US Internet giant Google has made public more Microsoft security bugs public.
The search giant has made public a bug found Microsoft’s operating system in Windows 7 and 8.1 after its deadline of 90 days passed.
Microsoft has heavily criticized Google and its 90-days security disclosure policy after the firm publicly revealed two zero-day vulnerabilities in Microsoft’s Windows 8.1 operating system one after one just days before Microsoft planned to issue a patch to kill the bugs. But, seemingly Google don’t give a damn thought.
Once again, Google has publicly disclosed a new serious vulnerability in Windows 7 and Windows 8.1 before Microsoft has been able to produce a patch, leaving users of both the operating systems exposed to hackers until next month, when the company plans to deliver a fix.
One of the problems affects both Windows 7 and Windows 8, while the other is regarded a less serious and only affects Windows 7. The Windows 7 security vulnerability is, as pointed by Ars Technica, not regarded as serious enough to warrant a fix from Microsoft, but it’s a different story for the second problem that has been exposed — a problem with the CryptProtectMemory function. This particular problem could lead to user data becoming exposed due to it not being properly encrypted.
There’s something of an irony in the fact that while Microsoft kicked up a stink after Google exposed one vulnerability two days before the patch was scheduled to be released, this second serious problem was also due to be fixed in the same Patch Tuesday update. Unfortunately for Microsoft, and possibly for users of Windows, a problem was discovered with the patch itself so it was pulled at the last minute.
On Sunday, before the latest disclosures, Microsoft published a statement criticizing Google for its actions:
Although following through keeps to Google’s announced timeline for disclosure, the decision feels less like principles and more like a “gotcha”, with customers the ones who may suffer as a result. What’s right for Google is not always right for customers. We urge Google to make protection of customers our collective primary goal.
To Microsoft’s point, if a company lets Google know it’s working on a fix but it isn’t ready — and Google publicizes it anyway — then potential attackers could prey on that security weakness.
It’s unclear how Microsoft feels about these latest developments, but the tech giant probably hasn’t completely come around on Project Zero in just a week’s time.