Following Microsoft’s Criticism, Google Divulges More Security Loopholes in Windows
Oh, Google! Why won’t you leave Microsoft alone?
Early this week, Microsoft publicly criticized Google for disclosing a flaw in Windows security that could enable hackers to gain access to various computer systems. Now Google has revealed another couple of flaws in Microsoft products – making it a total of four divulged flaws in the last couple of weeks.
Google is able to do this through an initiative dubbed Project Zero. The initiative identifies security loopholes in different projects and notifies the parent companies about them. The parent companies are given 90 days to make amends, and if they fail to do so, all security concerns are divulged online – ouch!
The first of the most recent disclosures, revealed on Thursday, relates to both Windows 7 and Windows 8.1. It allowed attackers to pose as any random user and decrypt/encrypt data on these operating systems. The second flaw allows attackers to see information regarding power settings.
According to Google, it notified Microsoft about both these issues on Oct. 17, 2014, so the 90-day period to make amends is over. Speaking of the former issue, a Google spokesperson stated that Microsoft had assured them a fix would roll out in the January 2015 update, which it didn’t:
Microsoft informed us that a fix was planned for the January patches but has to be pulled due to compatibility issues. Therefore the fix is now expected in the February patches.
As for the latter issue, both Google and Microsoft believe that it’s not much of a problem, and Microsoft may address it sometime in the future.
Speaking of previously divulged vulnerabilities, a Microsoft spokesperson criticized Google for its actions:
Although following through keeps to Google’s announced timeline for disclosure, the decision feels less like principles and more like a “gotcha”, with customers the ones who may suffer as a result. What’s right for Google is not always right for customers. We urge Google to make protection of customers our collective primary goal.
On a personal note, I believe that no one knows a system’s vulnerabilities better than a parent company. And it’s highly unethical on the part of Google to divulge something so sensitive to the public. Surely, Microsoft must be doing all it could to address issues such as these, but making common people (including attackers) know all about it doesn’t make any sense.