Project Zero is a security research team assembled by Google to search for vulnerabilities in software and products made by other companies. When Project Zero finds a flaw, it reports the details to the vendor. If the flaw is not patched within a 90-day period, Google makes the details of the flaw public.
Project Zero found an elevation of privilege (EoP) vulnerability in Windows 8.1. An EoP flaw lets an attacker who already has code running under a low-privileged account on a system gain administrator privileges; on its own it does not give remote access, so it is typically chained with a remote bug or malware that provides the initial foothold. Google reported the details of the flaw to Microsoft. After 90 days, the flaw had still not been patched. Following its standard 90-day timetable, Google made the details of the flaw public.
Microsoft was upset that Google would not “work with them,” since the patch was scheduled to ship the following Tuesday. Microsoft releases security updates on the second Tuesday of each month, commonly called “Patch Tuesday.”
Google responded that Microsoft had been given 90 days to release a patch, the same timetable applied to every other vendor, and that granting an exception or extending the deadline would set a precedent Google did not want to establish.
Robert Graham, the CTO of security research firm Errata Security, released a statement on his blog: “Since we can’t make perfect software, we must make fast and frequent fixes the standard. Nobody should be in the business of providing ‘secure’ software that can’t turn around bugs quickly. Rather than 90 days being too short, it’s really too long.”
I’m sure this won’t be the last time someone gets upset with Google, but one does have to admire their drive to protect us.
(Image Source: iCLIPART)