Microsoft is unhappy with Google and the publication of a vulnerability in Windows 8.1
Let's recap. Last summer, Google announced the formation of a research group called 'Project Zero', charged with detecting and reporting security problems in its software or that of other companies. On September 30, this team alerted Microsoft to the existence of a vulnerability in Windows 8.1 that could allow third parties to gain control of a machine running Windows 8.1. The notice came with a 90-day time limit for Redmond to fix it before it was made fully public.
That is what ended up happening last week. After those 90 days passed without Microsoft having finished the fix, the Google research group made the vulnerability public, allowing anyone to learn about it and detailing how it could be exploited. This did not go down well in Redmond, where a solution was already in the works. So badly did it go down that Chris Betz, senior director at the Microsoft Security Response Center (MSRC), decided to publish a note regretting Mountain View's action and calling for a better understanding between the companies' security teams.
Betz is very critical of Google's handling of the matter. Apparently, Redmond had asked the 'Project Zero' team to delay publication of the flaw until January 13, when it planned to distribute a fix through its well-known Patch Tuesday updates. Unfortunately, Mountain View did not comply with the request, and that prompted Microsoft's response arguing for a better way of collaborating in this type of situation.
Microsoft considers Google's strategy to be wrong: having a research team find vulnerabilities in competitors' products, adding pressure with a time limit for them to be resolved, and threatening to publish if it is exceeded. Not all vulnerabilities pose the same level of threat, and often they have no quick solution or the fix is more or less complicated to apply, so setting a countdown to publication is not the best way to encourage their resolution.
Redmond instead advocates that researchers privately alert companies to potential vulnerabilities and work with them on a fix, without demanding time limits or threatening publication.
Via | Microsoft