Google discloses *another* Microsoft Windows vulnerability before a patch is ready

Graham Cluley

Earlier this month, Google controversially published proof-of-concept code, providing malicious hackers with a blueprint through which they could exploit Microsoft Windows 8.1 through a zero-day vulnerability.

This week, Google did it again.

The latest disclosure by Google is a new privilege escalation bug in Microsoft Windows 8.1 (reportedly also affecting the 64-bit edition of Windows 7 Professional SP 1).

New vulnerability report


As with the previous controversial disclosure, Google gave Microsoft 90 days to fix the flaw. Microsoft requested that Google wait until a security patch was available, and Google said tough luck and published code that could assist malicious hackers.

Not terribly friendly

Both flaws were patched by Microsoft on Tuesday, but understandably the company isn’t happy about Google’s releasing details of security holes when patches were not only in the works, but about to be imminently released.

Releasing details of security holes to the public before a patch is available only helps a tiny nerdy proportion of the internet community. It doesn’t help the vast majority of computer users at all – in fact, it potentially puts them in danger.

If Google is frustrated that Microsoft is taking too long to release a patch, it should take its concerns to the media and demonstrate the flaw to them – *not* release code which anyone could exploit.

Just imagine if Microsoft researchers gave Google 90 days to fix a WebView vulnerability in Android 4.3, and then released proof-of-concept exploit code.

I wonder how Google would feel then?


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.

10 comments on “Google discloses *another* Microsoft Windows vulnerability before a patch is ready”

  1. David

    Although I think Microsoft drags their feet, meaning they could step up their game and release patches as they come out, instead of trying to stick to the stupid schedule, Google could be a little more generous.

    MS had three months to patch these issues, and should have beaten that deadline by two months. It is MS who is leaving their customers vulnerable, not Google. Perhaps MS could offer bounties to buy some goodwill. But let's not forget, they are competitors, not friends. And MS is going to have to be a little better at fixing things in the first place, because they are accessories to some of the large breaches of late. If MS was more secure coming out of the box, perhaps there would be nothing for Google to find in the first place!

    1. Coyote · in reply to David

      Fact for those with enough experience: There is no such thing as 100% security. So no, it isn't about out of the box status. That is irrelevant. Now bias? That is not irrelevant in the slightest. But that is another issue entirely.

      Another fact for those who have been around long enough:

      MS does have a terrible record. Yes, they've also ignored warnings and actual exploits. They've outright dismissed them and even going so far as writing a report on what their view is – with NON-technical (and technical) facts wrong! But that isn't the case here.

      I seem to think they were working on a fix. Yes, it took longer than it should, certainly longer than non-commercial products tend to be fixed in (but that's how it goes when you're passionate about something, your project that you hate seeing have problems (contrast to being paid for it on working hours only)). But it still took longer nonetheless.

      Here is the issue: It is one thing to ignore a risk entirely – which indeed they have done (as I described above). But they weren't ignoring this, were they? So while the principle of making a vendor fix a flaw is valid (and 0days – as appears to be – is indeed one common way of doing it), if they're ALREADY working on one (and/or NOT ignoring it), then it INVALIDATES the argument that they (google) are doing it for a good reason – to make sure no one else with malicious intent (who won't report it) finds it. No, no, make no mistake: Google is being themselves here. This is just another example of their arrogance, trying to make a point or show themselves to be better. They do it under the guise of bettering everyone. But they care far more about their own agendas that they will do whatever they want, regardless of the consequences (that they will also ignore outright). I can name several dictators (some of who I have studied extensively) that were this way (and then some) as well as other very unpleasant people who were this way. This way means, among other things, appealing to others (or otherwise making it seem to others that they are helping or certainly aren't harmful) but actually it is for their own gain and very often is harmful.

      1. Coyote · in reply to Coyote

        (…I apologise: that was meant to be responding to the post itself, not you. A consequence of starting to make a short response, then deciding to move it to one, reloading and forgetting that I clicked on the hyperlink and so it was already specified I would respond to you)

  2. Steve

    Competitors or not, it is absolutely irresponsible to provide a viable proof of concept to all and sundry when you know the vendor is in the process of fixing it.

    The only people hurt by this sort of disclosure are the users, and Google should be considered complicit in attacks with result from their sharing of the proof of concept.

    As for 'more secure out of the box', the same criticism could be leveled at all OS vendors.

    There can never be a reason for releasing a working compromise to the public until a patch is available and has had time to propagate.

  3. Google is absolutely right to do this. Software companies have a very poor record of fixing security holes in a timely manner, even after vulnerabilities have been pointed out to them. They have tended to do the work only when absolutely forced to by adverse publicity, otherwise prevaricating as long as possible. Google has fixed a very reasonable time limit, which Microsoft has promptly attempted to subvert (heaven knows Microsoft has the resources to patch its software within a few days or weeks at the most), and Google has rightly enforced its line and made an example of them. Next time, Microsoft will get its finger out and get on with it – at least, we can hope so.

    Google's attitude over patching WebView is another issue, albeit a hypocritical one. Hopefully similar adverse publicity will have a similar result.

  4. ran

    It doesn't only help a small nerdy group of the population.
    It puts pressure on MS to actually allocate resources to fix it.
    If MS did not fix it in 90 days they probably did not allocate enough resources.
    You have to remember that exactly as Google finds those holes, so could the hackers.
    They may have exploited them for months and years already.
    3 months is more than enough time.

  5. 90 days is long enough for any vendor – Microsoft included. Few other vendors have these problems, because security in their products is important to them and they realise that 90 days is ample time, and get started straight away.
    If Google found the bug, so can hackers. As soon as a hacker has it, then it affects far more than just a nerdy few. As seen, many, many times, with Microsoft being slow or unwilling to fix security issues and just how many they have.
    It's irresponsible of this author and publication to suggest anything other than that Microsoft is behaving irresponsibly and sooking about it instead of fixing their security patch performance and deliverable speed. I assume Microsoft must be an advertiser or contributor?

    1. Coyote · in reply to Jason Allen

      1) This website doesn't have advertisements.
      2) The sponsors have not been Microsoft (and Microsoft hasn't contributed here).
      3) He has criticised Microsoft (as well as Google, especially with Android, as well as others; i.e. he discusses them all).

      Add it all up and he isn't being irresponsible at all.

  6. kyndee2009

    The Windows OS is not to blame, it's Microsoft that is to blame. They just pin a hole so that they could sneak into it. It's just disgusting that they are always after money and not quality or security. They just need to remove their firewall and Defender to start with.

  7. Coyote

    It is most interesting to me that someone (i.e. me) who is pro-open source and anti-proprietary (and this includes more than software although I still don't blame corporations for being in business (and a huge part of the population are able to use computers because of Microsoft; they could have learnt something else but it is their choice – they should be grateful for it rather than whine about the problems that they don't have to subject themselves to – but do (everything in this world has problems))) … someone who is also incredibly closed-minded and biased against Microsoft (and Apple. and Google. and…)… can see the point (which I might add has nothing to do with any of these corporations) here. To be strictly technical, I HATE all three of them a great deal.

    But this post has nothing to do with them. It has to do with 0days and how they come to exist. Yes, sometimes it is all that can be done. This wasn't such a case. As Graham noted, the patch was already released when he wrote it. In addition, Google released the exploit two days before the patch. Yes, yes, they should have been quicker. But the fact remains: they weren't ignoring the issue. Therefore the argument of it being so they are forced to fix it is invalidated. It is a fallacy here. There's more to it (software development has many phases and different protocols (project specific, organisation specific and both combined specific)), even, but that is the most important point: in this case the argument is invalidated.

    (It is one thing if the vendor is flatly ignoring the problem and not working on a fix. It is another if they are and have it scheduled for release. The latter is the case here. That they're slower only comes down to: they're a corporation with other products. They also work on work hours, not whenever they want to. It is also a business and not a passion like it is with open source (and I know because I only do programming for free projects and while some of it isn't open source it is all free to use… and no matter what it is, I hate bugs so it will be fixed once noticed))
