Google Reveals Another Microsoft Vulnerability Before It's Fixed

Posted on February 19, 2018 by Paul Thurrott in Windows 10 with 96 Comments


Continuing a controversial policy, Google on Friday published the details of a security vulnerability in a Microsoft product before Microsoft had shipped a fix.

So how did we get here?

In 2014, Google's Project Zero team turned the company's earlier disclosure-deadline recommendation into a policy: when the team discovers a vulnerability, it reports it privately to the software's maker and gives them 90 days to fix it. If the 90 days expire with no fix, tough: Google then publishes the details to the world.

You can see why this is problematic: once a vulnerability is public, attackers know exactly where to probe, and they can often turn the published details into a working exploit well before most users have installed a patch. Google's counter-argument is that a bug is not new just because it is now public (whoever found it first may not have been Google), that a fixed deadline pressures vendors to ship fixes sooner, and that informing users is therefore the safer course; in its words, the policy will "improve both the state of web security and the coordination of vulnerability management."

As a result, Google has run afoul of Microsoft several times for revealing security vulnerabilities before the software giant was ready with a fix. Microsoft's Terry Myerson famously called out Google publicly in late 2016 after Google disclosed a Windows vulnerability that was already being exploited in the wild, which is why Google published after only seven days rather than the usual 90.

“Google’s decision to disclose these vulnerabilities before patches are broadly available and tested is disappointing, and puts customers at increased risk,” he wrote at the time. “We believe responsible technology industry participation puts the customer first, and requires coordinated vulnerability disclosure.”

Myerson is right, of course. But Google keeps doing it.

And they did it again this past week, publishing details of a vulnerability in the Just-in-Time (JIT) compiler used by Microsoft Edge, the web browser built into Windows 10. Specifically, the bug is a bypass of Arbitrary Code Guard (ACG), the mitigation that is supposed to stop Edge's content process from creating or modifying executable code, which Edge enforces by moving JIT compilation into a separate process. Google says it reported the flaw to Microsoft in November and then waited the standard 90 days to see what happened.

Microsoft, for its part, says that it originally intended to ship the fix in January's Patch Tuesday updates, but the fix turned out to be more complex than expected and it needed more time. So Google granted the 14-day grace period its policy allows when a vendor has a fix scheduled shortly after the deadline. That period has now expired too. So here we are. Again.

Microsoft now says that it will fix this vulnerability in the March Patch Tuesday updates. An out-of-band patch, meaning one released outside the normal monthly schedule, is unlikely, because the flaw is rated Medium severity rather than Critical: an ACG bypass is a mitigation bypass, not a standalone remote code execution bug, so an attacker would still need a separate memory-corruption vulnerability in Edge before this one does them any good.

Anyway, let’s all give Google a hand. It makes way more sense for users to know about a flaw they cannot fix or mitigate than it does to give a credible software vendor the time they need to actually fix the flaw. Right?




Comments (96)


  1. obarthelemy

    3 months is not enough to fix a vulnerability ? Maybe the problem is not Google but MS ?

    • ing222

      In reply to obarthelemy:

      I agree. A company the size of Microsoft and you're telling me they couldn't patch their own code in 3 months (plus 14 days) time?

      • Sprtfan

        In reply to ing222:

        I think there is this strange concept that everything can be fixed faster by just throwing more programmers at a problem. That really is not how it works. Even if that is true, that is not a valid excuse for putting people at greater risk for no reason.

    • Chris Payne

      In reply to obarthelemy:

      This is a horrible thought. You have no idea what else is going on at Microsoft. Maybe this is a very deep and insidious bug that requires a lot to fix. Maybe they're working on a bigger security issue. Maybe they were in the middle of Spectre/Meltdown. Who knows.

      Paul is right here that assigning an arbitrary time to fix a bug just because Google found it is really stupid. Google is trying to be a bully, ransoming security. Demanding MS's lunch money just because they are google. This policy benefits no one except maybe the person in charge of Google's hubris division.

      • obarthelemy

        In reply to unkinected:

        But assigning no deadline would be stupider. " Hey, we found this exploit, but take however long you want to fix it, we'll come back to you if we ever see it being actually exploited (we'll do the free monitoring for you, on top of the free security audit), then you can start working on it, and maybe keep the damage down to only a few million machines over however long it takes for you to patch it". That's the only way to not assign an arbitrary deadline.

        One could argue for a longer deadline, but frankly 3 months seems plenty for all but the most complex bugs. And it would still be "an arbitrary deadline"?

        • Chris Payne

          In reply to obarthelemy:

          I entirely disagree. Responsible disclosure includes working with the offending company to come up with a timeline for resolution. One that is informed by the company's priorities and the issue's severity. And frankly, for a large company like Microsoft, I trust them to fix issues more than most (including Google).

          Assigning a random deadline as an outside party that has no basis on anything is no better than demanding ransom as a kidnapper. Arguably worse, since as @lvthunder mentioned, it gives ammunition to hackers.

          What I'm getting at is proper communication is the answer. If google is trying to be responsible, they would work with MS, not shame them.

        • Marius Muntean

          In reply to obarthelemy:

          Ever since the Windows Insider program, MS got used to others being free guinea pigs who test and monitor their products. It's time MS puts some effort of their own!

        • jimchamplin

          In reply to obarthelemy:

          And you're completely certain it's not a complex issue. Thanks for the insider info, Dave Cutler.

      • lvthunder

        In reply to unkinected:

        Actually it benefits the hackers every time they do this. They get an unpatched exploit to use for free from Google.

    • lvthunder

      In reply to obarthelemy:

      Probably not when your security team is working on the Spectre and Meltdown mess.

  2. BlackForestHam

    Thankfully even Paul agrees that nobody uses Edge. So, in this specific case, moot point. But the point is not lost; yet, I like that a competitor is strong arming MSFT onto accountability. Microsoft will always be the company that released a compiler with bugs galore, deciding devs should be unwitting beta testers. Evil favors no one particular tech company.

  3. Chaoticwhizz

    This policy issue really makes both Google and Microsoft look bad. That Microsoft couldn't fix a security issue in their own browser in the 104 days that Google gave them doesn't seem super encouraging. This also comes off as hypocritical on Google's part since they can't or won't patch millions of Android phones just because they aren't running Android 8.1.

    However, the security-conscious see Google's side slightly more. If you find a security exploit, it's probably a safe bet that you are not the first to find it or the only one to know about it.

    • Winner

      In reply to Chaoticwhizz:

      Your comment implies you don't really understand how Android works and who is responsible for which patches.

      • jimchamplin

        In reply to Winner:

        The OS vendor should be the only source for OS updates. That Google allowed OEMs and carriers to insert themselves into the process was a fail stew of their own creation.

        So in the end, Google is responsible for not being able to patch those installations of Android.

        • Waethorn

          In reply to jimchamplin:

          For good or bad, Android's customization is what carriers and phone manufacturers wanted, which is why Windows Phone failed.

          Also, Google doesn't release compiled code - only source code via AOSP. So no, they are NOT responsible for what gets added, anymore than Linus Torvalds is responsible for what Red Hat includes in RHEL.

          • jimchamplin

            In reply to Waethorn:

            Reading comprehension is something to strive for.

            I said should be. The OS vendor should be the only source. Having these incompetent middlemen is why it’s such a nightmare.

      • Waethorn

        In reply to Winner:

        Your comment implies you do. Google releases patches for the Android Open Source Project. That's all. What an OEM loads on their phone isn't AOSP, but a heavily-customized, compiled version of Android that is built with support and feedback from carriers on how their networks work so that the radio firmware is compatible and if the carrier requires apps to be preloaded on branded phones.

    • Lateef Alabi-Oki

      In reply to Chaoticwhizz:

      The Pixel and Nexus phones (Google's Android phones) get monthly security updates. So, they definitely live by their own rules. Google has no control over hardware they don't make. If Samsung chooses not to update their hardware in a timely manner, there's not much Google can do about it.

      • skane2600

        In reply to mystilleef:

        They live by their own rules? So if they find a security problem and they don't fix it within 90 days, they announce it anyway? How would we know? Having monthly updates says nothing about whether a particular vulnerability has been detected or fixed.

    • obarthelemy

      In reply to Chaoticwhizz: "they can't or won't patch millions of Android phones just because they aren't running Android 8.1"

      That's untrue. Google releases security patches for older versions of Android too, as well as updates to anything and everything that can be updated independently of the OS.

  4. Bdsrev

    Google seems to be run by children; it's embarrassing at this point. Microsoft takes security very seriously, arguably more so than Google. Google doing this yet again is just ridiculous. There are literally hundreds of millions of Android devices that aren't getting security patches.

  5. hrlngrv

    MSFT has lobbyists. Why not push US Congress for laws and EU for regulations to require, say, 180 day waiting periods between reporting bugs and publicizing bugs?

    Alternatively, you could put your beliefs into practice and stop using Google Chrome and any & all Google services until Google changes its policy. That's called a boycott.

    Still, complaining is fun.

  6. tbsteph

    Google can be evil. Any questions?

  7. wright_is

    ... ... ... That's a one-handed clap for Google.

    Given the problems with Meltdown and Spectre in January, plus the alleged complexity of the problem, I don't see why Google didn't ask Microsoft how long they needed, and if they didn't reach Microsoft's anointed fix date, then I wouldn't have a problem with them releasing (limited) information.

    If Microsoft had contacted them and said that it was more complex than originally thought and they needed a reasonable amount of extra time to fix it, I don't see the problem with that. If, on the other hand, MS were to push it forward a month every month for 6 months, for example, I can understand Google being irritated.

    Given that Google don't have access to the source code of Edge, I don't see how they can judge that the problem can be fixed in the time they defined...

    After all, the Meltdown/Spectre bug was held back (by Google among others) for what? 6 months?

  8. nbplopes

    The problem I have with Google's approach is that there is no way to ascertain if they hold themselves to the same standard as they seem to impose on others.

    A company with a vested interest in the same market policing competitors when it comes to security raises questions of transparency.

    I am not arguing that the policy is not a good one. Just saying that it should be much more transparent, starting by not being Google alone enforcing the policy, as seems to be the case.

    So I would say, if the security concern of Google is pure, and it’s not just about showing how bad others are, maybe they should be open to the idea of a security consortium dealing with these matters. The same for MS and other companies with shared security concerns and goals.

  9. dcdevito

    I personally think Google does this for PR. I can see this being justified IF (and I mean a huge "IF") they had any Windows based applications. But they don't, so to me this is just David poking Goliath.

    But Google does take security vulnerabilities for Chrome OS quite seriously, and if Chrome OS was the ONLY system Google was maintaining, then I can see Google using this as a PR stunt to remind the world how much faster and easier Chromebooks get updated.

    But then there's Android. Sure Pixels are updated in a reasonable time frame, but how do we know? Is Google regularly acknowledging known Android bugs and turning fixes around? [Insert Shruggie].

    • BravoCharlie

      In reply to dcdevito:

      All good points. Maybe maintaining a name and shame list of the slow-to-update Android devices (and a list of unpatched vulnerabilities) would better serve the Internet community.

  10. Todd Logsdon

    I bet they wouldn't have a problem if they followed Google's lead and ONLY supported the most current flavor of the OS, and then on top of that pushed off responsibility and left it as the hardware manufacturers' problem to deal with getting anything updated on the customer's devices.

  11. burog25c

    I'm with the policy as long as Microsoft and other vendors do the same to Android. Oh wait, that wasn't what Google intended? Too bad.

    • markbyrn

      If an Android vulnerability is exposed, Google may readily fix it, but the vast majority won't see the fix in a timely manner, if at all, due to OS fragmentation.

  12. AnOldAmigaUser

    I do not disagree with Google in thinking that there needs to be some time limit, if only to light a fire under people; but if the firm is notified, and is working in good faith to resolve the issue, I think they should hold off on publicly releasing the vulnerability. It is elitist in the extreme for them to think that average users have any understanding of this stuff. They are unaware of how technology works to begin with. If there is no known exploit in the wild, what purpose is served by releasing it, other than notifying the bad guys?

    This "holier than thou" crap from Google is just one more reason I do not want to do business with them when I can avoid it.

  13. chrisrut

    Yeah, I'll give Google a hand - it only takes one finger, BTW...

  14. Lateef Alabi-Oki

    If a "credible software vendor" can't figure out how to fix a security vulnerability in 3 months, then I not only question their credibility, I question their competence.

    Google is right to embarrass and shame Microsoft. Fix your shitty code instead of whining and complaining. Just because they're Microsoft doesn't mean they get VIP treatment.

    • hytran77

      In reply to mystilleef:

      The Heartbleed bug in OpenSSL took two years to be fixed after it was discovered. Thank goodness that vulnerability wasn't exposed after an arbitrary and baseless 3 months, because two-thirds of the Internet could've been exploited. This isn't about brand tribalism for the sake of embarrassment and shame, but for the security of users.

      • Tony Barrett

        In reply to hytran77:

        OpenSSL doesn't have the might, money and power of Microsoft behind it. Microsoft make billions out of those 'users' you talk about. They spend billions on R&D. They have some of the best and most talented minds on the planet. They've had a global monopoly on desktop software for decades. They have a lock-tight grip on the Windows source code. What happens? They moan and whine that 'it's more complicated than we thought'. Sorry, no dice, no tears and no sympathy. If MS valued the security of their users with such high regard, they wouldn't ship half-baked, beta-quality, bug-riddled software with gaping security holes in it, but that's how they treat Windows (and thus their users) these days. Windows 'as a service' no longer means they have to put the effort in they used to. All they want now are people to pay monthly subscriptions for everything, and sod the security.

    • TheOneX

      In reply to mystilleef:

      It has nothing to do with credibility or competence, only the complexity of the vulnerability at hand. The more complex it is the longer it is going to take to fix and test. The more lines of code that need to be changed the longer it is going to take to fix and test. Programming isn't something where just throwing more people at the issue is going to fix it any faster.

  15. Winner

    But of course that means Microsoft can't respond within 90 days to fix vulnerabilities. Perhaps they should work on their agility?

    • skane2600

      In reply to Winner:

      What a wonderful software world it would be if any bug in a complex software product could be fixed within 90 days without introducing any new bugs or compromising the original software requirements. In recent years how often have we seen rolling bug fixes by all companies because they rush to fix their problems without adequate thought or testing?

  16. Skolvikings

    I see this from both sides...

    On the one hand, sometimes these fixes take more than 90 days to analyze, determine what's wrong and how to fix it, then to properly develop and test the fix.

    On the other hand, some companies will never take any action, thus the need to force their hand and do the public disclosure.

    I'm not sure how to reconcile the two. Perhaps Google should wait 120 days instead of 90? Or perhaps if the vulnerability involves a "trusted" company's software (e.g. Microsoft) and there are open lines of communication, Google would extend public disclosure more than 14 days?

  17. Marius Muntean

    It's not Google's fault MS is full of idiots not willing to fix a problem in 104 days! They would have fixed it if that bald moron hadn't fired so many engineers...Pathetic!

  18. RonH

    Why does Google get to decide how long MS or any other company needs to fix bugs?

    Google is trying to control too much. They decide which sites to promote, that all sites need to be https ( not a bad thing), which ads get blocked (now that one is a stretch)

    Companies need to work together for all customers, and not harm us by trying to harm their competition.

  19. ndwilder

    Easy: quit tying aspects of the browser and other MS programs directly into the subsystem of the OS allowing all of these vulnerabilities in the first place. Focus on making the OS more secure/stable, instead of working to include features no one asked for. We still don't have a Blue Screen Viewer built in, or a reliable method for the OS to tell us why it shit the bed, and still generating BSODs like: "page fault in non paged area" with zero clue or explanation as to why. MS is a GIANT company...if it wants to fix issues like these in 90 days, it can. Similar to how often they are changing the basecode of the OS now.

  20. TheOneX

    This 90 days policy has one goal, and that is to put a bad light on other companies. The thing is you only hear about the vulnerabilities that don't get fixed in that time, you don't hear about the hundreds that do get fixed in that time. Coming from a programming perspective odds are if Microsoft can't get it fixed in 90 days it isn't because Microsoft didn't put in the necessary resources. It is because not everything is that simple.

    90 days is a very short time period to fix any bug of significance while also making sure it is well tested. When it comes to security you want to make sure it is well tested. If you don't you might create a new even bigger vulnerability. Who knows maybe the reason they were not able to get it fixed in time was because they were trying to fix an even bigger security vulnerability introduced by Intel.

    Anyways, everyone who thinks what Google is doing is a good thing does not have the right knowledge or perspective to really be forming an opinion on the matter. Fixing a security vulnerability is not always as simple as just changing a few lines of code. Sure it could be that simple, but if it was we would never have heard about it. It would just silently install in the background, and you the user would have no idea what vulnerability it was fixing. The vulnerability could instead require a whole re-write of that module of code. In which case 90 days probably is not enough time to get it fixed, and tested.

  21. mikeghou

    I doubt I'm the first to say so, but no big deal since no one uses Edge anyway.

  22. randallcorn

    Steve Gibson says TNO "Trust No One"

    I have always said all companies have issues. It is what they do when they have the issues that is good or bad. Now everyone, form your own opinion of what I have just said.

  23. ben55124

    Does MS check for Chrome/Android vulnerabilities? They should escalate that effort to the point of mutually assured destruction. Google will learn that they too live in a glass house, though they don't have to worry about physically bumping into walls like Apple.

    • JudaZuk

      In reply to ben55124: I do agree, but this will never happen with Satya Nadella at the helm... he has zero passion and fighting spirit and will just continue to let Apple, Google or whoever wants to lie, talk smack, and walk all over Microsoft with no response, no fighting back, no harsh words or anything.

      Satya in my opinion seems to only care about short-term goals that please the stock market and day traders, and to go on book tours instead of standing up for the company he is supposed to be the leader of.

      I miss Ballmer; at least he had passion and cared about Microsoft as a company.

  24. SmithPM

    A question. Has this also happened to Apple (they were told about a bug by Google and couldn't fix it in time)? I suspect also that Microsoft is more prone to such bugs, as they, being a software company that likes to sell new software, seem to prefer to write new applications whenever they release a new version of Windows (as a trivial example, the bundled e-mail client, but there are many others).

  25. jimchamplin

    Go home, Google.

    You can’t even get fixes to your own Android users.

  26. IanYates82

    This serves no one.

    Like others have said, the deadline forces action. But 90 days at this time of year also includes Christmas and new year holidays, so effective working time and available patch Tuesdays is less than if we started the clock in April (for example)

  27. gvan

    Google is the least trustworthy in tech right now. I work hard to limit my dependence on Google for that reason.

  28. mrdrwest

    Final word sarcasm: Priceless...

  29. AnthonyE1778

    I am about 90% sure this is a PR move for Google. Locked in a battle for dominance, it seems that Google cannot wait to expose vulnerabilities that happen to be exploitable in their rival's software. Google also has this dominance syndrome, in that it thinks it is the internet security police and then decides to wield a power and authority that it gave itself in trying to threaten and boss around other companies. Again, for PR... so Google can look like the all-seeing, benevolent company that looks out for its consumers' safety while stepping all over MS and their attempts to fix a very complex problem.

    • BravoCharlie

      In reply to AnthonyE1778:

      I agree. I would be interested to know whether they have taken this hard-line approach with any vulnerability which didn't impact a competing product. Disclosing vulnerabilities in your competitors' products, especially a browser, is a serious conflict of interest. If Google is genuinely trying to improve security for the internet community, rather than serving its own agenda, then they should ask an independent third party (like NIST) for permission to disclose.

  30. Vic116

    Hardly anyone uses Microsoft Edge so this is no big threat. Just use Chrome until it's fixed. It's not like there is no workaround.

    • Angusmatheson

      In reply to Vic116:

      Unless you are using Windows S, in which case you have to use Edge.

      • Marius Muntean

        In reply to Angusmatheson:

        If anyone is using S willingly, then it must have a serious problem.

      • Nicholas Kathrein

        In reply to Angusmatheson:

        So now we are worried about Paul and the other 6 people using Windows S?

        • NazmusLabs

          In reply to Nicholas_Kathrein:

          Nope. It affects everyone. Think for a second: what component do you think Windows, the OS itself, uses to handle HTML, JavaScript, and CSS natively and in its applications? MS IE & MS Edge, correct. What do you think powers things like when you sign in to an app like Office or Spotify and, with the latter, you have the option to sign in with Facebook, which pops open the Facebook log-in screen in the app window itself? What APIs do you think the apps and the OS call? Guessed it again... MS Edge/MS IE. EdgeHTML and MSHTML are integral parts of Windows like the WebKit engine is in iOS. It affects EVERYONE even if you never open Edge.

    • NazmusLabs

      In reply to Vic116:

      Incorrect: much of MS Edge's components are built on Internet Explorer, both of which are an integral part of the entire OS. Any time the OS needs to handle JavaScript or render HTML pages in applications (i.e. logging in to an app like Office that displays a sign-in screen), it is handled by the engine that makes up MS Edge.

      This security flaw is an OS flaw. This is why Edge isn't updated through the Windows Store. It cannot be, the way it's built. Whenever you read Windows Update patch notes, you always see something like "Fixes security vulnerability in Microsoft Edge AND Internet Explorer that allows malicious..."

      Look, please stop the cynicism and understand that MS Edge is not only a browser; it's the OS's native web rendering platform, including the JavaScript engine that has since gone open source.

      • Vic116

        In reply to NazmusLabs:

        What you say may be true, but if I use Chrome to browse the web then Chrome handles JavaScript and renders HTML. Office may be vulnerable but not everybody has it or uses it. Also this vulnerability only applies to Windows 10 and perhaps Windows 8 users. MS Edge is only a browser; it can be replaced with another browser, although some of its components are used in other places.

        • NazmusLabs

          In reply to Vic116:

          Right, what you say about using other browsers is absolutely true. As for Office, it was just an example I gave of an app that uses Windows' native web APIs. Even if they don't have Office, they are very likely still using another app or game that calls the OS's native web APIs, which are powered by Edge and IE.

          Friends, my point was that even if we don't use the browser, we should keep up with security patches for the OS's native browser because it can also affect the security of the OS and apps that use them. Similarly, if we're running Android, we should keep Blink patched because most Android apps use Blink to show HTML content.

          Fun fact for those who are curious.

          Not too long ago, even Steam used MS IE's engine to display its store page (i.e. it used the OS's native web view tech). But only recently they started using a custom web engine taken from Chrome's Blink engine, which is probably because they have SteamOS and needed to build the native browsing into Steam itself.

    • jimchamplin

      In reply to Vic116:

      You’re 100% sure Chrome doesn’t have a similar issue? That’s the whole problem here. How does anyone know that Google is holding themselves to the same standards? They might have found the same vulnerability and simply “failed to mention it” to make a competitor look bad.

  31. Tony Barrett

    I think Google are doing MS a favour. MS couldn't write a secure operating system if Sat's nads depended on it. MS are only interested in adding new features to entice more people to the platform, not fixing bugs or security issues. Google informed MS, and would have given them 3 months to issue a patch. That's 3 Patch Tuesdays. MS do nothing, Google release the information. Sorry MS, you're a big, grown-up, rich and powerful company who can surely fix a problem and release a patch in three months with all the resources at your disposal, or are your coders too busy on the latest Paint 3D feature, or wrestling with the half-baked People app? If the security of the end user of your software was your top priority, then you'd be doubling down on fixing security holes big enough to drive a truck through.

  32. Sprtfan

    The question is not if Microsoft should have patched the system in 90 days or not. The question is who does this hurt? Ultimately, this doesn't really hurt Microsoft much but could hurt customers and some of the customers are probably Google customers too.

    Also, not all problems are one size fits all. We have no idea how hard some problems are to fix and how much effort was put into trying to fix it and what might have been discovered to be a major flaw before releasing. Putting the same arbitrary time frame to fix every problem is silly. If Google was really concerned about keeping everyone safe, all they would have to do is ask for proof that the problem was being worked on, when is going to be released, and why was it delayed? This tactic has always seemed more like marketing than security.

    • Marius Muntean

      In reply to Sprtfan:

      What customers?? Who on earth is using that JUNK Edge?? You've got the wrong website. Windows Central is in another place.

      • Sprtfan

        In reply to Marius_Muntean:

        With that logic I guess they should never bother to patch it at all then? I was also addressing the bigger issue at hand of how Google handles these situations and how it is not beneficial to end users. This is the type of uninformed response I'd expect from some fanboy over on Android Central, not here.

  33. Waethorn

    Remember: it was Microsoft that laid off their internal QA testing in favour of the Insider Program, and it was Microsoft that laid off much of their security division and integrated the rest into their existing code writing team.

  34. Waethorn

    If Microsoft can't fix a security problem in 104 days, users should be aware of that.

    • Sprtfan

      In reply to Waethorn:

      You can just as easily say that if a security problem can't be fixed in 104 days then the hackers should be made aware of it? Releasing this information did nothing to benefit anyone other than someone trying to find an exploit to take advantage of. Microsoft has a fix and they are still going to release it at the same time that they were going to before.

      • Waethorn

        In reply to Sprtfan:

        You don't understand security. If someone at Google can find the flaw 90 days before it goes public, so can someone else - maybe even before Google finds it. Google waits for a patch. Hackers don't. Best to inform users so they can mitigate their own systems when a software vendor can't.

        • skane2600

          In reply to Waethorn:

          Generally the only ones who benefit from the reveal are Google and anyone who wants to exploit the vulnerability. Average users usually can't mitigate the potential damage. While it's theoretically possible that someone other than Google can find a particular flaw, there's no guarantee that someone would.

        • Sprtfan

          In reply to Waethorn:

          Not sure if you know how Project Zero works. If there is an active exploit, Google will not even wait 90 days and will release the information. They released info about a bug in Windows after only giving Microsoft 10 days to fix it because there was an active exploit. I guess you think they should have released info on Spectre and Meltdown as soon as they found it because some hacker might have found it too?

          Also, depending on the bug, it does little good to give users a heads up if there is nothing they can do to stop it, and that is assuming that the end users even get the info. Most Windows users are not keeping up on this type of information and would have no idea how to mitigate their own system even if they did.

  35. MacLiam

    I'm not sure my perception is completely justified, but to my mind Microsoft is a slow-fix company. Yes, they have shown they can do fast turnarounds when absolutely necessary, and any new feature or product that was not previously announced looks like a fast-action outcome to the consumers. But overall...

    At least a few hundred of the several thousand people fired by Microsoft in the last 2-3 years (I'm talking about the techies, not the marketing staff) might better have been pushed into OS maintenance. Maybe the company needs a Special Forces security division with a retired General or Admiral to run it.

    I'm kind of with Google on this. If there were less "Hustle as a Service" happy talk in Redmond and more actual exploit crushing, the world would be a better place. The way to avoid being irritated by Google is not to leave them an opening.

    I'm hardly a fan of Google and often don't like their attitude even when they are doing something I mostly approve of. Another way for the world to be a better place is for Google to bust their best picks trying and routinely failing to find holes in Microsoft's code. Microsoft, that longed-for state of affairs is in your hands.

  36. jrickel96

    Are they even consistent with this? How long did they sit on the Intel flaw? Did they not reveal that flaw because of their own reliance on Intel on Chromebooks? Will they do the same thing with flaws discovered in Chrome or Android, etc., if they cannot patch quickly enough, or do they just have this policy for competitors?

    I understand releasing the info if the company you notified is sitting on their hands, but if they are working on a fix and need more time, there's no reason to just say - 90 days, time's up!

  37. MattHewitt

    I agree it's somewhat reckless on Google's part, but how long should they give Microsoft? If Microsoft can't hit a 90-104 day deadline, then maybe they need to review their processes and put a higher priority on these things. I mean they know that every time Google finds a vulnerability, they are only going to give them 90 days, so it should be all hands on deck until the vulnerability is patched.

    Maybe you can blame Google the first time this happens, but now that it's happened multiple times, I feel like it's up to Microsoft to get with the program and find a way to patch these things within the allotted time.

    • jimchamplin

      In reply to MattHewitt:

      It’s so easy for El Goog to throw proverbial stones because they don’t even try to make sure Android users get security fixes.

      When they’re pushing needed fixes to all 35 hojillion Android devices the way Windows updates go to all applicable installations, then they can puff up and crow all they want.

      But since Android is an unfolding tragedy of an ecosystem, they need to just sit down and shut up.

    • chrisrut

      In reply to MattHewitt:

      You've evidently never worked in R&D - in the real world things take as long as they take. But two wrongs don't make a right. NO users benefit from Google's action. Zero. None.

    • CrownSeven

      In reply to MattHewitt:

      And what exactly is the point of Google announcing to the world of these vulnerabilities before they are fixed? It's not just somewhat reckless, it is 100% reckless and let's be honest here, Google is doing this for a single reason - to make Microsoft look bad. They are slowly turning from being the company of 'do no evil' to the opposite. Just look at their latest squabble with Amazon and YouTube.

      • MattHewitt

        In reply to CrownSeven:

        I think the point is to give them some type of deadline to hit so they can prioritize it appropriately. If no deadline was given, Microsoft may just back-burner it indefinitely.

         I guess a better question is how long should Google give them? Infinity days isn't an appropriate answer. If 90 days isn't enough time, maybe 180 days is more appropriate. I still feel like Microsoft should be able to hit some type of deadline and not just be able to arbitrarily ask for an extension because they can't hit a date.

        • SvenJ

          In reply to MattHewitt:

          And just how long does it take to fix a vulnerability? 30, 60, 90... 180? Maybe a rewrite of the entire OS or a fundamental architecture change? Google is a software company, just like MS. Putting an arbitrary time limit on this is arrogant as hell, and purely self-serving. All hands on deck is a nice idea, but just as 9 women can't make a baby in a month, more coders isn't always effective.

    • lvthunder

      In reply to MattHewitt:

      Just remember this isn't the only thing going on the last 90 days. The whole Spectre and Meltdown happened as well. I'm guessing that's where most of the "all hands" were directed.

  38. pfrandsen

    The problem with just giving extra time to fix is that this will end up as the default rather than the exception. Over time it will take longer and longer to get security bugs fixed. The short term issues with information being released will be worth it in the long run (by "forcing" vendors to provide security fixes faster - and 90 days seems like a long time when you are not talking Meltdown/Spectre kind of issues).

    • skane2600

      In reply to pfrandsen:

      You're working on the false assumption that the only thing that motivates companies to fix flaws is having them made public. While companies may prioritize fixes, in my multi-decade experience as a software developer I've never worked for a company that wasn't interested in fixing flaws.

    • lvthunder

      In reply to pfrandsen:

      Well Meltdown and Spectre happened in the middle of this 90 day window. I guess you would rather see untested and rushed patches than a patch that is clearly thought out and tested to make sure it works correctly just to beat Google's 90 day policy.

    • jrickel96

      In reply to pfrandsen:

      Do they hold themselves to the same standard? That's my question. If Chrome has a flaw and they discover it, do they disclose it after 90 days if they have failed to come up with a patch? Could be wrong, but I believe MS called them out on this when they discovered a flaw and couldn't fix it in 90 days. So Google had known about the flaw for more than 90 days and did not report it - so MS shared it with the world.

      If this is your policy, you have to be sure you enforce it on yourself too.

  39. Kadren

    I like it how this disclosure about Edge is being treated like it's something serious. Microsoft, will you ever change?

    And Google is a-holish for doing that nevertheless.