Google’s security researchers have published another pair of Windows security flaws that Microsoft hasn’t got a fix for, continuing the disagreement between the companies about when and how to disclose security bugs.
The first bug affects Windows 7 only and results in minor information disclosure. Microsoft says, and Google agrees, that this does not meet the threshold for a fix. Windows 8 and up don’t suffer the same issue.
The second bug is more significant. In certain situations, Windows doesn’t properly check the user identity when performing cryptographic operations, which results in certain shared data not being properly encrypted. Microsoft has developed a fix for this bug, and it was originally scheduled for release this past Tuesday. However, the company discovered a compatibility issue late in testing, and so the fix has been pushed to February.
Had the fix worked correctly, Microsoft would have released a patch prior to disclosure. But thanks to the compatibility issue, Google’s 90-day deadline was reached yesterday, prompting the advertising company to publish the bug.
Last time this happened, Microsoft wrote a blog post criticizing Google’s decision. This time around, the company’s response is more reserved. It issued a statement saying:
We are not aware of any cyberattacks using the two cases publicly disclosed. We’re working to address the first case, CryptProtectMemory bypass. Customers should keep in mind that to successfully exploit this, a would-be attacker would need to use another vulnerability first. We are not planning on addressing the second case, which may allow access to information about power settings, in a Security Bulletin.
But this statement does nothing to address the underlying disconnect between the two companies’ policies. It appears that Google is going to continue to publish flaws that haven’t yet been patched, and Microsoft’s users are going to continue to be left exposed as a result. While many regard Google’s behavior as somewhat objectionable—especially in the earlier case when a minor delay on Google’s part would have avoided the exposure window—the reality is that Google (or any other group that has discovered a flaw) is the company in the driving seat. It’s not Google’s users that are being put at risk; it’s Microsoft’s.