Windows vulnerabilities and security concerns are nothing new, but the latest 8.1 User Profile Service exploit discovered could spark a serious corporate war. Google and Microsoft find themselves at odds again, this time disagreeing on bug disclosure timing.
A contributor for the Google Security Research program going by the nickname of Forshaw brought the glitch to Redmond’s attention on October 13 2014, filing it under medium for severity. As per Big G’s protocol, MS was given a 90-day deadline to issue a satisfactory fix before the confidential bug report would automatically go live for the whole world to see.
In response, Microsoft confirmed it was aware of the problem, and initially estimated a universally working patch would be ready for primetime by February 2015. When informed there was no bending of the rules, and no possible way to extend the three-month due date, the Windows 8.1 repairmen promised a fix for January.
But Google wasn’t willing to wait a minute past the 90 days, and less than 24 hours ago, the issue’s description and details were posted. It didn’t take long for the search giant’s arch-nemesis to snap at the reveal, which they described as a “gotcha” moment rather than a matter of principle.
Microsoft Security Response Center, Chris Betz, claims January 13, i.e. tomorrow, would have seen the vulnerability put to rest, regardless of whether Google released the sensitive information.
And there’s no reason to suspect that’s not true, since January 13 is the month’s second Tuesday, also known as Patch Tuesday for its traditional bug-treating qualities. It’s hard to argue with Microsoft when accusing Google of putting its enterprise interests ahead of those of the customers, given the same mysterious “Forshaw” dug up and ultimately published a separate Windows 8.1 exploit on December 29.
As for the specifics of the two bugs, they’re a little too technical and complicated to explain in a nutshell, so let’s just forget they even existed. As long as they’re both squashed by Wednesday, that is. If not, we may need to side with Google on this.