Microsoft has fixed the Windows 8.1 vulnerability controversially revealed by Google last week in the first Patch Tuesday of 2015, and has hit back at the search giant for its lack of cooperation in the matter.
The fix is one of eight patches for Windows issued in the update, including another one revealed by Google earlier this week. One patch is deemed to be ‘critical’ with the other seven classified as ‘important’.
MS15-001 fixes the vulnerability exposed by Google last week, which allowed a malicious attacker to elevate their privileges to the level of administrator, as well as another similar flaw also published by Google earlier this week.
“Those in favour of full, public disclosure believe that this method pushes software vendors to fix vulnerabilities more quickly and makes customers develop and take actions to protect themselves,” said Chris Betz, senior director of Microsoft Security Response Center. “We disagree. Releasing information absent context or a stated path to further protections, unduly pressures an already complicated technical environment.
“It is necessary to fully assess the potential vulnerability, design and evaluate against the broader threat landscape, and issue a “fix” before it is disclosed to the public, including those who would use the vulnerability to orchestrate an attack. We are in this latter camp.
“One company – Google – has released information about a vulnerability in a Microsoft product, two days before our planned fix on our well known and coordinated Patch Tuesday cadence, despite our request that they avoid doing so.
“Specifically, we asked Google to work with us to protect customers by withholding details until Tuesday, January 13, when we will be releasing a fix. Although following through keeps to Google’s announced timeline for disclosure, the decision feels less like principles and more like a “gotcha”, with customers the ones who may suffer as a result. What’s right for Google is not always right for customers. We urge Google to make protection of customers our collective primary goal.”
The one critical patch in the update fixes a vulnerability in the Microsoft Telnet service, while others fix bugs in the Network Location Awareness Service and Windows Error Report that could allow a malicious attacker to bypass security features. Another fix closes a weakness in the Windows Kernel, and a further one solves a problem that could see an infected system used for a DDoS attack.
This Patch Tuesday is also notable for being the first one since Microsoft discontinued its free advance notice service, with the notifications only being issued to paying customers – much to the dismay of security experts.
View Comments
Big boo hoo for Microsoft on this one. They're slating Google for releasing the information when they were aware of Microsoft released schedules. Well, Microsoft were aware of the Google 90 day deadline and overshot it, which can't really be blamed on anyone else - it's their software. Ultimately the timescale is reasonable and hopefully Google's actions will encourage Microsoft to give fixes a higher priority in future. Who knows how many customers were exposed to danger by Microsoft's slow response.