patch has been released, to show what was done, but making code available to exploit the bug before the patch has been released? How does that protect users / customers? Surely that puts them at unnecessary risk?

        1. big_D Silver badge

          Re: Sorry, but Google were utterly wrong.

          Bleh, 3 months or 90 days, not 30 months!

        2. h4rm0ny

          Re: Sorry, but Google were utterly wrong.

          I might as well pretty much post the same thing I posted last time as the response is the same: This is a PR move by Google.

          Does Google have a competitive interest in Windows being a better OS? No, they don't. So do they therefore benefit from silently and constructively helping fix bugs in a non-destructive manner? No they don't. This is all basic logic so far. Loudly pointing out vulnerabilities in a competitor's products (to the detriment of its users)? Yes, they clearly do have a benefit because it makes their competitor look bad.

          But there is a problem that endangering those users would make Google look bad as well. So clearly what is needed is a way of pointing out those vulnerabilities but making it look like they're not the ones endangering users. Ergo, decide on an entirely arbitrary time scale and say you have given notice and it's your competitor's fault the users are harmed by your publishing this information because they could have fixed it.

          Of course the time scale is arbitrary so sometimes your competitor will be able to fix the issue in time and sometimes they won't - hits and misses. But it's necessary so that you appear to be the responsible one.

          And releasing proof of concept code publicly, instead of just to the vendor so that they can more easily fix it, is a further step wrong again.

          This is PR. If it doesn't look like PR, that's because it's well done PR.

          1. Charlie Clark Silver badge

            Re: Sorry, but Google were utterly wrong.

            Does Google have a competitive interest in Windows being a better OS?

            Just as much as any other company which uses the software. So, yes is the answer.

            It's naive to think that Google's team is the only one that may have discovered this bug. It's just that others may not have condescended to report it.

            Google's real test will be when others start discovering similar bugs in its software or services.

            1. h4rm0ny

              Re: Sorry, but Google were utterly wrong.

              >>"It's naive to think that Google's team is the only one that may have discovered this bug. It's just that others may not have condescended to report it."

              I think it's pretty clear to all that the problem isn't that Google reported the vulnerability to MS. On its own, that's a good thing. But it's not on its own.

              1. Anonymous Coward

                Re: Sorry, but Google were utterly wrong.

                "I think it's pretty clear to all that the problem isn't that Google reported the vulnerability to MS."

                So the problem is providing a deadline, and sticking to it?

                1. h4rm0ny

                  Re: Sorry, but Google were utterly wrong.

                  >>"So the problem is providing a deadline, and sticking to it?"

                  Sticking to a deadline reflects very well on you. When it's one you impose on yourself. Imposing a deadline on someone else... not so much. I think the word you are looking for is actually "ultimatum". Or maybe "threat".

              2. Charlie Clark Silver badge

                Re: Sorry, but Google were utterly wrong.

                I think it's pretty clear to all that the problem isn't that Google reported the vulnerability to MS. On its own, that's a good thing. But it's not on its own.

                I think that the only problem here is buggy software which leaves users vulnerable. If this were the car industry then Microsoft could expect to be charged for every day it didn't provide a fix or a replacement.

                There is already a thriving market for undisclosed security bugs. There are two ways to dry it up: reduce the number of bugs; reduce the number of undisclosed security bugs by making more of them public.

                1. big_D Silver badge

                  Re: Sorry, but Google were utterly wrong.

                  @Charlie Clark and the security vulnerabilities in the wireless tyre pressure sensors, which were shown to be hijackable to take over the ECU? Or the regular crashing of the onboard computer system (my old Mondeo's navi/temperature/radio would regularly crash and take all controls with it - suddenly blast hot air, play white noise at full volume and stop navigating; the only solution was to turn off the ignition and remove the key, then stick it back in again and restart the motor - not something you want to do when barrelling down the outside lane of the autobahn at 220km/h!).

                  1. Anonymous Coward

                    Re: Sorry, but Google were utterly wrong.

                    "...my old Mondeo's ...barrelling down the outside lane of the autobahn at 220km/h..."

                    Hmmm... thinking...

                    "...not something you want to do..."

                    YES, that's it.

              3. Calorus

                Re: Sorry, but Google were utterly wrong.

                Yes on its own.

                Once Microsoft had been informed, it's entirely Google's courtesy to wait at all.

                They'd be within their right simply to publish on discovery, it's just courtesy that they decided to give a multi billion dollar company 3 months to come up with a fix.

                1. Tom -1

                  Re: Sorry, but Google were utterly wrong.

                  They didn't give them 3 months - and in fact MS issued the fix in 3 months; they gave them 2 days less than 3 months, knowing that their end date was the Sunday before MSFT's monthly patch release Tuesday. The fact that they released the exploit on a Sunday, not on an ordinary business day, is a pretty good indication of malice on their part.

          2. Anonymous Coward

            Re: Sorry, but Google were utterly wrong.

            And releasing proof of concept code publicly, instead of just to the vendor so that they can more easily fix it, is a further step wrong again.

            That's a naive viewpoint. The description in most reports provides enough to create your own exploit. The PoC is for the less adept to realise "oh crap, this report isn't just theoretical waffle - I had better respond to it".

            This is PR. If it doesn't look like PR, that's because it's well done PR.

            PR for what? You don't need Google to convince the masses about the security problems in Windows, they're already panic buying (so called) security suites. Privilege escalation bug? Just giving them a file with "setup" or "install" in the name is enough!

          3. ST Silver badge

            Re: Sorry, but Google were utterly wrong.

            > This is PR. If it doesn't look like PR, that's because it's well done PR.

            Google appears to be on a rampage about everyone else's security vulnerabilities. The lady doth protest too much, me thinks.

            As of today, there are 127 security vulnerabilities in Google Chrome, as listed at cvedetails.com:

            http://www.cvedetails.com/vulnerability-list/vendor_id-1224/product_id-15031/year-2014/Google-Chrome.html

            Pot. Kettle. Black.

          4. danbi

            Re: Sorry, but Google were utterly wrong.

            If you are a Windows user, then this "PR" move by Google actually helps YOU.

            Don't be so protective of Microsoft, they are not your friends. They could care less if you exist or not.

            The Swiss cheese nature of Windows security is scary and with all those millions of zombie Windows computers that SPAM and DDoS the Internet, it is quite understandable why Google would react this way.

            Rest assured, there are still enough hooks for the spooks left in Windows.

          5. Calorus

            Re: Sorry, but Google were utterly wrong.

            Totally true.

            It says everything that MS weren't bright enough to spot it.

        3. Def Silver badge

          Re: Sorry, but Google were utterly wrong.

          By all means release PoC code after the patch has been released, to show what was done, but making code available to exploit the bug before the patch has been released?

          Even releasing source code after a patch is still pretty irresponsible IMO. There are millions of PCs out there that either won't be patched at all, or will be patched days or weeks later. (Either by lazy fucks like me who restart their PCs once in a blue moon, or by IT administrators who like to try stuff out for a while to make sure it doesn't break anything else.)

        4. P. Lee

          Re: Sorry, but Google were utterly wrong.

          So MS were holding off until the very last possible moment before releasing the patch and hoping Google would relent? They were happy with 92 days but not 90? Doesn't Patch Tuesday roll around every week?

          My guess is that MS are playing games, with customers' security being the sacrificial pawn. They were looking to either get Google to change their policy on disclosure as a concession to MS, or to score PR points saying they were irresponsible for releasing a zero-day.

          Sorry MS, if you can't release a patch in 2.95 months (or even 1.95 months), you don't get my sympathy vote. You know Google's policy, if you asked them to hold off until 92 days, did you actually get a reply from them to say they would? I'm guessing you didn't. If you don't get an exception to the policy, the policy stands, that's how things work in business. You don't just fling an email into the void saying you won't make a deadline and hope the third-party changes its policy to suit you. That isn't how enterprises work.

          Nice try, no cigar. Stop messing around. When you display an attitude like that, I'm glad I'm not your customer.

          1. Anonymous Coward

            Re: Sorry, but Google were utterly wrong.

            And who made Google the Lord High Judge? That's right - it was entirely ultra vires, they appointed themselves.

            Google - whose only attempt at an OS is Android which made all versions of MSDOS and Windows look ultra secure. Google bestrides us like a great colossus, and we poor mortals must be content to grovel at their feet.

            1. Anonymous Coward

              Re: Sorry, but Google were utterly wrong.

              And who made Google the Lord High Judge? That's right - it was entirely ultra vires, they appointed themselves.

              Like every other security researcher who submits their reports to the original vendor, rather than a commercial exploit vendor?

            2. Robert Helpmann?? Silver badge
              Childcatcher

              Re: Sorry, but Google were utterly wrong.

              Google - whose only attempt at an OS is Android which made all versions of MSDOS and Windows look ultra secure.

              Come on now, if you are going to take shots, why pass up the opportunity to beat Chrome OS with a stick? While I appreciate the idea of community pressure making security better, putting out exploit code in this manner is a step beyond unethical. It ranks up there with releasing malware.

              "Oh look! We just happen to throw this code together in the lab and haven't gotten round to disposing of it. We're just going to put it here where everyone can see while we turn our backs and let the owner take a crack at fixing it. OK, on the count of 90..." Google, j'accuse!

            3. eulampios

              @the sensational AC

              >>Android which made all versions of MSDOS and Windows look ultra secure.

              Wow, did we all miss some Android Apocalypse? Where can we read about Android epidemics similar to (or according to you even more severe than) ILOVEYOU, Mydoom, Blaster, Sobig Worm, Code Red, CIH, Klez, Melissa, Sasser, Bagle, Win32/Simile, Nimda, Conficker, Stuxnet (to mention just a few)? Or you're gonna be referring to the millions of trojaned apps that await Android users, although pretty much nobody ever had?

          2. Anonymous Coward
            WTF?

            Re: Sorry, but Google were utterly wrong.

            Doesn't Patch Tuesday roll around every week?

            Either you are joking or just ignorant. I guess the latter.

          3. cambsukguy

            Re: Sorry, but Google were utterly wrong.

            Probably impossible to get the fix out by October. November may have been possible for a stupendous flaw with a desperate need for a fix (Heartbleed level stuff).

            So really, December was the earliest reasonable release. They didn't make it, which could have been sloppiness on their part or, more likely, just the timescales required for a huge company with a massive code base running on millions of differing systems to lumber through a process.

            Perhaps the release was ready for the day after patch Tuesday in December, I don't know either.

            This gives more weight to the release-when-ready system but I still think bundling up the patches together, testing them as blocks up until some cut-off date is more reliable.

            And the end users and admins don't have continuous automagic or, worse, manual updates being requested every day or two (or three) - once a month is fine by me - extraordinary cases notwithstanding.

            1. Eddy Ito Silver badge

              Re: Sorry, but Google were utterly wrong.

              Probably impossible to get the fix out by October. November may have been possible for a stupendous flaw with a desperate need for a fix (Heartbleed level stuff).

              Well Google notified MS on 13 Oct. the Monday before Patch Tuesday so they had a day tops which is a non-starter, toss October. That effectively gave MS 29 days until Patch Tuesday in November (the 11th) and 57 days until Patch Tuesday in December (the 9th). Conveniently, since both October and December have 31 days, it put January's Patch Tuesday at 92 days from notification giving Google an opportunity to do their little dookie dance.

              Now a cynical old fart, such as yours truly, might say that the GOOG held this little exploit close to their chest and carefully chose the timing to notify MS hoping MS wouldn't have enough time to cover it or would release another unstable patch. Either way MS gets a black eye. Notice that quarterly Patch Tuesdays are always 13 weeks apart and 13*7=91 so it isn't hard for the GOOG to piss in Microsoft's corn flakes or those of anyone else who sets a fixed update schedule for that matter. You see, what their dookie dance is really about is "our flexible release system is bigger better than your rigid one". Perhaps the children over at Google should lay off the sugar and caffeine for a bit.

              1. Jeff Green

                Sorry, but Microsoft were utterly wrong.

                All those complaining that Google were sticking to an arbitrary deadline seem not to have noticed that so were Microsoft!

                What is so special about a Tuesday?

                If Microsoft had the fix for a security vulnerability and decided not to release it merely because they only release fixes on Tuesday, they were 100% in the wrong. You have a fix, you make it available; if you are meeting an old friend for a regular lunch, every fourth Tuesday is fine.

                If Microsoft had sent a mail saying "This problem is proving very tricky to fix and we estimate we are 7 days off a working solution please can you withhold" I would have some sympathy but "We have fixed it but our marketing department thinks it is better to do things on Tuesday so please don't release the info" is crass.

                Microsoft are a huge company; if they cannot fix a simple bug in their code in 3 months then they need to redeploy some of the thousands of people in other jobs into doing something useful.

          4. mtcoder

            Re: Sorry, but Google were utterly wrong.

            Well the patch has / could have been ready for 2 weeks now, but MS has a well documented patch process, which has to be in place due to its enterprise aspects. Only super serious, deadly-to-OS patches are ever made outside of their Patch Tuesday pipeline. Everyone knows about Patch Tuesday, to the point that hell, we all call it Patch Tuesday; it has its own title and day. Lots of system admins have whole business processes that affect billions of dollars in productivity set up around Patch Tuesday. Changing that process isn't something MS takes lightly.

            Also this is OS patching, which means you have about 1 billion possible hardware aspects that could cause problems, a few billion lines of code something could screw up, and you best damn well make sure your fix doesn't make a bigger hole elsewhere. Testing code takes a lot of time, when it comes to top end programming. Really don't want a patch to come out then see the headline, UAC patch prevents users from installing any new products or running half their applications. Not exactly where you want to be. Also it's part of UAC, so that means group policy, Azure services, Active Directory, System Center all have to be updated. It's not a super simple fix to say.

          5. Robert A. Rosenberg

            Re: Sorry, but Google were utterly wrong.

            "So MS were holding off until the very last possible moment before releasing the patch and hoping Google would relent? They were happy with 92 days but not 90? Doesn't Patch Tuesday roll around every week?"

            No it is not. It is the 2nd Tuesday of the month. Thus depending on when the report is sent in, MS can have only 2 cycles or 3 before the 90 days are up. Given this window, I can see waiting another 2 days in this case as a reasonable delay since the fix is supposedly included. Given that MS has a fixed fix release schedule (which they recently broke once to issue an emergency "Can Not Wait Until Fix Tuesday" fix) I can see that 90 days can be a bad fit and 3 Fix Tuesdays can be a better period. OTOH: There needs to be some cap on the delay beyond 90 days.
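            Eddy Ito's day counts earlier in the thread (29, 57 and 92 days from a 13 October report) and the point above that a 90-day deadline contains either two or three Patch Tuesday cycles depending on when the report lands can both be checked with a few lines of Python. This is an added example, not code from the thread or from either company; it assumes Patch Tuesday is the second Tuesday of each month, and the 14-day minimum lead time used to discount a cycle that falls only a day after the report is an assumption of the example, not a figure from the thread.

```python
import calendar
from datetime import date
from typing import List, Tuple

# The case discussed in the thread: Google reported the bug on Monday 13 October 2014.
REPORT_DATE = date(2014, 10, 13)


def second_tuesday(year: int, month: int) -> date:
    """Patch Tuesday, taken here to be the second Tuesday of the month."""
    first_weekday = calendar.weekday(year, month, 1)      # Monday == 0 ... Sunday == 6
    days_to_first_tuesday = (calendar.TUESDAY - first_weekday) % 7
    return date(year, month, 1 + days_to_first_tuesday + 7)


def _next_month(year: int, month: int) -> Tuple[int, int]:
    return (year + 1, 1) if month == 12 else (year, month + 1)


def patch_tuesdays_after(report: date, horizon_days: int) -> List[Tuple[date, int]]:
    """Every Patch Tuesday that falls after the report date and no more than
    horizon_days later, paired with its offset in days from the report."""
    cycles: List[Tuple[date, int]] = []
    year, month = report.year, report.month
    while True:
        patch_day = second_tuesday(year, month)
        offset = (patch_day - report).days
        if offset > horizon_days:
            return cycles
        if offset > 0:
            cycles.append((patch_day, offset))
        year, month = _next_month(year, month)


def usable_cycles(report: date, deadline_days: int = 90, min_lead_days: int = 14) -> int:
    """Number of Patch Tuesdays a vendor could realistically use before the deadline.
    min_lead_days is an assumed cut-off: a cycle that lands a day after the report
    (14 October in this case) cannot carry the fix, so it is not counted."""
    return sum(1 for _, offset in patch_tuesdays_after(report, deadline_days)
               if offset >= min_lead_days)


if __name__ == "__main__":
    for patch_day, offset in patch_tuesdays_after(REPORT_DATE, 92):
        print(f"{patch_day}  +{offset} days")
    print("usable cycles inside 90 days:", usable_cycles(REPORT_DATE))
    # Reported two days later, the same 90-day window would hold three cycles.
    print("usable cycles if reported 15 Oct:", usable_cycles(REPORT_DATE.replace(day=15)))
```

            The 92-day gap appears only because October and December both have 31 days, and the three cycles for a 15 October report show why a fixed monthly cadence sits awkwardly against a fixed 90-day deadline.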

        5. Anonymous Coward

          Re: Sorry, but Google were utterly wrong.

          By all means release PoC code after the patch has been released

          The PoC code is a fucking batch file - with 2 commands!

          Here it is - go and take over the world with it:

          reg add HKCU\Environment /v TEMP /f /t REG_EXPAND_SZ /d %%USERPROFILE%%\..\..\..\..\..\windows\faketemp

          reg add HKCU\Environment /v TMP /f /t REG_EXPAND_SZ /d %%USERPROFILE%%\..\..\..\..\..\windows\faketemp
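          The two commands above point the user's TEMP and TMP variables through %USERPROFILE%\..\.. traversal at a directory outside the profile. As an added example (not code from the thread or from Google's report), here is a defender-side check that flags TEMP/TMP values which contain parent-directory traversal or which resolve outside the user's profile. It assumes the registry values have already been read (on Windows they would come from HKCU\Environment via winreg; the dictionary below is constructed sample data), and it uses the single-percent form %USERPROFILE% that the stored value actually holds (the doubled %% in the batch file is batch escaping).

```python
import ntpath
from typing import Dict, Optional

# Constructed sample of a user's HKCU\Environment values.  On a real host they would
# be read with winreg; the TEMP entry mirrors the redirection the batch file performs.
SAMPLE_ENVIRONMENT = {
    "TEMP": r"%USERPROFILE%\..\..\..\..\..\windows\faketemp",
    "TMP": r"%USERPROFILE%\AppData\Local\Temp",
}


def resolve_under_profile(value: str, user_profile: str) -> str:
    """Expand %USERPROFILE% and collapse '.' and '..' the way Windows path handling does."""
    expanded = value.replace("%USERPROFILE%", user_profile)
    return ntpath.normcase(ntpath.normpath(expanded))


def temp_path_finding(value: str, user_profile: str) -> Optional[str]:
    """Return a reason the TEMP/TMP value deserves review, or None if it looks normal."""
    resolved = resolve_under_profile(value, user_profile)
    components = value.replace("/", "\\").split("\\")
    if ".." in components:
        return f"parent-directory traversal in value, resolves to {resolved}"
    profile = ntpath.normcase(ntpath.normpath(user_profile)).rstrip("\\")
    if not resolved.startswith(profile + "\\"):
        return f"resolves outside the user profile: {resolved}"
    return None


def audit_environment(env: Dict[str, str], user_profile: str) -> Dict[str, Optional[str]]:
    """Check TEMP and TMP (the two values the batch file rewrites); map each to a finding."""
    return {name: temp_path_finding(env[name], user_profile)
            for name in ("TEMP", "TMP") if name in env}


if __name__ == "__main__":
    for name, finding in audit_environment(SAMPLE_ENVIRONMENT, r"C:\Users\alice").items():
        print(f"{name}: {finding or 'ok'}")
```

          The traversal test runs on the raw value rather than the resolved path because ntpath.normpath silently discards any ".." that climbs above the drive root, so a redirect into C:\windows would otherwise look like an ordinary absolute path. A value that resolves outside the profile without traversal is reported as a finding to review, not as a verdict, since a per-user TEMP under another directory is unusual rather than necessarily hostile.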

      2. naive

        Re: Sorry, but Google were utterly wrong.

        To see someone defending that a company like MS can not provide fixes for serious security bugs in its Operating Systems in a timely manner, is shocking given the track record that MS leaves many back doors open for spooks from all sides to peek into users' computers.

        Perhaps MS has difficulties with it because they sell licenses to the spooks for using these back doors for more than 90 days?

        1. Anonymous Coward

          Re: Sorry, but Google were utterly wrong.

          "can not provide fixes for serious security bugs in its Operating Systems in a timely manner"

          90 days is reasonably timely for a privately disclosed vulnerability in a complex OS. Proper regression testing such as testing a patch across dozens of OS versions and thousands of test scenarios takes time.

        2. cambsukguy

          Re: Sorry, but Google were utterly wrong.

          'Sell' licences to spooks, hilarious, good one!

          I suppose there are contracts and an EULA, they must be hysterical... "We guarantee that this software has security flaws. We guarantee that this software will support DDoS. You may use this software for illegal purposes. We guarantee that any published fixes will insert an equivalent exploit as soon as reasonably practicable".

          As long as they keep paying the support fees of course!

        3. John P

          Re: Sorry, but Google were utterly wrong.

          If MS had completely ignored Google and not given them any information on when a fix would be available, I would have less of an issue with what Google did and the blame would be on MS for not communicating properly with them on the matter.

          But MS did tell them that a fix was coming with a release date and asked them to delay disclosure for a couple of weeks until it was out. Google had a definitive time frame when a fix would be available and they stuck to the 90 days anyway, knowingly creating risk for users who may be vulnerable to the exploit.

          So in this case, Google are firmly in the wrong IMHO.

          1. Tom -1

            Re: Sorry, but Google were utterly wrong.

            I don't understand why you think that 92 days is a couple of weeks longer than 92 days. Reported Oct 13, fixed Jan 13 - that's 92 days.

        4. Tom -1

          Re: Sorry, but Google were utterly wrong.

          Publishing an exploit at 90 days when the vendor has informed you that the fix will be released on the 92nd day and asked you to delay for those two days is just irresponsible vandalism, giving all the script kiddies in the world an opportunity to have fun doing damage in the two days before the fix is issued.

      3. Anonymous Bullard

        Re: Sorry, but Google were utterly wrong.

        109 days instead of 90 is actually reasonable especially in this case.

        What if their deadline was 60 days? Should they have released it on day 79? What if it was 120 days?

        The thing that the fanboys (both Google/Microsoft) can't grasp is 90 days means 90 days and if they don't stick to it then their security reports won't get the respect they deserve.

        Security is one of the most important factors, and we've all laughed and face-palmed at the break-in reports on here and I think we can all agree that vendors also need to start taking it more seriously. Without the security reporters providing the ultimatums the vendors just won't be motivated enough to fix it, where new features are more exciting to work on. They should be grateful that they're actually reporting these bugs, rather than selling to the highest bidder (which happens more than you think).

        Google might be naughty for releasing the proof of concept, but Microsoft are equally in trouble for allowing it to happen. Maybe now Microsoft and the other vendors (including Google themselves) will take security reports more seriously, just like their users should.

      4. Paul Shirley

        Re: Sorry, but Google were utterly wrong.

        Voland's right hand:"There is a mandatory freeze and do-not touch period in most institutions around Xmas."

        When you can prove that cybercriminals all take xmas off that might be an argument. But rather a lot of them live in countries that don't do xmas. If a company wants to slack over a holiday they'd better throw more resources at the job to make up lost time.

        Or perhaps we could stop pretending security is a normal business activity and actually accept it's high priority.

        1. LDS Silver badge

          Re: Sorry, but Google were utterly wrong.

          This is not a CERT matter to contain and counteract an attack. This is modifying code to correct a bug - a bug that has security implications. That has to be done by coders who usually don't work "on urgency" except in very special situations - coders who know that codebase well and are allowed to modify that code. And who work normal shifts, and sometimes take holidays as well.

          The last thing you want - unless the risk is too high - is hurried-up code written by someone who has to catch a plane in a few hours or something like that. What you want is someone working and thinking clearly to deliver the best fix in the allowed time.

          Otherwise, what you get is the endless stream of patches like those hurried up to fix the Bash bug.

          Fixing bugs, including most vulnerabilities *is* normal business activity.

          It's pretty clear people like you have a lot of confusion about software development, lifecycle management, operations security and emergency response.

      5. Selden

        Re: Sorry, but Google were utterly wrong.

        Thanks for saving my having to compose a nearly identical response, but yours is likely better worded. Microsoft was right, but both companies are engaged in a pissing match over this. Broader buy-in over the Coordinated Vulnerability Disclosure policy would seem to benefit everybody.

    2. Bob Vistakin
      Facepalm

      Re: Sorry, but Google were utterly wrong.

      Please Google, don't be horrid to us. By the way, thanks for moving the needle above floor noise for us with our mobile revenue.

    3. Anonymous Coward

      Re: Sorry, but Google were utterly wrong.

      Sigh, we've done this one before.

      Plenty of idiots thinking it's a Microsoft vs Google issue when it quite clearly isn't (to those actually familiar with the security field).

      This is standard practice, regardless of it being Google or Microsoft. In fact, 90 days is quite generous.

      1. h4rm0ny

        Re: Sorry, but Google were utterly wrong.

        >>"This is standard practice, regardless of it being Google or Microsoft. In fact, 90 days is quite generous."

        No it isn't. Symantec and all those other security companies don't generally release proof of concept code to help black hats build their exploits. They also work constructively with the affected projects or companies. And 90 days is not "quite generous". We're talking systems programming here, not a web app where you can just drop in a quick patch and deploy on your servers. When I did this sort of work we had a team of people in another building who did nothing all week but work through formal tests to check each release of software. It took a long time to do that and it was necessary. If we wanted to push out a change, that went into the process. If we stopped the process to account for a new bug, that would be holding up fixes for others - which may be more important - because it means restarting the whole release pipeline.

        That's what a lot of people who only work on web apps and on non-safety critical software don't understand. And the armchair developers are worse. Stopping everything to put in a fix for the latest discovered problem can actually make your software more vulnerable because it can delay the release of fixes for more dangerous bugs. This bug basically causes the UAC notice to not pop up. So if a user with administrative rights is persuaded to run your malware, they don't get a "Do you want to allow this program to make changes..." message when they double click the email attachment, etc. That's bad, but who is to say it should have delayed some other fix?

        Probably none of us here have seen the code and none of us therefore know whether 90 days is "generous" or not. And certainly Google don't know.

        1. Anonymous Coward

          Re: Sorry, but Google were utterly wrong.

          Symantec and all those other security companies...

          So who are "all those other security companies"?

          You mention Symantec - who are strongly motivated by keeping "their" reports a secret because they don't really want to help their competitors. By the way - Symantec just regurgitate reports from full disclosure reports, removing all the interesting information.

          Stopping everything to put in a fix for the latest discovered problem can actually make your software more vulnerable because it can delay the release of fixes for more dangerous bugs

          ..

          That's bad, but who is to say it should have delayed some other fix?

          I agree, the bug itself is low/medium priority compared to all the other issues their security department deal with. It's the fact that it's a "Google + Microsoft" squabble that hits the headlines and gets the fanatics excited.

      2. Alan Brown Silver badge

        Re: Sorry, but Google were utterly wrong.

        "In fact, 90 days is quite generous."

        As someone who used to deal with bugs, etc I agree. The fact remains that even if a good guy found it and reported the thing, badhats may have found it and not bothered - the number of actively exploited (0-day) vulnerabilities that still crop up should be a good reminder of that.

        It's not at all uncommon to apply a fix and then find that attacks were already happening, before exploit code was released (and in some cases before the bug had been published), so I'd argue that the number of published 0-day bugs is a substantially smaller subset of the number actually being exploited.

      3. Michael Wojcik Silver badge

        Re: Sorry, but Google were utterly wrong.

        Sigh, we've done this one before.

        Yes, if only the entire IT security community hadn't had this whole "responsible disclosure" argument ad nauseam ten years ago, across all the prominent conferences and mailing lists and other forums... Oh, wait, we did.

        Well, we shouldn't be surprised that the non-experts are once again stumbling blindly over the same territory, September being eternal and all that.

        Personally, I'm firmly on Google's side in this case (and I'm no Google fan). I remember all too well the days before responsible disclosure became the norm, when firms would sit for years on known vulnerabilities while exploits circulated among the txtfile community. Responsible disclosure was what got Microsoft (and a great many other firms) off its collective ass in the first place; it's not a coincidence that Bill Gates' "Trustworthy Computing" memo came out a few months after RFPolicy started the rush to formalize disclosure policies.

        And responsible disclosure works because it's a carrot and a stick. The carrot is refraining from publishing exploits immediately; the stick is the threat to publish eventually. They only work when they're imposed by researchers, not the affected vendors. Sure, Microsoft's free to push its own disclosure policy [1], but they'll have to live with the fact that they can't impose it on researchers, and that not everyone will agree that their way is the best.

        The MS Trustworthy Computing initiative and the security groups that have come out of it are a mixed bag. Some of it is, in fact, excellent. Other bits are not. Their handling of reported vulnerabilities is, in my opinion, better than the industry average; but it's not so good that researchers should feel compelled to agree to Microsoft's terms.

        [1] Though they might have done so a bit less ham-fistedly. Like, say, publishing it as HTML rather than as a fucking Word document. The late, great Rich Stevens once rightly excoriated Microsoft for pretending that everyone loves its stupid proprietary document format, but they'll never acknowledge that. It'd also have been good if they'd drafted something a little earlier than 2010.

    4. Anonymous Coward

      Re: Sorry, but Google were utterly wrong.

      Microsoft haven't done themselves any favours on the moral high ground by:

      "Microsoft patch batch pre-alerts now for paying customers ONLY"

      http://www.theregister.co.uk/2015/01/09/ms_restricts_security_pre_alerts/

    5. leexgx

      Re: Sorry, but Google were utterly wrong.

      I agree with Google posting the zero day, but not the proof of concept code; that should have been held back for a bit.

    6. Tom 13

      Re: Sorry, but Google were utterly wrong.

      When giants fight, the ants are crushed beneath their feet.

      I'd agree with MS 100% and Google 0% if I were sure MS had the patch in the pipeline and aren't simply blowing smoke. I'm 80% there, but not 100%.

    7. kb

      Re: Sorry, but Google were utterly wrong.

      Considering there is a major exploit for EVERY Android system 4.3 and older (which represents the majority both in units in use AND in units currently being sold) that Google has marked as "won't fix" I think we can all see how much Google cares about security with regards to even its own customers, NONE.

      For those that haven't heard look up "Webview vulnerability" and you'll find plenty of articles. Sorry Google fans but if you spent a lot of money on that ICS phone? You're boned as Google does not care if you are pwned, we are talking less than 2 years since release, talk about p*ss poor support!

      BTW before you try to bash MSFT for not upgrading WinPhone 7? You might want to know that WinPhone 7 STILL gets security updates.

    8. Calorus

      Re: Sorry, but Google were utterly wrong.

      Narp. 90 days is a long time.

      The bad guys probably already know. 90 days is enough time to fix a gaping security hole, if you care enough.

      What's more, if Bing had been in the same position with ChromeOS they would have stuck to their own terms too.

  2. petur

    90 days are 90 days

    Get off your lazy ass, MS.... your code has been sucking for years, time is up.

    Want to get back at Google? Do them the same favor, find their bugs and give them 90 days.

    1. Anonymous Coward

      Re: 90 days are 90 days

      Sure, once Google release servers and desktops used by most large businesses throughout the world.

      Then see how they squirm when they are forced to release a rushed patch that may potentially take down a few million customers.

      1. Anonymous Coward

        Re: 90 days are 90 days

        Sure, once Google release servers and desktops used by most large businesses throughout the world.

        Well, I imagine their servers already are.

        1. Anonymous Coward

          Re: 90 days are 90 days

          "Well, I imagine their servers already are."

          What servers? Or you mean the Google cloud service? Hardly anyone uses that.

      2. firu toddo

        Re: 90 days are 90 days

        "forced to release a rushed patch that may potentially take down a few million customers."

        Wow! You think rushing patches might cause problems?

        I work in enterprise land. We are very cautious when handling M$ patches. They do have a nasty habit of exploding in your face. Just have a search for 'withdrawn microsoft patches'. (Google not required)

        Imagine how happy our 12000 mail users would be if we broke Exchange? Or if we patched our desktops and all the Win7 boxes started to blue screen? And the sheer volume of work to sort out 10 withdrawn and reissued patches in a month makes me cringe.

        But at least the users would be secure!

        ;o)

    2. Anonymous Coward

      Re: 90 days are 90 days

      You do realise that any fix has to be properly tested?

      They can't rush out a fix and end up with blue screens everywhere.

      1. juul

        Re: 90 days are 90 days

        Any vendor can make a patch and test it within 30 days, if they just make an effort. This is the main issue: a lot of vendors are not taking their secure coding seriously. Not that the developers themselves are to blame 100%; companies need to prioritize security.

        1. Charles 9 Silver badge

          Re: 90 days are 90 days

          You want to know how quickly they can REALLY turn out a patch? See them react to an Ultra Critical bug already in the wild.

          1. cambsukguy

            Re: 90 days are 90 days

            Risk analysis.

            If it is super-critical, release a patch after very fast 'smoke' testing. Release it on its own and with a removal capability probably.

            Then continue to test it just in case you missed a problem so a further fix can be made ready (and deployed automatically perhaps).

            Then, finally, release it into the standard patch system for final deployment (of a polished version) along with the ordinary stuff.

            But, don't do all of that unless it is absolutely required.

      2. Anonymous Coward

        Re: 90 days are 90 days

        "You do realise that any fix has to be properly tested?"

        So you're suggesting that they don't have the infrastructure in place to perform such testing?

  3. John P

    “By removing the ability of a vendor to withhold the details of security issues indefinitely, we give users the opportunity to react to vulnerabilities in a timely manner, and to exercise their power as a customer to request an expedited vendor response.”

    Which doesn't apply in this case as Microsoft told them there was a fix and asked them to hold off for an extra couple of weeks until it was released.

    Seems like Google stuck to their guns just to generate a bit of bad press for MS, to the possible detriment of customers.

    1. big_D Silver badge

      And, as I noted above, with the previous disclosure, they did not help protect customers by informing them of an issue, they actually put users at risk by publishing code that exploits the issue, so that hackers could get cracking on exploiting the vulnerability...

      That sort of action totally destroys their stated aim of protecting customers and users.

      1. Voland's right hand Silver badge

        @Big_D

        Quote: they actually put users at risk by publishing code that exploits the issue

        1. The quality of software development employed by your average crime syndicate located in the Wild East is on an order of magnitude higher than the quality of the average big corporation software development located in the not so Wild, but Warm and Humid South-East.

        2. So the value of protection from not releasing the code is NIL. The description (or often the patch itself) is sufficient for an average Russian, Romanian, Bulgarian (or anywhere around there) software developer contracted to a crime syndicate to produce a working exploit in a few days (tops). In fact, I know people who are capable of doing so in an afternoon between two espressos (with no description, purely on the basis of patch analysis).

        3. The value of the exploit as a working test case is priceless. Anything else aside, the "developers" (quotes intended) in big software corps located in the "sweaty" part of the world look at testing and testcase writing as a job for lower caste subhumans (I have had "developers" threatening to quit when being told that they have to test and write tests for their code more than once). So they are _NOT_ going to write a test exploit (even if they were qualified to do it). The availability of a test exploit allows the current test staff in your average large corp to test the fix. Otherwise they would have been unable to do it.

        So the disclosure style and substance are spot on. It is the timing which is idiotic. Even Google itself does a partial lock-down over Xmas. This time should have been accounted for in the "90" days.

        1. h4rm0ny

          Re: @Big_D

          You make a jump between step 1 and 2 which I do not think is supported. You argue in point 1 that some groups may exploit this even without assistance by Google. You then argue in point 2 that this means there is no reason for Google not to make it easier for all. This, to me, is an error of absolutes: a bad thing is possible so it doesn't matter if it becomes more common / probable / easier to achieve.

          In point 3, there is another issue. You propose that the release of the exploit code helps us protect ourselves. I disagree - I can look at the exploit code but there's nothing I can do to patch Windows myself. To the overwhelming majority of people the only use that can be made of the exploit code is to write malware. The only people who can use it in a beneficial way are Microsoft and that does not require a general release.

          1. Anonymous Coward

            Re: @Big_D

            h4rm0ny, the Microsoft apologist. I bet if this had nothing to do with Microsoft you (and others) wouldn't even be commenting, because the actual issue here has gone over your heads.

            I would just like you, and the other "IT Experts" of this forum to take away one thing: Full responsible disclosure is a good thing, and it's something that the security industry has been fighting for years over. The vendors don't like it, because it gives them more work with little in return (for them) and it makes them look silly when it's proven that they've ignored a security problem.

            I suggest the next time you've been allocated some sort of training budget ask for a course/book covering an introduction to data security - seriously.

            1. h4rm0ny

              Re: @Big_D

              >>"h4rm0ny, the Microsoft apologist. I bet if this had nothing to do with Microsoft you (and others) wouldn't even be commenting"

              Ignoring that this is just an ad hominem reply, as a general rule I defend technology and argue against FUD. That's because I appreciate that making perfect technology is hard (having worked in the industry for a long time) and because I dislike FUD on general principles. And I see such attacks against Microsoft on these forums more often than any other company so you find me speaking out in defence of that quite often. What I seldom do is attack products. You'll find a vigorous debate by me on UNIX vs. Windows security models last year, but even there I wasn't claiming that GNU/Linux was especially vulnerable. I was a UNIX programmer for years. Of course to someone partisan, I look biased if I argue against their attacks, but I'm almost universally defensive in my posts. Which is a stark contrast to all those who will leap on any supposed problem as an opportunity to tear down and say how rubbish something is.

              About the only negative thing I have ever said about Android is how much of it is being taken closed source by Google, rather than any attacks on the software itself. I think I made some criticisms of Dart one time as well.

              So basically, yes - I do comment on things other than Microsoft which you're welcome to check. Now can we stop the ad hominems and return to discussing what rather than who?

              1. Anonymous Coward

                Re: @ h4rm0ny

                Your opening statement was about how a 90 day deadline was not enough, not generous (oh, the poor put-upon corporates).

                Compare that to the *7 day* deadline the FOSS community work under with little or even zero funding, mostly by volunteers squeezing both the security patch creation and testing into their spare hours. If the OSS project is lucky they may have someone sponsoring a dev to work a few daylight hours on it as well.

                ... that's less than 170 hrs even assuming they work 24x7 the entire time.

                A 90 day deadline not being enough for a major corporation with untold amounts of funding and resources sitting behind its security team. That's over 500 hours of work time even if we assume they only work 8hrs a day on business days (unlikely). It's 2160 hrs (yes, thousands) if you put them under the same 24x7 operational pressure the FOSS community face.

                The reality is that it takes a number of hours you can count on the fingers of one hand to develop (and test) most of these types of patches. Then some days to push them through whatever the organisation's QA process for formal release is, and that part is very similar in both corporate and FOSS releases.

                90 days not being generous? fooey!

                1. Anonymous Coward

                  Re: The reality is....

                  ... that it takes a number of hours you can count on the fingers of one hand to develop (and test) most of these types of patches

                  Come back and comment when you have at least some idea of how complex the systems you're talking about are.

                  1. Anonymous Coward

                    Re: The reality is....

                    Come back and comment when you have at least some idea of how complex the systems you're talking about are.

                    Complex? Have you even read the vulnerability report?

                    I didn't think so...

                    1. Anonymous Coward

                      Re: Complex? Have you even read the vulnerability report?

                      The OS is complex, not the vulnerability! Because MS support legacy apps on new Windows they have a ton of regression testing to do. Unlike Google who just push the code out for vendors to fuck with just so Google can say "not our problem" when webview vulnerabilities are found.

            2. h4rm0ny

              Re: @Big_D

              >>"I would just like you, and the other "IT Experts" of this forum to take away one thing: Full responsible disclosure is a good thing, and it's something that the security industry has been fighting for years over. The vendors don't like it, because it gives them more work with little in return (for them) and it makes them look silly when it's proven that they've ignored a security problem."

              Speaking as someone who isn't the vendor in question but rather a customer, I don't like it either. It increases my risk.

              And as you're suggesting that I "ask to go on a course" to learn about security, here's a little information for you about the general patterns with security disclosures. Only a small minority of privately disclosed vulnerabilities are exploited prior to a patch being released, and after the patch is released it remains low. Think it through from the attacker's perspective - this is all simple enough. But when an exploit is publicly disclosed or becomes so, without a patch, active exploits in the wild skyrocket. Those are the actual facts of the matter. Public disclosure only increases security in the cases where there would be no patch without the vendor being forced. And as we can see - that was not the case here nor was ever likely to be.

            3. big_D Silver badge

              Re: @Big_D

              Full responsible disclosure? Yes, all for that. The problem is that the word "responsible" has been missing from the last 2 Google press releases, sorry disclosures.

      2. Alan Brown Silver badge

        "they actually put users at risk by publishing code that exploits the issue"

        2 regedit commands.

        This is a serious numpty-level fail, publishing it is justified.

  4. AndrueC Silver badge

    This does seem like Google being unnecessarily intransigent. The problem is that agreeing to defer the release could be the start of a slippery slope. It's not like Google have sprung this on MS - they've known it was coming for 90 days. And one advantage of Google doing this is that now MS know that when Google says 90 days they mean 90 days.

    Speaking personally I can only applaud that particular view. I'm a very punctual person and when I say "I'll be there in five minutes" I mean 300 seconds not some arbitrary and variable time in the future.

    I think this is relevant here. The software industry has a bad rep for meeting deadlines already.

    1. DrXym Silver badge

      The problem with slippery slope arguments is they assume that some minor upset to the status quo will inevitably lead to the end of the world. If Microsoft had a fix and asked for an extra 2 days (e.g. to align with some patch schedule) to roll it out then it is not unreasonable for Google to allow them that.

    2. LDS Silver badge

      Do you know patch releases need to be managed and there will be other patches in the pipeline? Each patch needs to be reviewed, assessed for impact, prioritized, assigned, code written, and tested, until the fix is definitive and has no side-effects? And not all vulns come from Google only. Google can't act like an elephant and stomp over everything just because it's Google. Maybe sometimes MS is just sloppy, but maybe sometimes it just needs to manage the pipeline?

      Have you ever managed a big complex project and had to decide how to manage hotfixes, updates and upgrades?

      1. Charles 9 Silver badge

        But what happens when you get hit with a "drop everything" Ultra Critical? How much time can you REALLY spare then?

        1. big_D Silver badge

          @Charles 9 ; Then a fix is rushed out the door, which often breaks other things, is pulled, changed, retested, rereleased and is a complete mess.

          In an emergency, you can get it out the door quicker and protect X% of those upgrading, but Y% will have problems, which could involve crashes and instability, through 3rd party applications not working to a non-booting system.

          That is why patching, testing and release can take months to complete. Just look at the track record for patches last year, many of them caused problems because they were rushed, it looks like a few times they cut corners on testing to get patches out, only to recall them because the Y% was unacceptably large.

      2. Anonymous Coward

        Have you ever managed a big complex project and had to decide how to manage hotfixes, updates and upgrades?

        Well, if all of this security patching is too complex for Microsoft, then why are you still using (and begging people to use) their OS?

        1. Anonymous Coward

          Re: Well, if all of this security patching is too complex for Microsoft....

          Is that a "No, I haven't ever managed a big complex project and had to decide how to manage hotfixes, updates and upgrades."?

    3. big_D Silver badge

      But when the planned release is on that 90 day border, that is very mean spirited. Microsoft essentially said, hold off until day 91/92, because that is our normal patch release date and the issue will be resolved on that date.

      And looking at "90 days", would you interpret that as 3 months or literally 90 days? I had to go back and back-calculate. I went: 13th October - 13 January, that is exactly 3 months, that is the 90 days, well, strictly speaking it is 92 - October and December both have 31 days and all.

  5. LDS Silver badge

    What's Google afraid of?

    It's clear Google is afraid of something, because these aggressive and nonsensical behaviours usually hide something deeper. Especially in this case when they were notified the patch was available and would have been released in the upcoming monthly update cycle. Now Google wants also to force how other companies should manage their planned updates? Or takes pleasure in disclosing others' vulnerabilities for stupid PR reasons? This bully approach hides something, Google wants to hurt MS as much as it can, and it's a behaviour clearly dictated by fear of something.

    This is a risky behaviour - if a "disclosure battle" starts, users will be caught in the middle. And we have already seen how much old bad code still exists in *any* OS, written in the old days when security was not so important or simply because the developer was not skilled enough.

    Meanwhile my Lumia 620 got the latest update, while my Samsung Galaxy isn't receiving any updates and is blocked in some old Android release. Maybe Google should start to make available fixes for its own OS first? It's too easy to put the blame just on handset makers... you're the OS supplier, you must make fixes available.

    Now waiting for googledroids to downvote... three...two...one....

    1. Anonymous Coward

      Re: What's Google afraid of?

      Meanwhile my Lumia 620 got the latest update, while my Samsung Galaxy isn't receiving any updates and is blocked in some old Android release. Maybe Google should start to make available fixes for its own OS first? It's too easy to put the blame just on handset makers... you're the OS supplier, you must make fixes available.

      They have - that's why my Nexus tablet is on Android 5.0.2, whereas my Galaxy Note is stuck on 4.2.2 - and that only courtesy of CyanogenMod. Google have released the code, Samsung could have done the same if they wanted to - but they don't, because they want to sell me a new phone.

      1. LDS Silver badge

        Re: What's Google afraid of?

        So, you should ask Dell, HP, Lenovo, etc. or yourself if you custom-build your system for patches for Windows? Unlike Google, MS delivers the patches directly to each and every device running a supported operating system - without requiring the hardware vendors to take care of that.

        And sure, Google releases the *generic* code - it doesn't test it for compatibility with the devices out there, it shifts the effort onto the hw vendors, easy, eh? While MS needs to ensure Windows works with all the devices out there... a bit different, isn't it?

        1. Anonymous Coward

          Re: What's Google afraid of?

          So, you should ask Dell, HP, Lenovo, etc. or yourself if you custom-build your system for patches for Windows?

          They don't do custom builds! It's just packaged and configured differently. The actual build itself is exactly the same as every other bastard's "version" of Windows.

        2. Anonymous Bullard

          Re: What's Google afraid of?

          LDS, Microsoft also put the burden of writing device drivers onto the manufacturers. The difference is with phones is each device differs greater than computers do, where binaries and components are interchangeable. There is no standard with phones.

          Also, the phone manufacturers would rather sell you a new phone than let you keep your old one up to date. This isn't the fault of Android - Google manage to keep the Nexus phones up to date.

          1. LDS Silver badge

            Re: What's Google afraid of?

            How many device drivers come with Windows itself, many of which are written by MS itself? A lot of them. And many others are also hosted on Windows Update. Of course MS can't write drivers for hardware that wasn't even available when Windows was released, or for which there are no available specs (say nVidia cards...)

            And - LOL! - "with phones is each device differs greater than computers do" - again - LOL! - under the hood phones are much more alike each other and built on the same components than computers where there are far more components (internal and external) and different ones than in any phone - especially since they last much longer and thereby there are also several generations of components to support.

            Do you believe Dell, HP & C. would not like to sell you a new PC as well? They do customize Windows install to add their drivers and their applications as well. Just the OS can still be updated without waiting for special builds because it's a far better OS than Android.

            It's Android's fault it doesn't allow itself to be patched by anyone but the hw manufacturer. It puts users at risk unnecessarily. Today phones are no longer phones - they are computers with a lot of data in them. Apple does patch supported models, MS does. Only Google puts users at risk because its OS is only a trojan horse to gather data, and thereby it has no interest in keeping it secure for all users.

            1. Anonymous Coward

              Re: What's Google afraid of?

              LDS: You're quite naive. The only time I have a problem with a junior is when they're unwilling to learn because they think they know it all.

            2. Anonymous Bullard

              Re: What's Google afraid of?

              And - LOL! - "with phones is each device differs greater than computers do" - again - LOL!

              Don't you have anything more intelligent to respond with than "LOL"?

              A phone's firmware is specific to that phone. This isn't an Android thing, it's the way phones are. They're not designed to have swappable parts or different operating systems. They're disposable - compared to a PC. When did you last build (as in compile) an OS for a phone... and just the instructions were even vaguely the same for a different phone in the same product range?

              The problem with Android is that Google are not as strict as Microsoft are with Windows, regarding updates - I guess they were relaxed on this while they were emerging. But Android does "allow" updates, because their Nexus phones support it, as do most other phones (for about a year or so - until the manufacturer abandons it).

              This does happen with PCs, but the time-scale is more generous - how much working hardware have you accumulated, but you can't use it because the drivers aren't available for your new OS?

              1. h4rm0ny

                Re: What's Google afraid of?

                >>"The problem with Android is that Google are not as strict as Microsoft are with Windows, regarding updates"

                Google don't control updates on Android and they cannot. Google's business model is to give Android away for free and make money from its use. They have no power over the OEMs and they can't push directly to end users' phones because they don't have a path to those devices. Nor would they really want one, as pushing updates to a huge array of different hardware each running software that a third party (the phone OEM) has installed and which Google don't manage is a recipe for disaster. All that Google can do is facilitate the OEMs updating the code as and when fixes come out. Which they do by releasing updates to the Android codebase.

                I don't think updates to Windows and Android is comparing like for like, tbh.

                1. Anonymous Bullard

                  Re: What's Google afraid of?

                  Google don't control updates on Android and they cannot

                  Of course they can, they can add it to the conditions of having the Google apps on their phones, effectively forcing the manufacturers.

                  I don't think updates to Windows and Android is comparing like for like, tbh.

                  Me neither, that was my initial point; Phones and PCs are different.

                  1. Charles 9 Silver badge

                    Re: What's Google afraid of?

                    That would've been a deal-breaker for the carriers, especially when Android was just getting on its feet.

              2. LDS Silver badge

                Re: What's Google afraid of?

                Does your memory allow you to read and remember more than one sentence? There is far less variety in phone hardware than PC. All of them are built more or less around the same ARM processors, and chipsets for mobile and wifi comm.

                Sure, a lot of models with different shells, and little more. A phone firmware is specific to a given phone more for marketing reasons than technical ones. Guess most of the code is the same across a wide range of models but a few tweaks to avoid you being able to "upgrade" a phone just by uploading a different one. Even the PC was a "closed" system until compatible "firmware" aka "BIOS" was created - and most BIOSes can be easily tweaked to work across a wide range of hardware.

                There is far less hardware Android has to support compared to Windows or Linux itself, which runs on many more different devices, processors and architectures, and a much wider range of peripherals.

                The fact is Google doesn't care about Android as an OS, it does care only that it is cheap enough to be installed on as many phones as possible and funnel data to the Google black hole. If something bad happens, who cares? It's users' data, not Google's. Google makes money "stealing" and funneling data, not keeping the OS updated and safe (unlike MS, which makes money selling software....)

                And Google can blame the handset maker... but this policy means there are a lot of vulnerable Android devices around. It's not a technical problem, it's just a financial and marketing decision. Google don't want to spend much money in keeping Android secure.

                Using Windows, usually it's the hardware evolution itself that makes older hardware unusable rather than Windows itself. My last PC has only PCIe slots, thereby I had to get rid of all the PCI cards. Windows would have supported them without issues. But I'm still using other devices several years old.

                If there is something Windows does well, it is legacy support. Sure, you have to choose some good hardware and not crappy cheap stuff with bad drivers available only from its producer that will vanish in a few months without ever submitting drivers to MS for WHQL certification....

        3. Charlie Clark Silver badge
          Stop

          Re: What's Google afraid of?

          So, you should ask Dell, HP, Lenovo, etc. or yourself if you custom-build your system for patches for Windows?

          I think you'll find the EULA on a PC is with Microsoft and not with Dell, HP, Lenovo, etc. This makes Microsoft contractually obliged to maintain the software.

          With phones the software contract is with the manufacturer and not with Google. Unfortunately, we haven't had enough court cases to improve the distribution of security updates by those manufacturers.

          1. lucki bstard

            Re: What's Google afraid of?

            'I think you'll find the EULA on a PC is with Microsoft and not with Dell, HP, Lenovo, etc. This makes Microsoft contractually obliged to maintain the software.'

            Do you mean OS or machine?

            If you read the EULA (you did, correct, before you installed it?) then you will know what Microsoft is obliged to provide. If you don't like the EULA then don't install the software and use something else. If you feel that Microsoft software is so important to you that you cannot use another product then ask yourself what you are complaining about.

            You don't have to use their product.

            1. Charlie Clark Silver badge
              FAIL

              Re: What's Google afraid of?

              @clueless bastard

              If you read the EULA (you did, correct, before you installed it?) then you will know what Microsoft is obliged to provide. If you don't like the EULA then don't install the software and use something else. If you feel that Microsoft software is so important to you that you cannot use another product then ask yourself what you are complaining about.

              You don't have to use their product.

              The EULA that came with the software preinstalled on the machine? The software I paid for because of the volume licence that MS has with the hardware manufacturer?

              1. revdjenk

                Re: What's Google afraid of?

                I ran win8 long enough on my machine to get to a setting on the "charms" bar to make a change so I could install Linux.

                To get to that point, I had to accept the EULA, even though I never intended to use win8.

                See the problem there?

                [Oh, and I am one of many who don't have to struggle with Patch Tuesdays. Mine are delivered when necessary and needed, and I apply them, and continue on with my productivity.]

                1. h4rm0ny

                  Re: What's Google afraid of?

                  >>"I ran win8 long enough on my machine to get to a setting on the "charms" bar to make a change so I could install Linux. To get to that point, I had to accept the EULA, even though I never intended to use win8.See the problem there?"

                  Actually, no. If you want to wipe Windows off and install GNU/Linux, why do you need to enter Windows and change settings to do that? You can do anything you need from UEFI.

    2. juul

      Re: What's Google afraid of?

      Spot on about the android/handset thing, every handset maker should be forced to sign over all rights to the handset OS (disclosing how to install other OS's) 7 days after they no longer make updates for it.

  6. SolidSquid

    If Microsoft is telling the truth and Google decided to stick to its 90 days even though a fix was in place and ready to release on the next patch day, then Google was at least somewhat in the wrong. Although I'd raise issue with the idea that you should sit on a patch for a zero day exploit for weeks just so a designated day can arrive, rather than releasing when it's ready, because people got so fed up with the number of patches your software needed.

    1. LDS Silver badge

      It's not the number of patches, it's that patch distribution needs to be managed as well. It was sysadmins who requested a paced patch rollout so they can manage it and keep tests and reboots to a minimum. Home systems could receive a patch a day without issues, other systems require tests and time to be taken off-line, shut down and rebooted.

      Windows Update and WSUS can deliver patches continuously without issues, and Windows can patch itself and reboot automatically when needed. Just, in most situations, you can't really work that way.

      MS does release off-cycle patches when really needed, but that means more effort by system maintenance teams to test and apply them.

      1. Anonymous Coward
        Anonymous Coward

        You're talking out of your arse, mate. Come back when you've actually worked on Windows.

  7. LDS Silver badge

    fors...@google.com could be a good researcher...

    But he can't write "correspondence" correctly.

  8. Anonymous Coward
    Anonymous Coward

    Got to agree with Google on this one

    A 3 months deadline for fixing critical security bugs is plenty of time IF you take security seriously

    1. Anonymous Coward
      Anonymous Coward

      Re: IF you take security seriously

      See, there is a certain maximum complexity that security bugs have, there is no way for them to be any more complex than this limit and that's how we know 90 days is ALWAYS enough. IF you take security seriously. Which I'm implying MS don't. Because they've left this patch till their regular patch Tuesday instead of doing a special Google Friday release. Which they should do because GOOGLE!

    2. LDS Silver badge

      Re: Got to agree with Google on this one

      IF and ONLY IF that's the only thing you have to take care of, sure - but do you believe people working on Windows maintenance are there just to wait for Google to submit a vuln? Or maybe they are working on other scheduled tasks as well?

      Would you like someone interrupting your work and shifting priorities continuously, just because one of your customers yells louder than others so you must always prioritize its requests or it continuously threatens you?

  9. Mystic Megabyte Silver badge
    Black Helicopters

    occam

    The simplest explanation is that the NSA had intercepted a shipment of Win8 devices, inserted the malware but had run out of sticky tape to re-seal them. Hence the delay, it's obvious innit :)

  10. dajames Silver badge

    Take security seriously

    I can understand Microsoft wanting to wait for a convenient date on which a batch of fixes can be released as a single set of updates. No doubt this reduces the cost of production, management and testing of the patches ... and for minor bugs and shortcomings such an approach will be acceptable to most users.

    Security issues are different, and deserve to be treated differently. The patches should be produced and released as quickly as possible, and should be independent of (i.e. not held up by) the scheduling of run-of-the-mill bugfixes. Yes, it costs more to do it that way ... but allowing security fixes to go unfixed for longer than is necessary is unforgivable.

    90 days sounds an awfully long time to wait for a security fix ... and we should remember that if Google can discover the bug, so can other people. There was no guarantee that the bug would remain unexploited until Google published details. The correct time to release the patch was "ASAP" not "in 90 days".

    1. Charles 9 Silver badge

      Re: Take security seriously

      Question is, what if 90 days isn't enough for ASAP? Suppose the bug is intertwined such that fixing it is like untying a Gordian knot?

  11. Aslan

    Hackers are heroes

    If Google wasn't telling me about these holes in Windows I know Microsoft wouldn't be. Heck, Microsoft wouldn't even have been fixing the holes. I think 30 days is too long to wait for disclosure of the flaws. I could see holding off on the exploits for 45-60 days after discovery.

  12. Anonymous Coward
    Anonymous Coward

    That's a bit low ...

    ... even by Google standards.

  13. silent_count

    If this were a vulnerability that allowed people to activate Windows without paying Microsoft:

    a) There would be no complaining that Google gave them only 90 days notice because there would be a patch ready to go within a week.

    b) Nobody at Microsoft would be saying, "Well yes, the patch is ready but we really should wait until 'patch tuesday' to deploy it."

    On the other hand, if this were a vulnerability whose disclosure would cost Chrome market share, I'll bet'cha Google could have found it within themselves to wait a couple of days longer.

    1. sqlrob
      Terminator

      We already know

      There was a DRM break, but not activation a few years ago. Three days. Out of Cycle.

  14. Alistair Swanson
    Meh

    Rules are rules

    If you say you are going to do something, then do it. There seem to be a lot of downvotes on here from people who disagree with that principle.

    Were all the downvoters complaining about Google's policy 91 days ago too? That would have been a more appropriate time to raise your concerns.

    1. I ain't Spartacus Gold badge

      Re: Rules are rules

      Probably a lot of the down-voters were complaining about this policy, when Google pulled the same stupid, arrogant, counter-productive stunt last year.

      If you say you are going to do something, then do it. There seem to be a lot of downvotes on here from people who disagree with that principle.

      OK. I'm going to strangle a cute little puppy every hour, unless someone brings me beer. OK. I've said it now, I've got to stick to it. Does that magically make it moral?

      MS have a monthly patch cycle. Which makes their life easier, but also their customers' lives easier. Which is the reason they did it, rather than just releasing updates as soon as they were done. They've been doing it this way for years now.

      MS told Google when the fix would get deployed. It doesn't look like a serious enough bug to break their patch cycle, so for Google to release a couple of days before that patch is irresponsible, unreasonable, and a (minor) risk to the security of users.

      It doesn't make me think worse of MS. They have improved their security massively in the last 10 years, though it's far from perfect - and all software has bugs. And they certainly earned their shocking reputation in the period before that.

      It does make me think worse of Google though. Their arrogance and lack of restraint reminds me of Microsoft of a few years ago. Also their completely piss-poor attitude to Android security means they should be dealing with their own glass house, before chucking stones at other people's. They deliberately set that system up to be a security nightmare. Which was just about understandable when they were trying to grow marketshare, but they've had the dominant hand in their vendor relationships for years now, and while they've acted to defend/gain control of features and data from the vendors by shoving more and more of the gubbins into Google Play Services - they've done fuck-all to address the gaping security vulnerability they've created by leaving patching to the vendors (who they fully know won't do it). At least MS make a decent attempt to test against the more common of their vendors' drivers and customers' software - and set their system up to patch everybody.

      1. I ain't Spartacus Gold badge
        Happy

        Re: Rules are rules

        I await the voting with interest...

        Apple fans got accused of being mindless downvoters ages ago, but I've never had that problem when making fair criticisms of them.

        Being rude about Microsoft has been a sport for ages. If you count shooting fish in a barrel as sporting... In fact I used to get a lot of downvotes just from being nice about Windows Phone 7, back when I had one. My iPhone and my previous 'Droid were much better mobile computers, but the Lumia 710 was the best smartphone I've had at being a really good phone.

        The funny thing is that the Google fanbois can still be relied upon to leap to the defence of their favourite company. Google do an awful lot right, so I guess there's a lot to like, but they also do an awful lot wrong - so there's plenty to criticise too. In my opinion they'll be a much better company when they've been taken down a peg or two. It certainly improved Microsoft.

        1. Anonymous Coward
          Anonymous Coward

          Re: Rules are rules

          It's a shame "discussions" here have got to "CompanyX is better than CompanyY at everything".

          As soon as you mock Microsoft, for example, someone throws dirt at Google - and another gives a jab at Apple. You're all so pathetic! These companies have you all wrapped around their little finger.

          At least we all agree on one thing: Oracle are the shittiest!

          1. I ain't Spartacus Gold badge
            Happy

            Re: Rules are rules

            I'm not sure that even Oracle don't have the fanbois. Probably sad, wizened creatures - all looking rather like Gollum. They know they had their precious somewhere, but somehow seem to have mislaid it. None of them have yet noticed the coincidence that their precious disappeared just after the Oracle salesman came to visit.

            But I'm told they exist, from someone who's observed "my database is better than yours" bunfights online.

  15. Phil_Evans

    Best interests?

    From said article: MSFT: "Specifically, we asked Google to work with us to protect customers by withholding details...".

    So just like a 'free gift', I guess we are going to soon see a prOXYMORON server from Redmond where the interests of users can be better 'determined' by a NAT (Nefarious Attribution Table) component. Users' security interests can then be determined by another, more responsible middle-man. The proxymoron server would provide an IIS (Interests Intervention Server) connection on the user's behalf, blocking access to any malicious HTTP (Honest Totally Transparent Perspective) page that might be out there waiting to pollute your little Orwellian existence. The entire browsing experience would be seamless to the user.

    Or they could just say they have a problem and admit it, together with an idea of when they can be arsed to fix it.

    1. sabroni Silver badge

      Re: Best interests?

      >> Or they could just say they have a problem and admit it, together with an idea of when they can be arsed to fix it. <<

      Umm, that's exactly what happened. The problem was Google didn't want to wait the few days between their "deadline" and patch Tuesday. Next time you pull a quote from an article maybe you should read it too?

  16. Big_Ted
    FAIL

    When reading this and the comments

    All i can think is WTF......

    I have a security risk on my software/OS ?

    OK is there a fix ? great thanks....

    What the fuck do you mean I have to wait for it till you can be bothered to give it to me. I want to be able to download and install it now.

    Windows Update allows me to decide what to install when, and sysadmins have the same rights for all their kit, so what's the problem?

    MS you are big enough to be able to manage this as having all your updates / fixes posted the day you complete them. There is no reason I can see for needing to wait up to a month for a security fix.

    So WTF is the reason for making me wait ?

    1. Anonymous Coward
      Linux

      Re: When reading this and the comments

      There is no reason I can see for needing to wait up to a month for a security fix.

      Me neither!

      So I did something about it.

    2. LDS Silver badge

      Re: When reading this and the comments

      Because updating your single bedroom PC used to download porn from torrents is a bit different than updating a large number of critical systems where downtime needs to be minimized (because you may have contractual SLAs, or lose a lot of money if something goes wrong), and thereby patching must be carefully planned and executed properly (ever patched a cluster while shifting many workloads across nodes?) on many different systems in the proper order - often running complex applications which may have their own migration/shutdown/restart procedures as well. Sure, you can (and should) automate most of them, still it's not something you like to perform too often - and it may also mean you have to perform it outside standard office hours - maybe during the night or weekends... how many nights and weekends are you ready to spend installing patches?

      That's why sysadmins working on those systems complained about patches delivered continuously. That's why MS moved to a monthly release. Often hotfixes which don't require a security disclosure are made available before they are released as full patches through Windows Update. That can't be done with security patches, because once a vulnerability is known, it becomes easily exploitable - thereby you have a very short window to implement it unless you have other ways to mitigate its risk.

      Is this so hard to understand? Could some people see beyond their nose and their little, little world?

  17. Anonymous Coward
    Anonymous Coward

    question for the lawyers

    if, in this instance, MS had asked Google to hold off because of the upcoming fix and they blabbed anyway and a user gets impacted as a result of the disclosure before they're able to apply a fix... are Google open to being held responsible for any damages?

    1. eulampios

      Re: question for the lawyers

      .... are Google open to being held responsible for any damages?

      According to Microsoft's own EULA, MS cannot be held responsible for any damages inflicted by their software...more than the license cost. Why would Google be held responsible for MS bugs?

  18. Anonymous Coward
    Anonymous Coward

    If you actually look at the bug report...

    (and it appears most here haven't)

    > Microsoft confirmed that they are on target to provide fixes for these issues in February 2015. They asked if this would cause a problem with the 90 day deadline.

    < Microsoft were informed that the 90 day deadline is fixed for all vendors and bug classes and so cannot be extended. Further they were informed that the 90 day deadline for this issue expires on the 11th Jan 2015.

    > Microsoft confirmed that they anticipate to provide fixes for these issues in January 2015.

    So at first MS wanted an extra month(!), Google said no which forced MS to move quicker. This is the effect that strongly adhering to your deadline provides.

    If MS were so concerned, then why were they first prepared to delay the release to 4 months? Also, why couldn't they have released their patch a few days earlier - instead of expecting everyone to adhere to their policies?

  19. TricksterWolf

    I have a hard time believing Microsoft's story that "we told Google in advance we needed exactly 92 days to solve this". Nopony knows that kind of detail in advance. This looks a lot like an attempt by MS to weaken the standard, which is a typical modus operandi for them.

    Ninety days is extremely generous.

    1. Anonymous Coward
      Anonymous Coward

      Yes. I think this is more a battle of egos more than anything else.

      "We are Microsoft! How dare you give us a deadline! We'll have it ready in 4 months"

      "No, we are Google! How dare you disrespect our deadline! You still have 90 days"

      "ok, but it will be 2 days late - because we are Microsoft!"

      If you've ever had to deal with anyone at Microsoft, you'll notice they are very arrogant.

  20. Anonymous Coward
    Anonymous Coward

    Who is accountable to the compromised customers.

    No one, that's right, 90 days even over the holidays (hackers love Christmas, all those servers and no one monitoring or too drunk to care).

    When MS or Google or anyone in IT starts being actually accountable for the crap they dump out on people then we could argue on semantics; until then this is the best way forward. At any rate, one of the main reasons for the argument of "don't want to rush the fixes, they may break things" is because it is not financially motivated. If vendors actually had to pay compromised customers damages then hey, it would be financially motivated. BTW I'm sure this privilege escalation existed for much longer than 90 days. It was only disclosed to MS officially over 90 days ago. Interesting fact about WinXP: it was released with 10000 known bugs when it was launched in Aug 2001 and that was with 45 million lines of code. Windows 8 is, from what I can find, between 30 and 80 million lines of code; how many bugs were known at launch time, just saying.

    Yes I know that bad admins can break things, true but maybe we should have admins worth their salt right. You know the ones that most people hate, the ones that won't compromise on any bad practice even if the CEO or board of director members (and all management below) say otherwise. That would mean, not auto-save passwords, two factor everything, min 20 char passphrases w/up-low-num-special , no BYOD/IoT, no non-centrally managed devices, hardened everything, no facebook or any personal surfing of any sort... You know that guy, the one that gets fired for taking his job seriously.

    Ah well I guess we will always kill the messenger every time right?

    1. Anonymous Coward
      Anonymous Coward

      Re: Who is accountable to the compromised customers.

      Yep, it's a balance between usability and security, with the admin as the pivot. At one end of the scale you have a secure system, and at the other end you have a usable one.

      Windows has yet to find itself a place anywhere on that scale...

      1. Anonymous Coward
        Anonymous Coward

        Re: Who is accountable to the compromised customers.

        Because Windows is in the uncomfortable position of basically having an impossible demand: trying to provide highly-secure software that's still usable to a total idiot. Kind of like trying to build the ultimate front door for the mentally retarded...

        I'm sure there are people who would love to know how to solve for BOTH ends of the scale at once.

  21. W. Anderson

    Those commenters supporting Microsoft on this issue have no proof (what-so-ever) that Microsoft did actually plan a fix for said bug on January 13th when stated, or that Microsoft did ask Google to delay information release.

    Microsoft has a long and well documented history of lying and deceit about these types of matters, and until the company can provide verified proof of good intentions in regard to its communications with Google or any other strong competitor, I and most other intelligent and reasonable consumers (not Microsoft dupes and goof balls) should not make quick and probably false judgement against those entities that Microsoft virulently hates and considers "a cancer" for no logical or sane reasoning.

  22. lucki bstard

    How about you all start thinking of this in the real world and put your MS v Google spats on the back burner. A lot of people in the comments section appear to have too much time on their hands and not enough experience of the real world.

    This is about code but is also about clients. I notice a lot of comments about the software patching time (development and testing internal to MS) and that is interesting to read. However, has anyone thought of the clients and about their testing and patch deployment?

    Well for those who don't then try reading the official standard 'http://msdn.microsoft.com/en-us/library/cc750077.aspx' from MS.

    Then in the real world think of terms such as 'change freezes' (common over major holidays), patch testing before entering production (you do do due diligence on your patching?), and also patch cycles. If you're not aware of what those terms mean then please look them up. In real terms that means machines, unless an emergency change can be pushed through (you do do change management, correct?), may be exposed for anything from 30 days to forever, depending on the company and their patch schedule.

    To put this into context, who does Google help in this instance, nobody; and that is what is wrong. Especially as for all of us, our clients should be our number one priority, in this case Google has failed big time.

    And for all the software developers please before you criticize put a disclaimer in that you have never written code that later needed revising. Everyone makes mistakes, its how they are responded to that is important.

    1. Richard 12 Silver badge

      Google got you the patch a month early

      MS wanted to delay to mid-February.

      Google pushed them to fix it now.

      In fact, Google pushed them into fixing it at all.

      Now, perhaps MS will put more effort into detecting and fixing these earlier.

      Perhaps MS will also put more effort into finding and disclosing security problems in Google's products - and giving Google a fixed 90 days to fix them.

      In both these scenarios the customer wins.

  23. Marketing Hack Silver badge
    FAIL

    Got to agree that Google was out of line on this one.

    If MS scheduled a release of a fix in a period that was slightly longer than 90 days and asked for a delay in releasing the zero-day until then, then I think that is reasonable. Especially given the impact of the Christmas holiday on development and distribution productivity.

  24. Leeroy Silver badge

    Fire with fire

    I'm sure that MS can find some equally exploitable code in one of Google's applications, maybe even Android ?

    Just to be bastards about it they should implement a 60 day policy for fixes after reported. Draw the line at providing proof of concept code but demonstrate the flaws.

    Would be good if Google responded with a 30 day ultimatum :p

    WE WIN... ?

  25. MissingSecurity
    Stop

    So WAIT!

    Are you all suggesting it's OK for MS to demand that Google extend their Zero day policy by two days for the sake of keeping MS's patch Tuesday in line, when "supposedly" Microsoft HAS A FIX, and can't just release it? At least they have control over that process, right?

    Look, this is nothing new in the security community, some people want to disclose everything and some nothing, but guess what, we still are paid by companies trying to make money and quite frankly, a little forced competition is good.

    This wasn't really a Google PR stunt, not by a long shot. This is actually MS taking a well defined policy of their competitor and trying to make themselves look like saints.

    We know two things:

    1) MS managed to complete a patch for this in 90 days (so you can't say the time frame is unreasonable)

    2) MS patching policy didn't line up with Google's release policy.

    MS can control its release schedule if it wants, Google can control its Zero Day policy if it wants; stop blaming each other when they both have plenty of control for their users.

  26. L05ER

    Good.

    in a perfect world this would spur an exploit cold war of sorts... with microsoft and google blowing through their respective cash hoards. poring over each other's software... each trying to defame the other (not that M$ could lose much fame over the quality of its code). it would be glorious.

    billions pumped back into the economy and we all get better software... that's a win-win in my book.

    but we all know no one can be bothered anymore... i used exactly one capital letter in this entire post, for example. so they'll cry about it, maybe sue someone and move on.

  27. Duffaboy

    Google are right to do this

    Mid December MS released a patch which trashed IE9; we are still awaiting the fix. So hats off to Google, it might be a commercial swipe but it's got to be done.

  28. DougS Silver badge

    Lots of Google apologists still think they "do no evil" I guess

    Asking for a two day extension to allow releasing the patch on your regularly scheduled patch Tuesday isn't too extreme. What if they found the fix was pretty involved and would take another month or two?

    When this first surfaced and people suggested Google was trying to make Microsoft look bad I dismissed it. Based on the evidence of this and the Aviator browser I have to rethink that. I think Google is using their security team as a weapon to make others look bad.

    I guess they don't care because if someone finds a bug in Google code it is either internal code where they can fix it on their own schedule and don't have to do the complicated regression testing that is required when there is a public API exposed, and if it is Android it doesn't matter because only a minority of devices that have the bug will ever receive an update that fixes it anyway.

    1. MissingSecurity

      Re: Lots of Google apologists still think they "do no evil" I guess

      No one is really being an apologist. I stated it before, Microsoft have control over their patching schedule, Google over their Zero day release schedule. These two are major competitors, so they don't have any need to support one another.

      If this is such a big deal, why was MS releasing patch notes a WEEK in advance for upcoming security updates? I'm sure half the people blaming Google for this release were in the last article discussing how MS took away notification systems for non-paying users, and how that made them vulnerable.

      Yes, by proxy, Google got in a Jab, MS are trying to make it out to be Google fault, but in the end this is why we have competition in the market place. Security is no exception.

  29. Someone Else Silver badge
    Headmaster

    “What’s right for Google is not always right for ~~customers~~ the Product. We urge Google to make protection of ~~customers~~ the Product our collective primary goal,” he adds.

    There...FTFY

  30. Anonymous Coward
    Anonymous Coward

    I am going to have to side with Google on this one. Microsoft knew about it, fixed it, and put off sending out the update. Google needs to stick to their 90 day rule, otherwise every software vendor will ask for extensions.

  31. Winkypop Silver badge
    Devil

    Google

    Do no evil *

    * conditions apply

  32. Anonymous Coward
    Anonymous Coward

    Am I the only one

    that thinks all MS security fails should be disclosed as soon as they are found?

  33. Windows8

    sharpsone@hotmail.com

    Google is/are a bunch of pricks! The trust end-users place in the security of their data stored on a local system or cloud is sacred. We want to use our computers/devices and we want the data to be secure from prying eyes unless we decide to share it openly and willingly. Google crossed a line; corporations shouldn't sell one another out in hopes of stealing market share. Unfortunately this is a dirty tactic by Google and MS will likely retaliate at some point. I don't want the place holder of my data fighting with another entity for my dollars. Especially if they are willing to cut each other's throats to make a few dollars. Google you suck! You will Never Ever earn a penny from the hard earned money I make. I will stick with Redmond, tried, true and clearly looking out for the best interest of consumers.

    1. mrweekender

      Re: sharpsone@hotmail.com

      I'm sorry, is this a satirical post? If it is, hat tipped; if not, you sir are a buffoon - I like the word buffoon and to be honest I could have used it to reply to a large number of comments on this topic. Both MS and Google couldn't give a flying fuck what any of you think - get over it.

  34. Mahou Saru

    I wonder if this is more about trying to make Google sign up for...

    Coordinated Vulnerability Disclosure

    "Under no circumstances will Microsoft release details of an unpatched vulnerability unless evidence of public attacks exists, as outlined in subsection F, Exceptions to the Vulnerability Public Disclosure Process, below."

    So as long as MS responds they don't need to release a patch unless the exploit surfaces or the details are known.

    MS: sign this

    Goo: err no

    MS: well we won't release our patch until Tuesday

    Goo. o O (hmmm if we break our own deadline it will just give them more ammo to press us to sign it)

    Goo: releases details as stated in their terms and conditions.

  35. danbi

    What would you expect from Microsoft?

    Typical Microsoft nonsense. Even if the patch was released today without disclosure, most Windows computers won't be protected... And criminals will just continue to make use of that "small" vulnerability.

    They should be thankful to Google for sharing that knowledge, and not abusing it themselves...

  36. Displacement Activity
    Meh

    So MS can't tell the difference between 90 days and 3 months...

    Nothing to see here - move on.

  37. Richard Cranium

    Google were grossly irresponsible but...

    I find myself in the most unusual position of condemning Google and praising Microsoft! Ouch!

    Google know MS's release schedule, MS know Google's 90 day bug fix deadline and had asked for a couple of days' extension to fit with that schedule. Who benefits from Google disregarding that request? Google (score points against MS) and the hackers (get a couple of days to break my system). Who benefits from a couple of days' delay? You, me and every other Windows user less at risk.

    Yes, MS could patch more frequently, but that is disruptive to users; monthly is normally fine. And I often put my PC into sleep mode rather than shut down overnight, just doing a full shut-down 2 or 3 times a week on the main PC, less frequently on the always-on but less used laptop. I know about Patch Tuesday and take care to shut down then, as the patches only get installed at shut-down and reboot.

    I would expect MS to do an out-of-band update if a vulnerability is being actively exploited - and they do. That's the responsible approach and I commend them for it. Suppose they decided to bring Patch Tuesday forward a couple of days in the face of Google's intransigence? (BTW did Google just go ahead or tell MS first?) - I'd probably not reboot till Patch Tuesday anyway, so I'd have been vulnerable.

    But: should MS go public with their complaint about Google before the patch has gone out? Surely that just advertises the bug more widely in case any hacker missed Google's announcement. I guess there may be an argument that if Joe Public knows there's an unpatched vulnerability he can do something to protect himself - good luck with that...

  38. Zombieman
    Trollface

    Schedules, bloody schedules

    Whilst Google and Microsoft are doing the PR equivalent of slapping each other in the face with a wet fish, people with exploits keep coming and have an almost total disregard of anyone's schedules, 90 days, calendar dates, day of week/month, whatever. They pay attention "a bit" hence the phrase "patch Tuesday, exploit Wednesday" that has come about.

    IMHO if a patch is available, let it free as soon as you've tested it suitably (more than recent months please Microsoft *grin*) - any worthy sys admin has tools in place to control patching (hint for MS: that WSUS thing you have) so if they want to deploy monthly they can just let the updates build up until they are ready but still have the opportunity to respond to "zero day" problems.

Biting the hand that feeds IT © 1998–2019