In the first Patch Tuesday of 2015, Microsoft has fixed the Windows 8.1 vulnerability controversially revealed by Google last week, and has hit back at the search giant for its lack of cooperation in the matter.
The fix is one of eight patches for Windows issued in the update, including another one revealed by Google earlier this week. One patch is deemed to be ‘critical’ with the other seven classified as ‘important’.
MS15-001 fixes the vulnerability exposed by Google last week, which allowed a malicious attacker to elevate their privileges to the level of administrator, as well as another similar flaw also published by Google earlier this week.
“Those in favour of full, public disclosure believe that this method pushes software vendors to fix vulnerabilities more quickly and makes customers develop and take actions to protect themselves,” said Chris Betz, senior director of Microsoft Security Response Center. “We disagree. Releasing information absent context or a stated path to further protections, unduly pressures an already complicated technical environment.
“It is necessary to fully assess the potential vulnerability, design and evaluate against the broader threat landscape, and issue a “fix” before it is disclosed to the public, including those who would use the vulnerability to orchestrate an attack. We are in this latter camp.
“One company – Google – has released information about a vulnerability in a Microsoft product, two days before our planned fix on our well known and coordinated Patch Tuesday cadence, despite our request that they avoid doing so.
“Specifically, we asked Google to work with us to protect customers by withholding details until Tuesday, January 13, when we will be releasing a fix. Although following through keeps to Google’s announced timeline for disclosure, the decision feels less like principles and more like a “gotcha”, with customers the ones who may suffer as a result. What’s right for Google is not always right for customers. We urge Google to make protection of customers our collective primary goal.”
The one critical patch in the update fixes a vulnerability in the Microsoft Telnet service, while others fix bugs in the Network Location Awareness Service and Windows Error Reporting that could allow a malicious attacker to bypass security features. Another fix closes a weakness in the Windows Kernel, while another solves a problem that could see an infected system used for a DDoS attack.
This Patch Tuesday is also notable for being the first one since Microsoft discontinued its free advance notice service, with the notifications only being issued to paying customers – much to the dismay of security experts.
View Comments
Big boo hoo for Microsoft on this one. They're slating Google for releasing the information when they were aware of Microsoft released schedules. Well, Microsoft were aware of the Google 90 day deadline and overshot it, which can't really be blamed on anyone else - it's their software. Ultimately the timescale is reasonable and hopefully Google's actions will encourage Microsoft to give fixes a higher priority in future. Who knows how many customers were exposed to danger by Microsoft's slow response.