Google and Microsoft Patch Spat
Google has revealed two more previously unpublished flaws in Windows that could be used to attack affected systems. The announcement is the latest round in a controversy that has developed between the two technology giants and follows a similar announcement last week.
In each case, Google found the flaw and reported it to Microsoft privately, and Microsoft began work on a fix. Google's policy is strict: vulnerabilities it finds are published 90 days after they are reported to the vendor, whether or not a patch has shipped. When the 90-day window closed, Google published the details. In one case, Microsoft's patch was already complete and waiting for the company's regular "Patch Tuesday" release when Google revealed the flaw. In another, the patch was finished but incompatibilities found during testing required rework, so it had not yet been released.
Microsoft denounced Google's decision to publish the vulnerability details two days before the patch was due, stating that Google's action “… feels less like principles and more like a ‘gotcha’, with customers the ones who may suffer as a result.”
The debate centers on the difference between fully disclosing a vulnerability as soon as you find it (as some experts recommend) and working behind the scenes to fix the problem without calling it to the attention of potential attackers. Microsoft advocates a policy it calls Coordinated Vulnerability Disclosure, in which “the finder allows the vendor the opportunity to diagnose and offer fully tested updates, workarounds, or other corrective measures before any party discloses detailed vulnerability or exploit information to the public.”
Google settled on its 90-day rule as a compromise between immediate disclosure and simply leaving the schedule to the discretion of the vendor that has to write the patch. Microsoft argues that 90 days is an arbitrary number, and that an occasional 92-day exception would be in the public interest. On the other hand, Microsoft is also making arbitrary business choices: it does not really have to wait until Tuesday to release a patch, and for that matter, the time it takes to develop and test a patch is ultimately a function of how much engineering time and how many internal resources it assigns to the problem.
Clearly Google is not acting purely out of altruism. The two companies are fierce competitors in the search business. But perhaps more importantly, Google is in the operating system business now too, with Android tablets and Chromebook systems battling various Windows devices for market share.
The unspoken part of this standoff is the strange image of two giants rolling about wrestling to see who gets to be king. Microsoft always used to get things its way. A “partnership” with Microsoft was something one could not afford to decline, and the terms of that partnership were invariably dictated by Microsoft. Google’s actions reinforce what we already knew: those days are over.