Continuing a controversial policy, Google on Friday disclosed a major security vulnerability in a Microsoft product before it was fixed.
So how did we get here?
Almost five years ago, Google announced that it would turn its recommendation for fixing zero-day vulnerabilities into a policy: When the firm discovered a vulnerability, it would reveal it to the software’s maker and then give them 90 days to fix it. If the 90 days expired with no fix, tough: Google would then announce it to the world.
You can see why this is problematic: Once a vulnerability is public, hackers know where to probe and they can quickly release exploits that put users and their data in danger. But Google believes that informing users of vulnerabilities is safer, and that in doing so it will “improve both the state of web security and the coordination of vulnerability management.”
As a result, Google has run afoul of Microsoft several times for revealing security vulnerabilities before the software giant was ready with a fix. Microsoft’s Terry Myerson famously called out Google publicly in late 2016 after Google discovered a major vulnerability in Windows.
“Google’s decision to disclose these vulnerabilities before patches are broadly available and tested is disappointing, and puts customers at increased risk,” he wrote at the time. “We believe responsible technology industry participation puts the customer first, and requires coordinated vulnerability disclosure.”
Myerson is right, of course. But Google keeps doing it.
And they did it again this past week by divulging details about a security vulnerability in the Just-in-Time (JIT) compiler in Microsoft Edge, the web browser built into Windows 10. Google says it told Microsoft about the flaw in November, and then it waited 90 days to see what happened.
Microsoft, for its part, says that it originally intended to release the fix in January’s Patch Tuesday series of updates. But the fix was more complex than originally expected and they needed more time. So Google gave them 14 more days. Which just expired. So here we are. Again.
Microsoft now says that it will fix this vulnerability in the March Patch Tuesday updates. It’s unlikely that it will require an out-of-band patch, meaning one that comes outside the normal schedule, because the JIT flaw is rated as a “Medium” threat, not a Critical one.
Anyway, let’s all give Google a hand. It makes way more sense for users to know about a flaw they cannot fix or mitigate than it does to give a credible software vendor the time they need to actually fix the flaw. Right?