Microsoft has recently expressed its displeasure with how Google released information about a vulnerability in Windows. Under Coordinated Vulnerability Disclosure (CVD), security researchers should give Microsoft the opportunity to fix a detected vulnerability before disclosing it to the public. Microsoft states that it seeks to provide its customers with high-quality updates and to protect them from malicious attacks while the update is being created.
It is believed that full disclosure encourages software vendors to fix vulnerabilities more quickly and customers to take protective measures. However, Microsoft disagrees with this belief and suggests that public disclosure may trigger new cyber attacks.
The company has expressed its dissatisfaction and requests that researchers inform it privately about vulnerabilities they detect and release information about the issue only once a fix has been made available. Chris Betz, senior director of the Microsoft Security Response Center, believes that researchers and software vendors have to collaborate until a fix is released and argues that this partnership is highly beneficial for customers.
Microsoft regards the release of the information about the bug as a situation in which customers are put in danger. Chris Betz believes that Google is not necessarily right in its decision.
Google released information about the bug two days before the planned fix, despite Microsoft’s request not to reveal the details of the issue. Specifically, Microsoft asked Google to withhold the information from the public until January 13, 2015, when the fix was scheduled to be released. Microsoft’s position is that the primary focus should be on providing customers with protection rather than exposing them to greater danger. Chris Betz argues that Microsoft would not try to put pressure on competitors after detecting flaws in their products.
The disclosure was made by Google’s Project Zero team, which published the code required to exploit the bug. Project Zero gives affected companies a deadline to fix reported problems; because the vulnerability was not fixed within 90 days, information about the issue was disclosed.
Last week it was reported that Microsoft’s Advanced Notification Service (ANS), which was created more than 10 years ago as part of Patch Tuesday to communicate upcoming Microsoft updates, is no longer available to the public. This means that ANS information will no longer be published in a blog post or on a website. The change is said to have been made in response to customer feedback that ANS is no longer used as it was in the past: the vast majority of customers simply wait for Update Tuesday and allow updates to install automatically. Advance information about security updates will be available only to customers with paid Premier support contracts.