Microsoft and Google Duke It Out Over Security Strategies
While they share many common causes, the world's largest tech companies are not above taking veiled and not-so-veiled potshots at each other, as the latest sniping between Google and Microsoft illustrates.
Earlier this month, a researcher with Google's Project Zero security team posted an extensive analysis of a Windows software bug, along the way criticizing Microsoft's policy of being slow to release patches for older versions of its operating system. This week, Microsoft fired back by publishing details about a Chrome Web browser vulnerability, and then taking Google to task for disclosing details about the flaw before pushing out a fix to end users.
Technology companies generally adhere to a process known as coordinated vulnerability disclosure, in which vendors are first notified about hardware or software flaws ahead of a public release of information. This is aimed at giving companies time to develop and release patches before details about vulnerabilities become widely available to the public as well as to hackers.
More than four years ago, however, Google said it would release public details about some bugs more quickly so end users could adopt fixes if vendors didn't fix critical vulnerabilities within seven days. That decision prompted accusations from Microsoft that Google was increasing, rather than reducing, potential security risks to customers.
'Problematic' Vulnerability Disclosures
Using the handle "msft-mmpc," the unnamed Microsoft author also noted that Google's method for dealing with Chrome bugs could "result in the public disclosure of details for security flaws before fixes are pushed to customers."
The author said that after Microsoft informed Google about the vulnerability on Sept. 14, Google showed an "impressive" turnaround by committing a bug fix in four days and releasing a fixed build three days later. However, the author added that Google also made the patch source code available on GitHub before the fix was made available to end users.
"Although the fix for this issue does not immediately give away the underlying vulnerability, other cases can be less subtle," the Microsoft researcher said, adding later that "it is problematic when the vulnerabilities are made known to attackers ahead of the patches being made available."
'Trolling' and One-Upmanship
This week's post by Microsoft came on the heels of an Oct. 5 analysis by Google Project Zero researcher Mateusz Jurczyk of a Windows vulnerability that Microsoft fixed first for users running the latest version of Windows 10, leaving users with older versions of the operating system with a "false sense of security."
By responding with its latest critique of Google Chrome security, Microsoft chose a "petty" tactic, technology writer Paul Thurrott wrote yesterday. "What Microsoft should have done is take the high ground," Thurrott said. "Do the right thing for your shared customers and just shut up about it."
Engadget echoed those comments yesterday, describing Google's and Microsoft's security-focused critiques of each other as "trolling," questioning the benefits of such one-upmanship. The consensus seems to be that perhaps it's time for both companies to renew their focus on the true prize: the security of their end users and customers.