Don’t be evil? Google discloses yet another zero-day bug in Microsoft code

Graham Cluley

For the third time in a month, Google has gone public about a security vulnerability in Microsoft’s code – and not been prepared to wait for the software giant to publish a patch.

The security hole, which exists in Microsoft Windows 7 and 8.1 is expected to be patched in Microsoft’s regular monthly security update on Tuesday February 10th.

But that isn’t good enough for Google’s bug-hunting engineers, who not only went public about the flaw last week, but also published proof-of-concept code to demonstrate how to exploit the vulnerability.

The concern is that the details published by Google, and the proof-of-concept code released by Google’s bug hunters, is effectively a blueprint for online criminals to launch attacks against Windows users, and allow them to gain access to a user’s data in unencrypted form.

Google poc 1

Google’s disclosure of the vulnerability – with working exploit code – is highly controversial. Google’s security engineers say that they privately informed Microsoft of the vulnerability in October last year, and started a 90-day countdown ticking before the eventually declassification.

Microsoft told Google that it had planned to roll out to customers a fix for issue in its January patches, but because of “compatibility issues” it got pushed back to February.

But Google couldn’t care less that Microsoft was attempting to ensure that its patch would actually *work*, and went public with details of the flaw anyway – with no patch still available.

Google disclose

So, for the third time in a month (the previous instances were both Windows Elevation of Privilege vulnerabilities) Microsoft users are left exposed to a security hole made public by arch-rival Google.

Of course, in an ideal world, Microsoft shouldn’t have had the security bugs in the first place. But I find it difficult to see how its response hasn’t been appropriate.

Microsoft clearly wants to fix bugs, but it wants to make sure that the fixes work.

Google, meanwhile, appears to have adopted behaviour which I would find more common in a schoolyard.

Isn’t it about time they grew up, and acted responsibly for the safety of internet users?

After all, it’s not as though their own Android backyard doesn’t have some dreadful unpatched security risks of its own.

This article originally appeared on the Optimal Security blog.

Graham Cluley Graham Cluley is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent security analyst, he regularly makes media appearances and is an international public speaker on the topic of computer security, hackers, and online privacy. Follow him on Twitter at @gcluley, or drop him an email.
Never miss a thing. Sign up for the free GCHQ newsletter from Graham Cluley.
GET EMAIL UPDATES