Microsoft accuses Google of harming customers following first Patch Tuesday of 2015
In the first Patch Tuesday of 2015, Microsoft has fixed the Windows 8.1 vulnerability controversially revealed by Google last week, and has hit back at the search giant for its lack of cooperation in the matter.
The fix is one of eight patches for Windows issued in the update, including another one revealed by Google earlier this week. One patch is deemed to be ‘critical’ with the other seven classified as ‘important’.
MS15-001 fixes the vulnerability exposed by Google last week, which allowed a malicious attacker to elevate their privileges to the level of administrator, as well as another similar flaw also published by Google earlier this week.
Google v Microsoft
Both were made public automatically because Microsoft had not patched the flaws within 90 days. Microsoft has criticised Google for its actions, arguing that tech companies should work together to help protect consumers and business rather than cause unnecessary risk.
“Those in favour of full, public disclosure believe that this method pushes software vendors to fix vulnerabilities more quickly and makes customers develop and take actions to protect themselves,” said Chris Betz, senior director of Microsoft Security Response Center. “We disagree. Releasing information absent context or a stated path to further protections, unduly pressures an already complicated technical environment.
“It is necessary to fully assess the potential vulnerability, design and evaluate against the broader threat landscape, and issue a “fix” before it is disclosed to the public, including those who would use the vulnerability to orchestrate an attack. We are in this latter camp.
“One company – Google – has released information about a vulnerability in a Microsoft product, two days before our planned fix on our well known and coordinated Patch Tuesday cadence, despite our request that they avoid doing so.
“Specifically, we asked Google to work with us to protect customers by withholding details until Tuesday, January 13, when we will be releasing a fix. Although following through keeps to Google’s announced timeline for disclosure, the decision feels less like principles and more like a “gotcha”, with customers the ones who may suffer as a result. What’s right for Google is not always right for customers. We urge Google to make protection of customers our collective primary goal.”
The one critical patch in the update fixes a vulnerability in the Microsoft Telnet service, while others fix bugs in the Network Location Awareness Service and Windows Error Report that could allow a malicious attacker to bypass security features. Another fix closes a weakness in the Windows Kernel, while another solves a problem that could see an infected system be used for a DDoS attack.
This Patch Tuesday is also notable for being the first one since Microsoft discontinued its free advance notice service, with the notifications only being issued to paying customers – much to the dismay of security experts.