But it did, so our customers now may suffer, it says

Jan 12, 2015 09:45 GMT

A Google engineer recently decided to disclose a vulnerability in Windows 8.1, publishing not only the details of this security flaw but also a Proof of Concept (PoC) 90 days after the issue had been reported to Microsoft itself.

The Google engineer said that the disclosure was made as part of the 90-day disclosure policy, so Microsoft had no less than 3 months to develop a fix.

But as far as the Redmond-based software giant is concerned, Google did not play fair, because security engineers at both companies had discussed the issue and knew that a fix was on its way.

In a post published today, Chris Betz, senior director, MSRC, Trustworthy Computing, reveals that Microsoft actually contacted Google to ask it not to disclose the security glitch, as a security patch was planned for January 13, when the first Patch Tuesday rollout of 2015 takes place.

“Google should also try to keep users protected”

Betz explains that the common purpose of both Google and Microsoft should be keeping customers protected all the time and it’s pretty clear that the disclosure does not comply with this idea.

“Google - has released information about a vulnerability in a Microsoft product, two days before our planned fix on our well known and coordinated Patch Tuesday cadence, despite our request that they avoid doing so,” Betz explained.

In the end, the Microsoft Director asked Google to “make the protection of customers the collective primary goal,” suggesting that, although disclosure policies are usually limited to 90 days, it’s much more important for customers to remain protected all the time, especially when it all comes down to critical security fixes such as this one.

“Specifically, we asked Google to work with us to protect customers by withholding details until Tuesday, January 13, when we will be releasing a fix. Although following through keeps to Google’s announced timeline for disclosure, the decision feels less like principles and more like a ‘gotcha,’ with customers the ones who may suffer as a result. What’s right for Google is not always right for customers,” Betz added.

The Windows 8.1 security vulnerability found by Google will be patched tomorrow, when Microsoft is also expected to release fixes for other bugs in its software, so make sure that you deploy all updates as soon as they become available.