Google and Microsoft have different opinions on public disclosure policies
For the third time in a month, Google has gone ahead and disclosed all the gory details of a zero-day vulnerability affecting Windows before Microsoft could get around to releasing a patch. It affects both Windows 7 and Windows 8.1 and concerns the way applications encrypt memory so that data can be passed between processes running in the same logon session.
"The issue is the implementation in CNG.sys doesn't check the impersonation level of the token when capturing the logon session ID (using SeQueryAuthenticationIdToken) so a normal user can impersonate at Identification level and decrypt or encrypt data for that logon session," Google's Project Zero team explains. "This might be an issue if there's a service which is vulnerable to a named pipe planting attack or is storing encrypted data in a world readable shared memory section.
"This behavior of course might be [by] design, however not having been party to the design it's hard to tell. The documentation states that the user must impersonate the client, which I read to mean it should be able to act on behalf of the client rather than identify as the client."
Microsoft had originally planned to plug the security hole in January's Patch Tuesday rollout earlier this week, but the fix had to be postponed due to compatibility issues -- it's now scheduled to ship with February's Patch Tuesday rollout, PCWorld reports. In the meantime, Windows 7 and Windows 8.1 users are left vulnerable to what's now a publicly disclosed security flaw.
The issue of publicly disclosing software vulnerabilities has become a point of contention between Google and Microsoft. It's Google's policy to give vendors like Microsoft 90 days to fix any security issues its Project Zero team finds, and any that remain unpatched after that three-month window will be disclosed to the public, no exceptions.
As far as Microsoft is concerned, companies should be working together to ensure that security holes are addressed before they are made public, or at least show some flexibility. That wasn't the case when, earlier this month, Google disclosed a Windows 8.1 vulnerability that Microsoft was scheduled to fix on Patch Tuesday, two days after Google's 90-day deadline. Microsoft had asked Google to refrain from publishing the vulnerability, but its request was ignored.
"Although following through keeps to Google’s announced timeline for disclosure, the decision feels less like principles and more like a 'gotcha', with customers the ones who may suffer as a result. What’s right for Google is not always right for customers. We urge Google to make protection of customers our collective primary goal," Microsoft stated in a blog post.
Google's stance is that 90 days is plenty of time to plug up known security holes, and with three disclosures in a month's time, it doesn't look like the search giant has any intentions of budging on its policy.