Senior Director of the Microsoft Security Response Center, Chris Betz, said in a blog post that Google knew Microsoft had a fix in the pipeline and was due to be released on "Patch Tuesday", however, Google went ahead with the disclosure just two days out, despite being asked not to do so.
In a post published on Google's security research site earlier, a researcher disclosed the vulnerability and how to execute the flaw. The vulnerability allows for an elevation of privilege in Windows 8.1, an example application was also included that could launch calc.exe using the method.
Betz argued that responding to "security vulnerabilities can be a complex, extensive and time-consuming process" and that Google should be more flexible and be willing to coordinate with other companies in the interest of the millions of people who depend upon on the software.
The Google researcher earlier defended the disclosure, saying they waited 90 days before letting the world know how to exploit it, following their company's public disclosure philosophy, which is meant to pressure companies into fixing vulnerabilities more quickly.
Betz argued that privately disclosed vulnerabilities are more likely to be fixed and less likely to be exploited by "cybercriminals" than ones that are publicly disclosed.
Google is unlikely to change it long-held philosophy though.
Posted:
Related Forum: PC General Forum
Source: http://www.neowin.net/news/microsoft-slams-google-for-publishing-a-security-vulnerability-in-windows-81
"Microsoft slams Google for publishing vulnerability in Windows 8" :: Login/Create an Account :: 26 comments