Earlier this month, Google controversially published proof-of-concept code, providing malicious hackers with a blueprint through which they could exploit Microsoft Windows 8.1 through a zero-day vulnerability.
This week, Google did it again.
The latest disclosure by Google is a new privilege escalation bug in Microsoft Windows 8.1 (reportedly also affecting the 64-bit edition of Windows 7 Professional SP 1).
As with the previous controversial disclosure, Google gave Microsoft 90 days to fix the flaw. Microsoft requested that Google wait until a security patch was available, and Google said tough luck and published code that could assist malicious hackers.
Both flaws were patched by Microsoft on Tuesday, but understandably the company isn’t happy about Google’s releasing details of security holes when patches were not only in the works, but about to be released.
Releasing details of security holes to the public before a patch is available only helps a tiny nerdy proportion of the internet community. It doesn’t help the vast majority of computer users at all - in fact, it potentially puts them in danger.
If Google is frustrated that Microsoft is taking too long to release a patch, it should take its concerns to the media and demonstrate the flaw to them - *not* release code which anyone could exploit.
Just imagine if Microsoft researchers gave Google 90 days to fix a WebView vulnerability in Android 4.3, and then released proof-of-concept exploit code.
I wonder how Google would feel then?