After Google disclosed a system flaw that could leave users vulnerable to attacks, Microsoft is dissatisfied with the Internet giant’s short notification period.
Google and Microsoft seem to be on opposing sides of a security and notification dilemma, as the companies cannot agree on what the proper notification period is, or on what should be publicly disclosed and how.
The current problem stems from a Microsoft system flaw recently discovered by Google. The Internet giant reportedly noticed the problem and drew Microsoft’s attention to it some days ago, on October 21.
The system flaw in question could prove to be quite a serious issue, as it is related to the system’s kernel. According to Google, the win32k.sys system call has a bug which could allow potential attackers access to the system.
The Windows kernel flaw could be used to bypass the system’s security sandbox, and Google also stated that it is sure the bug is already being exploited.
After noticing the system flaw, Google reportedly gave Microsoft a ten-day period in which to either patch the bug or publicly reveal it.
When the ten days passed, Google announced the bug on its security blog and offered details and advice.
The cause of the debate between the two giants seems to be less the system flaw itself and more the fact that Google announced it instead of Microsoft, and before the company could come up with a solution.
Google has a seven-day wait period before disclosing any problems it finds, which could seem quite short. As the company stated in a 2013 declaration, it considers that period enough to release safety advice and possible solutions if a patch is not yet available.
Microsoft disagreed with Google’s strict announcement policy, as it considers that this particular system flaw could cause more problems now that it has been revealed than before the blog post.
Microsoft maintains that the kernel is more likely to be exploited now, as potential hackers will be looking for the vulnerability after it was revealed.
A patch for the system flaw is thought to be impossible to deliver in just seven or ten days, as Brian Martin, director of vulnerability intelligence at Risk Based Security, explains.
As the patch has to address different OS platforms, the developers also have to make sure that existing programs will not be affected by the new fix.
The debate over system flaw disclosures is not in its first round, as the same two companies went through the same dance back in 2015. Back then, Google discovered some previously undetected holes in the Microsoft Windows operating system.
Still, the questions regarding the current system flaw stand. Was Google justified in revealing the issue, as it was already being exploited, or should it have waited until Microsoft patched the problem?