Microsoft had some terse words for Google following a Google researcher's decision to publish an exploitable bug in Windows 8.1, days before a fix would have arrived.
Google Code team member "Forshaw" initially published the bug internally on Sept. 30, 2014, also submitting it to the Microsoft Security Response Center under the ID (MSRC-20544). The bug was found in the Windows process ahcache.sys/NtApphelpCacheControl, a piece of the core Windows 8.1 code responsible for caching data shared between processes.
Under Windows' security restrictions only an administrator could edit the cache. But the process had a flaw: if you grabbed the administrator's credentials from an administrative process running on the system, you could pass that ID to ahcache.sys/AhcVerifyAdminContext, the code used to check the administrator's credentials. The code would then allow you to edit the cache, missing that you were merely impersonating the administrator.
This seemingly minor bug could potentially allow you to launch a new process with administrative privileges, allowing a malicious user to take over the machine. "Forshaw" even published an example with a malicious executable and *.dll which launched a Calculator app running as administrator from a user account without administrative privileges.
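A simplified model of the check described above, added here as an illustration and not the driver's own code: the token fields, the level names and the two verify functions are assumptions for the example, showing why a check that looks only at group membership accepts a token that was merely borrowed from an administrator, while a check that also looks at how far the token may be used does not.

```c
#include <stdbool.h>
#include <stdio.h>

/* Simplified model of a Windows access token (assumption for this example):
 * whether it carries the Administrators group and, for impersonation tokens,
 * at what level the client allowed the server to act. An identification-level
 * token only lets a server query who the client is, not act with its rights. */
enum impersonation_level {
    LEVEL_ANONYMOUS = 0,
    LEVEL_IDENTIFICATION = 1,
    LEVEL_IMPERSONATION = 2,
    LEVEL_DELEGATION = 3
};

struct token {
    bool in_admin_group;             /* Administrators group present and enabled */
    bool is_impersonation_token;     /* false = the caller's own primary token */
    enum impersonation_level level;  /* only meaningful for impersonation tokens */
};

/* Vulnerable pattern: only group membership is examined, so any admin-derived
 * token on the calling thread passes, even one the caller may only use to
 * identify the administrator rather than to act as them. */
bool verify_admin_context_vulnerable(const struct token *t)
{
    return t->in_admin_group;
}

/* Hardened pattern: an impersonation token must grant at least the
 * impersonation level before its group membership counts; a primary token is
 * the caller's own, so membership alone is sufficient there. */
bool verify_admin_context_hardened(const struct token *t)
{
    if (!t->in_admin_group)
        return false;
    if (t->is_impersonation_token && t->level < LEVEL_IMPERSONATION)
        return false;
    return true;
}

int main(void)
{
    /* Constructed inputs: a non-admin caller holding an identification-level
     * token taken from an administrative process, and a genuine administrator. */
    struct token borrowed = { true, true, LEVEL_IDENTIFICATION };
    struct token real_admin = { true, false, LEVEL_ANONYMOUS };
    printf("vulnerable: borrowed=%d real=%d\n",
           verify_admin_context_vulnerable(&borrowed),
           verify_admin_context_vulnerable(&real_admin));
    printf("hardened:   borrowed=%d real=%d\n",
           verify_admin_context_hardened(&borrowed),
           verify_admin_context_hardened(&real_admin));
    return 0;
}
```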
In the original closed post "Forshaw" warns:
This bug is subject to a 90 day disclosure deadline. If 90 days elapse without a broadly available patch, then the bug report will automatically become visible to the public.
The 3-month window went by with no fix from Microsoft. So on Dec. 29 the bug was made public.
Microsoft, though, apparently hadn't been sitting idle and -- according to its account -- had been ready to patch the bug on January's Patch Tuesday (1/13). Microsoft patches low-level zero-day vulnerabilities on a monthly basis on the second Tuesday of each month (Patch Tuesday).
The bug in question had come in just ahead of the October Patch Tuesday, but missed the October, November, and December Patch Tuesdays as it apparently was somewhat more complex to fix than Microsoft anticipated.
But according to Microsoft's account, it told Google and "Forshaw" that it had a fix in hand and ready for January. Google ignored this and published anyway at the end of 90 days, leaving Microsoft fuming.
MSRC Senior Director Chris Betz writes in a TechNet blog:
In terms of the software industry at large and each player’s responsibility, we believe in Coordinated Vulnerability Disclosure (CVD). This is a topic that the security technology profession has debated for years. Ultimately, vulnerability collaboration between researchers and vendors is about limiting the field of opportunity so customers and their data are better protected against cyberattacks.
CVD philosophy and action is playing out today as one company - Google - has released information about a vulnerability in a Microsoft product, two days before our planned fix on our well known and coordinated Patch Tuesday cadence, despite our request that they avoid doing so. Specifically, we asked Google to work with us to protect customers by withholding details until Tuesday, January 13, when we will be releasing a fix. Although following through keeps to Google’s announced timeline for disclosure, the decision feels less like principles and more like a “gotcha”, with customers the ones who may suffer as a result. What’s right for Google is not always right for customers. We urge Google to make protection of customers our collective primary goal.
He suggests that Google's unwillingness to try to cooperate with Microsoft's timeline is going to hurt everyone, writing:
Automatically disclosing this vulnerability when a deadline is reached with absolutely zero context strikes me as incredibly irresponsible and I'd have expected a greater degree of care and maturity from a company like Google. My reading of the disclosure is that it's your average local privilege escalation vulnerability. That's bad and unfortunate, but it's also a fairly typical class of vulnerability, and not in the same class as those that keep people like me up at night patching servers. The sad reality is that these sort of vulnerabilities are a dime a dozen on Windows, and the situation on Linux is pretty comparable. But disclosing it with zero context strikes me as the wrong approach.
What communication has occurred with Microsoft to date? Has the vulnerability been acknowledged? Presumably yes given there's an MSRC ID? Has there been a delay on Microsoft's end because of certain engineering complexities? Christmas has just passed and today is New Year's Eve, so realistically, many employees from both Google & Microsoft are likely on leave. That's unfortunate, security issues don't care about the time of year, but it's also the human reality. Ninety days may seem like a long time, but developing and regression testing a patch to an important operating system driver isn't typically quick or easy. Mistakes from rushing cost lots of time and money; anyone who's paid attention to recent screw-ups in MS Security Bulletins should be aware of this.
Disclosing this may have been the right thing to do. Doing so based on an automated deadline with zero context from Google strikes me as much less so. It seems to me that the relationship between Google & MSFT's respective security teams is fairly poor. Seeing things like this certainly goes a way to explaining why.
Another user "Anime Crazy" writes:
Google wants to troll Microsoft more than it wants to help.
Another user "Silver Star" blasts back:
Google is not evil. Microsoft just slept and did not fix the vulnerability in time. Good job, Google.
Certainly the fact that Microsoft is a competitor to Google's laptop Chrome OS, to Google's smartphone/tablet operating system Android, and to Google Search raises certain red flags. That said, it's a little unclear where the "two days" before the patch part in the Microsoft blog comes from as the publication appears to be two weeks before the patch.
The bug appears to be absent in Windows 10, indicating the redesign of the core components has closed this security hole even as it remained in Windows 8.1, awaiting a fix.
In closing, I should note this isn't the first time Microsoft and Google have quibbled over Google releasing details of Windows or Internet Explorer vulnerabilities. With Google pushing for a 7-day vulnerability turnaround, it could soon start releasing Windows bugs even sooner.
Do you think Google's security researchers are playing foul by releasing bugs just weeks before Microsoft's fixes? Or is it Microsoft's fault for taking three months to finish the fix?