Microsoft claims Google's software bug disclosure does a "disservice" to users

Justin Kahn


Google and Microsoft are at odds over the search giant’s Project Zero, which prides itself on giving companies advance warning so that software issues can be fixed before details are released to the public. Google’s program is said to give companies exactly 90 days to take care of such vulnerabilities, and it recently published details of a problem in Windows 8.1 just days before Microsoft’s fix was due to go live.

While to some, Project Zero may seem like a simple reminder, or even helpful to the public, Microsoft doesn’t think so. The company claims to have told Google that it had a patch already scheduled to go with regards to the particular vulnerability in question and that customers may “suffer” as a result of Google’s disclosure.

Chris Betz, the senior director at Microsoft’s Security Response Center, said in a blog post that the company believes full disclosure of a vulnerability ahead of a fix becoming "broadly available" is doing a "disservice" to millions of users and the systems they use on a daily basis. This is the second time Google has published vulnerability details ahead of a Microsoft patch for Windows 8.1; Google was recently quoted as saying that its 90-day warning period is fair and that disclosure of this nature is “the optimal approach for user security.”


 
Google gets 5 minutes in the penalty box for crowding the foul line. Microsoft gets 10 minutes in the penalty box for failing to get its team on the field.
 
So maybe Microsoft should start fixing their stuff faster. I don't see any problem; 90 days is an eternity for security professionals.
 
90 days' notice gives Microsoft at least two "patch Tuesdays" to include a fix in Windows Update. And if they're unable to get a fix in time for the second opportunity, they could choose to issue an "out-of-band" Windows Update before the 90-day limit. I've seen a lot of out-of-band updates in recent months from Windows Update. So wouldn't the security vulnerability referenced in this article be important enough to have deserved an out-of-band Windows Update? It seems that Microsoft is doing as much of a disservice as Google is by letting a vulnerability that was reported to them remain unpatched for so long.
 
WOW .... talk about the pot calling the kettle black ... of course, in this case the pot and kettle are completely interchangeable with one raping my wallet while the other simply sells my soul to the devil. Decisions, decisions, decisions ......
 
You do realize it's not just a matter of "here, it's done". If the bug was there in the first place, it was for some reason, probably a piece of functionality that someone else found a way to take advantage of, so they not only have to address the issue, they have to do it without disabling the actually useful part, and all of that without breaking code somewhere else, since it's... the operating system and not just some software you install/uninstall. So yeah, I don't think those are the 24-hour fixes you can just put out there.
 
From the article:
"Chris Betz, the senior director at Microsoft’s Security Response Center, said in a blog post that the company believes full disclosure of a vulnerability ahead of a fix becoming "broadly available" is doing a "disservice" to millions of users and the systems they use on a daily basis."

If disclosing the vulnerability is doing a disservice to users I wonder what Mr. Betz calls knowing about the vulnerability and taking more than three months to fix it.
 
Most of the commenters here clearly don't know how complicated some fixes can be. Along with critical and time consuming QA testing, getting a patch ready can take a long time. It's good that Google "threatens" companies with revealing vulnerabilities, but there is no reason they can't be flexible and wait two days.
 
I had developed and introduced a piece of software called FAST RETURN for all versions of the OS back in 1991 to 1998; by 1998 Microsoft was interested in it. So I once met one of Microsoft's Vice Presidents for the East Coast in 1998.

The MS VP had told me I could make a million with my software, which allowed users who got a BSOD in Windows to recover quickly without doing a reboot! He said Microsoft was coming out with a better OS so that you wouldn't need to use my software. Boy, was he completely wrong on that statement.

But he had also told me what Microsoft's objective was: that all versions of the OS (Client & Server) are beta tested by the customers. Meaning all these software releases are pretty much as-is! Google is no better than Microsoft. They'll never fix the issues, just patch them. Google doesn't even patch it; they just release another version of their Android.

They both have technical problems (in other words bugs, glitches, etc.). All the online gaming suffers from this too. They don't put in the people hours to debug like I do. It can be done. But for some odd reason they don't seem to think it should be. To me it all boils down to profits. If you have a Client OS and Server OS running 100% with no technical problems whatsoever,

why would you change it for a Client OS and Server OS that's not 100%? How is Microsoft going to get more profits coming in unless they release a buggy OS? They patch it up a couple of times, then release a new Client OS and Server OS that you have to pay for! (Note this doesn't affect Windows Smart Phone, where the next version of the Cell OS is a free push by the cellular carriers.)
 
I didn't get your actual point. Read it twice, but didn't get the point of all that... are you asking a question, making a statement or just rambling?? O_o
 
Why would you change it for a Client OS and Server OS that's not 100%? How is Microsoft going to get more profits coming in unless they release a buggy OS? They patch it up a couple of times, then release a new Client OS and Server OS that you have to pay for! (Note this doesn't affect Windows Smart Phone, where the next version of the Cell OS is a free push by the cellular carriers.)
Please stop with the nonsense conspiracy about them purposely leaving bugs in the OS. The main selling point for a new OS is the addition of new features and capabilities. I don't upgrade to the newest version of Windows on my home PC for bug fixes. I do it because I want the new capabilities. Not to mention the fact that computer companies are going to ship with the latest version of Windows regardless. This applies even more so to Windows Server OS. I upgrade my servers for the new functionality of the latest server OS (also possibly for compatibility reasons, depending on your timeline), not because I hope it's going to fix a few bugs.
 
Please stop with the nonsense conspiracy about them purposely leaving bugs in the OS. The main selling point for a new OS is the addition of new features and capabilities. I don't upgrade to the newest version of Windows on my home PC for bug fixes. I do it because I want the new capabilities. Not to mention the fact that computer companies are going to ship with the latest version of Windows regardless. This applies even more so to Windows Server OS. I upgrade my servers for the new functionality of the latest server OS (also possibly for compatibility reasons, depending on your timeline), not because I hope it's going to fix a few bugs.
I've been a Windows programmer since 1991. I'm telling you from experience: the OS is always going to be as-is; the customer is the beta tester. That came from the MS VP back then. Google does the same with Android OS and Chrome OS. I have also programmed in Android OS since 2010. I change the ROM code to improve it on tablets. So I see what's going on there. All Microsoft had to do is not rush the OS out to the market. Bugs can be fixed; there is a debugging process, but it takes a lot of people to run through the code. It's not going to be 100%.
 
"Google does the same with Android OS and Chrome OS. I also program in Android OS since 2010."

Ah! But Google doesn't charge for its OS, and also its OS is open-source, so if you REALLY want to mess with it for personal use, you can download it, modify it, recompile it and then install it if you really want to.

Not so with M$. They are ONLY about making $$ and hooking users and businesses into their marketing monopoly.

The ONLY thing that I use Windows for is games, and that's only because the games I like to play (The Old Republic, DC Universe Online, Diablo III) are Windows-only games (though since the first two are free-to-play, why they don't open source the game client is beyond me!) and the performance hit I would get running them in either Wine (If you can get them to run!) or in a VM, is too high. That's slowly changing with Steam moving to Linux.

But I digress. I will NEVER run another version of Windows other than Windows 7 simply because Win 7 meets all my gaming needs and I use Linux for everything else. The version I use is "Kubuntu", Ubuntu with the K Desktop Environment (KDE). I have yet to be sorry for using Kubuntu. I've been nothing but sorry using Windows over the years and poorer for it to boot!
 