
Google is right to keep issuing ‘fuck you’s to Microsoft


Twice this week, Google has flipped the metaphorical bird at Microsoft, muttering a quiet ‘fuck you’ under its breath. Google’s security researchers have a policy of sitting on software vulnerabilities they discover for 3 months. When the security issue is found, the relevant company is informed, and the clock starts ticking.

When 90 days is up, details of the vulnerability are automatically published. This is precisely what happened a few days ago and Microsoft wasn’t happy. Google let the world know about a security issue before Microsoft could pull its finger out and release a patch. At the time, Microsoft referred to it as a “gotcha”. With the subsequent revelation of two more vulnerabilities in the same way, it’s more like a “fuck you” — and that’s a good thing.

There has been something of a debate in recent days about whether Google has the right to crown itself police of security. I’m not sure that this is what’s happening. Google’s Project Zero is not new, and it is well known that there is a 90 day publishing policy in place. If Google really wanted to fuck with Microsoft (or anyone else for that matter) it could just do away with the grace period and publish vulnerability details right off the bat.

Rather than making Google look irresponsible or bully-like — and this is precisely what we’re meant to take away from Chris Betz’s moaning — Microsoft has merely succeeded in demonstrating that it is a) incredibly slow to address issues that are brought to its attention and b) incredibly stubborn in its unwillingness to release patches early even when they are ready (which is what happened the first time). Equally worrying is the fact that Microsoft did not even warn Windows users about the potential issues despite the warnings from Google.

Is Google swinging its weight about? Absolutely. Is that a bad thing? This is less clear cut. While it is certainly true that publicising details of a vulnerability could put users at risk, it is arguably more important that pressure be put on Microsoft to get things fixed. If putting information that could be misused out in the wild is what it takes, so be it. Many have suggested that this equates to Google holding Microsoft to ransom. This is a misguided way to look at things.

The whole idea behind Google Security Research is to increase security for computer users around the world. The aim is not to shame Microsoft specifically, or indeed to wield self-imposed power — although this is how it has been taken. Google is right to exert pressure on Microsoft and others to fix problems with software. Of course, there are problems and security issues with Google products and services as well… others are more than welcome to point out their findings to Google under a time-restricted embargo or straight to the wider world.

Microsoft may feel that Google has issued a big “fuck you”, but that’s a good thing. It will hopefully spur Microsoft into reacting to things faster in the future. Co-operation between companies is a lovely concept, but it has a tendency to lead to procrastination and laziness; sometimes a little force needs to be applied.

1 comment

  1. Jason

    Isn’t Google doing the pot calling the kettle black thing?

    Last time I checked, there’s a rapidly growing anti-Google community for almost exactly the same reasons Google are flipping the bird at MS.
