Microsoft has fixed the Windows 8.1 vulnerability controversially revealed by Google last week in the first Patch Tuesday of 2015, and has hit back at the search giant for its lack of cooperation in the matter.
The fix is one of eight patches for Windows issued in the update, including another one revealed by Google earlier this week. One patch is deemed to be ‘critical’ with the other seven classified as ‘important’.
MS15-001 fixes the vulnerability exposed by Google last week, which allowed a malicious attacker to elevate their privileges to the level of administrator, as well as another similar flaw also published by Google earlier this week.
“Those in favour of full, public disclosure believe that this method pushes software vendors to fix vulnerabilities more quickly and makes customers develop and take actions to protect themselves,” said Chris Betz, senior director of Microsoft Security Response Center. “We disagree. Releasing information absent context or a stated path to further protections, unduly pressures an already complicated technical environment.
“It is necessary to fully assess the potential vulnerability, design and evaluate against the broader threat landscape, and issue a “fix” before it is disclosed to the public, including those who would use the vulnerability to orchestrate an attack. We are in this latter camp.
“One company – Google – has released information about a vulnerability in a Microsoft product, two days before our planned fix on our well known and coordinated Patch Tuesday cadence, despite our request that they avoid doing so.
“Specifically, we asked Google to work with us to protect customers by withholding details until Tuesday, January 13, when we will be releasing a fix. Although following through keeps to Google’s announced timeline for disclosure, the decision feels less like principles and more like a “gotcha”, with customers the ones who may suffer as a result. What’s right for Google is not always right for customers. We urge Google to make protection of customers our collective primary goal.”
The one critical patch in the update fixes a vulnerability in the Microsoft Telnet service, while others fix bugs in the Network Location Awareness Service and Windows Error Reporting that could allow a malicious attacker to bypass security features. Another fix closes a weakness in the Windows Kernel, while another solves a problem that could see an infected system be used for a DDoS attack.
This Patch Tuesday is also notable for being the first one since Microsoft discontinued its free advance notice service, with the notifications only being issued to paying customers – much to the dismay of security experts.
View Comments
Big boo hoo for Microsoft on this one. They're slating Google for releasing the information when they were aware of Microsoft's release schedules. Well, Microsoft were aware of the Google 90-day deadline and overshot it, which can't really be blamed on anyone else - it's their software. Ultimately the timescale is reasonable and hopefully Google's actions will encourage Microsoft to give fixes a higher priority in future. Who knows how many customers were exposed to danger by Microsoft's slow response.