Google apparently has no mercy for Microsoft’s developers, and is determined to stick to its 90-day deadline for fixing software flaws, as it publicly released details of an elevation of privilege vulnerability affecting Windows 8.1.
The flaw was reported on October 13 of last year, the disclosure deadline fell on Sunday, January 11, 2015, and the file documenting the issue has automatically been made available to the public.
According to Google security researcher James Forshaw, who discovered the flaw, Microsoft initially said that it was aiming to provide a fix in February 2015, and asked for an extension of the disclosure deadline.
“Microsoft were informed that the 90 day deadline is fixed for all vendors and bug classes and so cannot be extended. Further they were informed that the 90 day deadline for this issue expires on the 11th Jan 2015,” he noted in the comments on the issue.
In early December, Microsoft replied by confirming that fixes for the flaw would be provided in January’s Patch Tuesday, which falls on January 13, two days after the deadline.
This didn’t faze Google, which published the flaw’s details and a batch file proof-of-concept for Windows 8.1 Update on the predetermined date.
Google’s inflexibility when it comes to disclosing vulnerabilities its researchers have found was recently criticized publicly by Chris Betz, Senior Director of the Microsoft Security Response Center, who said that this behavior is endangering users.
“Ultimately, vulnerability collaboration between researchers and vendors is about limiting the field of opportunity so customers and their data are better protected against cyber attacks. Releasing information absent context or a stated path to further protections, unduly pressures an already complicated technical environment,” he noted.
The release of the previous Windows 8.1 flaw that triggered this criticism has also set off a lively debate in the comments about the right way to perform vulnerability disclosure.