Microsoft on Sunday decided to criticise Google's decision to publicly disclose a vulnerability in Windows 8.1
two days before the company planned to issue the fix.
On Sunday, Microsoft's Senior Director of the Microsoft Security Response Center, Chris Betz, published an official blog post, "a call for better coordinated vulnerability disclosure", taking on Google's irresponsible action of disclosing a 90-day-old bug before the company not only planned a fix for the problem on January 13, but also asked Google not to go public until that day. But for Google, the disclosure was made as a part of its Project Zero security initiative that stipulates a 90-day deadline for the fix before the public disclosure of the bug.
"Specifically, we asked Google to work with us to protect customers by withholding details until Tuesday, January 13, when we will be releasing a fix. Although following through keeps to Google's announced timeline for disclosure, the decision feels less like principles and more like a 'gotcha', with customers the ones who may suffer as a result. What's right for Google is not always right for customers. We urge Google to make protection of customers our collective primary goal," wrote Betz on MSRC blog post.
Notably, this is not the first time that Google disclosed any such vulnerability of Microsoft's Windows 8.1. On December 31, a Google's Project Zero researcher Ben Hawkes defended an earlier vulnerability thread that went live automatically after 90-day deadline expired on December 29 from September 30, when the issue was first reported to Microsoft.
"Firstly, just to make this absolutely clear, the ahcache.sys/NtApphelpCacheControl issue was reported to Microsoft on September 30. You can see this in the "Reported" label on the left hand panel of this bug. This initial report also included the 90-day disclosure deadline statement that you can see above, which in this instance has passed," commented
Hawkes on the thread.