Google’s decision to disclose the security vulnerability in Windows 8.1 hasn’t been welcomed by Microsoft. Disagreeing with the approach Google chose, Microsoft issued a call for “better coordinated vulnerability disclosure”.
In an official blog post, Microsoft’s Chris Betz said, “Those in favor of full, public disclosure believe that this method pushes software vendors to fix vulnerabilities more quickly and makes customers develop and take actions to protect themselves. We disagree. Releasing information absent context or a stated path to further protections, unduly pressures an already complicated technical environment”.
Microsoft’s position is that the affected vendor should be given a period in which to fully assess the potential vulnerability, evaluate the issue against the threat landscape and ship a fix, before the issue is made public. According to Microsoft, following this process keeps attackers from exploiting a vulnerability during the window in which no patch exists.
Further emphasizing the point, Microsoft stated that only the vendor knows how demanding the process of fixing a vulnerability is: it is complex, extensive and time-consuming, and cannot always be completed within a fixed period. Pressing its case, Microsoft urged Google and other companies to work together on the deadlines given to vendors to produce patches, since ultimately the safety of customers is what matters.
Explaining its point, Betz added, “Let’s face it, no software is perfect. It is, after all, made by human beings. Microsoft has a responsibility to work in our customers’ best interest to address security concerns quickly, comprehensively, and in a manner that continues to enable the vast ecosystem that provides technology to positively impact peoples’ lives”.
In the meantime, the ongoing debate between Microsoft and Google highlights the importance of coordination and the time needed to evaluate and fix security vulnerabilities. It also highlights the tension between protecting users from an unpatched flaw and the potential benefit of pressuring a vendor to release its patch sooner.
Notably, the disclosure made by Google was part of its ‘Project Zero’ security initiative, under which it gives companies a period of 90 days to fix vulnerabilities before they are disclosed publicly. The flaw found in the Windows 8.1 logon mechanism was considered an easy way for attackers to escalate their privileges on a user’s computer, effectively taking over the machine.