Google Is Doing A New Thing To Tick Off Microsoft: Exposing Bugs In Windows 8

Arch rivals Google and Microsoft are going at it in public again.

Microsoft is not happy that Google's security folks are finding bugs in Windows (particularly Windows 8) and telling the world about them before Microsoft can fix the problems.

Publicly discussing bugs in this way (in geek speak, that's called "full disclosure") is not something new or unique to Google. Security researchers have been doing this for ages when they think a software vendor is dragging its feet on fixing dangerous bugs.

The problem here is that Microsoft says it was not dragging its feet.

The flaw was found by Google's "Project Zero" team founded last summer, a group of world-class security researchers looking for security holes in other company's software. The work is generally a good thing, helping make the internet a safer place.

However, Project Zero has a strict 90 day "fix it or we'll disclose it" policy.

Microsoft says it planned to release a fix for the bug as part of its usual monthly Patch Tuesday cycle in January two days after Google's 90-day deadline. However, Microsoft also told Google that the patch itself was buggy and would be released in February, according to records made public by Google.

Microsoft tries to release all patches on a predictable monthly cycle, to make it easier on enterprise customers who need to test each patch before deploying it.

On January 15, 90 days after Google first told Microsoft about it, Google disclosed the bug. There was no patch available.

This was the 15th flaw that Google has revealed in Microsoft software since about November, and it wasn't the first time Google released information about a bug before Microsoft had a fix ready.

Google doesn't just pick on Microsoft. The team frequently finds bugs in Apple's products, and other software, too.

Project Zero keeps a public database that lists all the bugs in all the software it finds.

Interestingly, these Google security gurus aren't disclosing bugs found in Google's own software the same way. The database comes up blank when searching for a list of bugs found in Google software.

The situation has caused Microsoft to cry foul.

In a blog post blasting Google, Chris Betz, a director of Microsoft's own security research group wrote:

"... one company - Google - has released information about a vulnerability in a Microsoft product, two days before our planned fix on our well known and coordinated Patch Tuesday cadence, despite our request that they avoid doing so. Specifically, we asked Google to work with us to protect customers by withholding details until Tuesday, January 13, when we will be releasing a fix. Although following through keeps to Google's announced timeline for disclosure, the decision feels less like principles and more like a "gotcha", with customers the ones who may suffer as a result. What's right for Google is not always right for customers. We urge Google to make protection of customers our collective primary goal."

It's not likely that many enterprises will be hacked because of Google's decision to release the code before Microsoft could patch it, though that is a risk.

Still, the whole thing shows how businesses are caught in the middle of the games these big competitors are playing.