Google also gave Microsoft an extra 14-day grace period to have a fix ready for its monthly Patch Tuesday release in February, but Microsoft missed this target because “the fix is more complex than originally anticipated.” It’s not clear when Microsoft will have a fix ready, and the Google engineer responsible for reporting the security flaw says that, because of the complexity of the fix, Microsoft “does not yet have a fixed date set as of yet.”
The public disclosure will likely anger Microsoft, once again. The software giant hit back at Google’s approach to security patches last October, after finding a Chrome flaw and “responsibly” disclosing it to Google so the company had enough time to patch. At the core of the issue is whether Google’s policy to publish after 90 days without a patch is reasonable. Google makes exceptions to this hard rule, with grace periods, and can even disclose much sooner if the vulnerability is being actively exploited. Google disclosed a major Windows bug back in 2016 just 10 days after reporting it to Microsoft, and the company has published zero-day bugs in Windows in the past before patches were available.
Two big and obvious exceptions to Google’s security disclosure rules were the recent Meltdown and Spectre bugs. Google engineers discovered the CPU flaws, and Intel, AMD, and others had around six months to fix the issues before the flaws were publicly revealed earlier this year. Chrome OS and Android devices were also affected by the processor flaws, along with Windows, Linux, macOS, and iOS.
Google needs the industry to adopt its aggressive disclosure policies, but Microsoft has so far resisted rather publicly.