Jan 02, 2015

Did Google do the right thing by publicly publishing an unpatched vulnerability in Windows 8.1?

Google notified Microsoft that there was a vulnerability that allows users to have escalated privileges, then publicly published details of the flaw. In their defense, Google says that they gave Microsoft 90 days to patch the vulnerability, so MS had plenty of time to come up with a fix. On the other hand, they just revealed it to the world. Did Google make the right call on this or was this a mistake?

Sure, why not? It seems like they gave Microsoft plenty of time to fix it. So why hold it back from the public?
I think Google did this so that their Project Zero Initiative, which is an effort to identify software vulnerabilities and get them fixed, will have some teeth. They give 90 days' notice for software vendors to come up with a fix, and if nothing happens at the end of that 90 days, the time limit is meaningless. Plus, as Google has said, 90 days should be plenty of time to come up with a patch. Whether this is true for a large company like Microsoft, which like a large ship takes time to turn, is something of a question, but the Project Zero Initiative may serve to light a fire under them and get them moving.

It is interesting to note that while there are obviously security concerns about this vulnerability, this is not a very dangerous vulnerability. Attackers already have to have log-on credentials for the machine on which they gain elevated access. I suspect Google chose this vulnerability to expose because it is relatively low risk, but it still sends a clear message that they really will take steps on their own if their warnings are ignored.
