Last week, Google faced a barrage of criticism from Microsoft for publicly disclosing a security bug in Windows 8.1. Microsoft claimed that it had asked Google to withhold details because it was planning to release an update to fix the bug. Today, Google has gone and done it again, by pointing out two bugs in the Windows operating system.
The first vulnerability pointed out by Google allows attackers to impersonate a user and decrypt data on machines running Windows 7 and Windows 8.1. The second vulnerability, which only affects machines on Windows 7, allows attackers to interfere with power functions.
Both disclosures come as a result of Google’s Project Zero, which scours the Internet to identify vulnerabilities in apps and communication services. If issues are found, Google gives companies a period of 90 days to address and fix them, after which a public announcement is made. The bug in the Windows operating system was apparently reported to Microsoft on 17th October 2014, meaning that it had passed the 90-day deadline.
However, it seems that this hasn’t gone down well with Microsoft at all. In an official blog post, Chris Betz, senior director of the Microsoft Security Response Center, said,
“We asked Google to work with us to protect customers…until we released a fix. Although following through keeps to Google’s announced timeline for disclosure, the decision feels less like principles and more like a ‘gotcha’, with customers the ones who may suffer as a result. What’s right for Google isn’t always right for customers. We urge Google to make protection of customers our collective primary goal.”
This isn’t the first instance of Google highlighting vulnerabilities in the Windows operating system; it identified another one last year on December 29th. However, such actions have sparked a widespread debate on consumer security and transparency.
Microsoft claims that Google is simply compromising user security by making vulnerabilities public before a fix has been found, while Google maintains that it allows companies enough time and that its aim is to provide transparency for users, who should be aware of the potential security problems that their devices face.