Let’s not for a minute attempt to deny the fact that Google and Microsoft have a long history of feuding. In this instance, the feud is about how discovered vulnerabilities were handled. If Google discovers a security flaw, they report the bug to the software vendor regardless of whether the vendor is Microsoft or anyone else. While not stated in the Project Zero announcement from July 15, 2014, it appears that Google typically allows a vendor 90 days to formulate a patch. Once the 90 days have elapsed, Google makes the vulnerability public. Microsoft believes they have a right not only to request more time but to castigate Google for adhering to their 90-day policy.
In this particular instance, Google has made public information on the NtApphelpCacheControl bug found in Windows 8.1.
Funnily enough, or perhaps not-so-funnily, it appears that most of the reports being filed about this feud seem to have some rather basic information incorrect. Just like in a game of ‘telephone’ once one reporter got the story wrong, a lot of the rest simply followed suit. While I love finding source information, it never fails to irritate me when I find that in most of the trending articles, the information is simply a rehash of what someone else wrote an hour or two earlier. While these incorrect articles may pass Copyscape, what they don’t do is pass on the correct information.
Microsoft is seemingly ticked off that Google has made public a bug that was reported to them over 90 days ago. The vast majority of the reports indicate that Microsoft is up-in-arms because they ever so politely asked Google to refrain from making the NtApphelpCacheControl vulnerability public because they plan to release the patch in 92 days (on Tuesday, January 13, 2015) as opposed to the 90-day deadline that they were given.
There are so many things wrong with this that I’m not even sure where to begin.
The NtApphelpCacheControl vulnerability was an issue sent to Microsoft on September 30, 2014. Keeping to their 90-day disclosure deadline, Google released the information publicly on December 29, 2014, and not on January 11, 2015.
So, just to be perfectly clear, the NtApphelpCacheControl vulnerability about which everyone is reporting does not appear to be the catalyst for this recent bashing of Google by Microsoft.
Microsoft, in case you didn’t know, has a rather well known “Update Tuesday” schedule where security patches are released on a scheduled time frame, typically the second Tuesday of each month. Yep, that’s what I said, typically once a month. For more information on Microsoft’s approach to Windows updates, feel free to read this InfoWorld Tech Watch article.
Since the newest “Update Tuesday” isn’t scheduled until tomorrow (January 13th), simple math indicates that the vulnerability in question must be a different one.
Enter the second bug, reported to Microsoft on October 13, 2014, involving an elevation of privilege issue. This vulnerability was made public yesterday on January 11, 2015. THIS appears to be the issue in contention as there is notification that Microsoft requested an extension on this bug’s 90 day deadline.
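The date arithmetic behind the two bugs is easy to get wrong, which is exactly how the reporting went astray. The following script is an added example, not code from the original post or from either company: it applies the two rules the post describes (a 90-day disclosure window counted from the report date, and a vendor patch cadence of the second Tuesday of each month) to both report dates and shows how far the earliest scheduled update would land past each deadline, and how many scheduled update days fell inside each window. The 90-day window and the second-Tuesday rule are taken as assumptions from the post; nothing here reflects Microsoft's actual internal release planning.

```python
from datetime import date, timedelta

# Assumed disclosure window, as the post describes Project Zero's practice.
DISCLOSURE_WINDOW_DAYS = 90

# Tuesday in Python's date.weekday() numbering (Monday == 0).
TUESDAY = 1


def disclosure_deadline(report_date: date, window_days: int = DISCLOSURE_WINDOW_DAYS) -> date:
    """Day on which the reporter's disclosure deadline expires."""
    return report_date + timedelta(days=window_days)


def second_tuesday(year: int, month: int) -> date:
    """Assumed vendor update day: the second Tuesday of the given month."""
    first_of_month = date(year, month, 1)
    days_to_first_tuesday = (TUESDAY - first_of_month.weekday()) % 7
    return first_of_month + timedelta(days=days_to_first_tuesday + 7)


def _next_month(year: int, month: int) -> tuple:
    return (year + 1, 1) if month == 12 else (year, month + 1)


def next_update_tuesday(on_or_after: date) -> date:
    """First scheduled update day that falls on or after the given date."""
    year, month = on_or_after.year, on_or_after.month
    candidate = second_tuesday(year, month)
    if candidate >= on_or_after:
        return candidate
    return second_tuesday(*_next_month(year, month))


def update_tuesdays_between(start: date, end: date) -> list:
    """All scheduled update days in the closed interval [start, end]."""
    found = []
    year, month = start.year, start.month
    while True:
        candidate = second_tuesday(year, month)
        if candidate > end:
            return found
        if candidate >= start:
            found.append(candidate)
        year, month = _next_month(year, month)


def patch_slip(report_date: date, window_days: int = DISCLOSURE_WINDOW_DAYS) -> tuple:
    """Return (deadline, earliest update day on/after the deadline, days late).

    'Days late' is how far the first scheduled update day after the deadline
    lands past it; it is 0 only when an update day coincides with the deadline.
    """
    deadline = disclosure_deadline(report_date, window_days)
    patch_day = next_update_tuesday(deadline)
    return deadline, patch_day, (patch_day - deadline).days


if __name__ == "__main__":
    # Report dates as given in the post.
    bugs = {
        "NtApphelpCacheControl": date(2014, 9, 30),
        "second elevation-of-privilege bug": date(2014, 10, 13),
    }
    for name, reported in bugs.items():
        deadline, patch_day, late = patch_slip(reported)
        inside = update_tuesdays_between(reported, deadline)
        print(f"{name}: reported {reported}, deadline {deadline}, "
              f"earliest update on/after deadline {patch_day} ({late} days late); "
              f"scheduled update days inside the window: {[d.isoformat() for d in inside]}")
```

Running it reproduces the post's figures: the first bug's deadline is December 29, 2014, with the next scheduled update on January 13, 2015, while the second bug's deadline is January 11, 2015, two days before that same update. It also shows that three scheduled update days (October 14, November 11 and December 9) fell inside the first bug's window, which is the point the post is making about whether the vendor lacked time.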
“Okay,” you are probably thinking. “What difference, really, does it make whether the reporters have the information on the specific vulnerability correct or incorrect?”
Notwithstanding my abhorrence of shoddy and/or lazy reporting, it makes a difference because not only have the news reports got the actual vulnerability incorrect, but they have failed to report that there are two issues, not just one, past the 90-day disclosure deadline. Additionally, I have found no indication that the NtApphelpCacheControl issue publicly reported in December has been fixed, or rather, will be fixed with a patch tomorrow.
Does it occur to no one else that these bugs might not actually be addressed when the patches are released tomorrow? Most of the news articles that I have read seem to take for granted that Microsoft has some basis for being angry at Google for adhering to their stated 90-day disclosure deadline because the problems are already solved.
Call me cynical if you will but until the patches are actually released, I can’t believe they exist. It seems to me that Microsoft might be attempting to escalate the feud between the two companies. While it has been said that there is no such thing as bad publicity, by publicly decrying Google’s policy, the company has merely brought these security issues more into the limelight. How long does it take for vulnerabilities to be exploited?
On the other hand, it also occurs to me that Microsoft, by focusing media attention on a vulnerability which could be patched tomorrow, 92 days after being reported, keeps the eyes of the public off the issue which has now remained unfixed for over 100 days.
One of Microsoft’s biggest arguments is that they plan to release a patch for the one issue “only two days late” during their monthly security update. This monthly update is scheduled for Tuesday, January 13th. The company, as far as I can tell, has not released any statements about the NtApphelpCacheControl issue. There is no outcry about Google making that vulnerability public, nor is there any indication that a patch will be released anytime soon. If the NtApphelpCacheControl vulnerability does not get addressed during tomorrow’s update, then most likely it will not be fixed until the February update.
If Microsoft were as hell-bent on actually fixing these bugs as they seem to be about creating additional dissension, then perhaps they might have sent out the patches before causing a public stir. Regardless of which company you agree with, there remain several truths. Google found a vulnerability and gave the vendor 90 days to release a patch before making it public. Microsoft did not release a patch within that time frame. Google made the issues public.
Each company has differing opinions about correct procedure and arguments to back up those beliefs. I’m certain that each reader will have his own opinion. Which company is more in the right? Who is the ‘bad guy’ here? What should or should not have happened? I plan on leaving these questions open to debate. Your opinions and comments are more than welcome.
One final word, though. Software vendors across the industry have adopted a set of practices sometimes known as Coordinated Vulnerability Disclosure (CVD). This means that not only Google, but Microsoft – as well as other vendors – routinely inform each other of vulnerability issues privately. This allows the vendor to work on a fix before the bug becomes public knowledge, thereby not creating an environment that eases exploitation. Google has taken the stand that issues should be fixed within a set amount of time once the vendor has been informed. Microsoft appears to have a different policy.
Again, who do you think is right?