Secunia Director comments on Google’s advisory

Jan 7, 2015 12:45 GMT

A couple of weeks ago, a Google engineer posted online not only details of a Windows 8.1 vulnerability that would allow an attacker to gain administrator privileges on any system but also a Proof of Concept (PoC) to demonstrate the issue.

At the time, Microsoft confirmed that there was an unpatched flaw in its operating system and promised to provide a fix, but it turns out that the company is waiting for the upcoming Patch Tuesday to do so.

Speaking about Google’s decision to make this vulnerability public, Kasper Lindgaard, director of Research and Security, Secunia, said in a statement mailed to us this morning that the search company actually made a mistake because “there is no gain by releasing a vulnerability from a vendor that has agreed to issue a patch.”

The Google engineer who disclosed the flaw said in his post that Microsoft was contacted in September 2014 on this flaw, so after the three-month no-disclosure policy expired, he decided to make it public, even though no patch was available.

Microsoft needs more time to fix flaws

But according to Lindgaard, it can take more than three months to find the root cause of a critical security flaw and issue a fix that does not break computers and fully closes the hole rather than just the reported symptom.

“In general most vendors should be able to issue a patch within a three-month timeframe, and we agree that, in most cases, allowing six months is far too long and unnecessary. A quick estimate would be that at least 95 percent of vulnerabilities can be patched within three months if the vendor is security aware and has good security policies in place,” Lindgaard explained.

So what happened in Microsoft’s case, you could ask. Is Microsoft one of the companies that do not have the security know-how to address flaws in three months?

Definitely not. Microsoft does have the resources to fix security flaws really fast, but given the fact that Windows is installed on billions of computers out there, it takes more time to test the patch on various configurations and prevent compatibility issues than to actually develop the fix itself.

That’s why three months might not be enough for Microsoft, Lindgaard added, which really makes sense, given the number of systems running Windows right now.

“When it comes to larger software vendors such as Microsoft, three months may not be a reasonable timeframe to issue a proper patch. For example, if the vulnerability is inside the Windows kernel, it can be quite complex to patch as it may be a deeper lying functionality. Proper Q&A takes time and vendors want to be absolutely sure that the patch issued is indeed effective,” the security expert said.

Microsoft hasn’t provided any other details on the security issue, but this would most likely be addressed on Patch Tuesday, which this month takes place next week.