Tech giants Microsoft & Google have been engaged in a nasty spat over security. It all has to do with the latest batch of security updates from Microsoft for Patch Tuesday. Patch Tuesday occurs the second Tuesday of very month and is when Microsoft issues regular updates for Windows.
Google announced a new project called Project Zero over the summer. When Google discovers a security issue with another company’s software, they tell the company about it and give the company 90 days to issue a fix before announcing the issue to the public.
The company found an issue with 8.1 and told Microsoft about it on October 13. Microsoft had the patch ready for the regular Patch Tuesday updates in January and asked Google to please keep quiet for 2 more days until the patch was available to be applied to everyone. That would have set the time from disclosure to fix at 92 days.
Google refused and went public with the issue anyway. Microsoft was furious since that 2-day lag gave hackers plenty of time exploit the vulnerability. In a post on Microsoft’s Blog, security chief Chris Betz said, “This is a time for security researchers and software companies to come together and not stand divided over important protection strategies, such as the disclosure of vulnerabilities and the remediation of them. ” and went on to explain, “oogle – has released information about a vulnerability in a Microsoft product, two days before our planned fix on our well known and coordinated Patch Tuesday cadence, despite our request that they avoid doing so. Specifically, we asked Google to work with us to protect customers by withholding details until Tuesday, January 13, when we will be releasing a fix. Although following through keeps to Google’s announced timeline for disclosure, the decision feels less like principles and more like a “gotcha”, with customers the ones who may suffer as a result. What’s right for Google is not always right for customers. We urge Google to make protection of customers our collective primary goal.”
Telling the public about vulnerabilities before a patch is released has always been controversial, since it gives hackers time to get to work. That’s why Apple has generally refused to discuss any vulnerabilities until the patches were already in place for their systems. There is an argument that users have a right to know in order to protect themselves.
The patch for Windows 8.1 vulnerability is available now along with 8 other patches to vulnerabilities that could allow hackers to take over your system. The various vulnerabilities affect Windows Vista, 7, 8 and 8.1.
If your computer is set for automatic updates, you should be good. Other wise you can install the updates manually.
Click here to learn how to install Windows 7 updates.
Click here to learn how to install Windows 8 updates.
~ Cynthia
That was pretty venomous on the part of Google.