Google today disclosed another vulnerability in Windows 8.1 for which Microsoft hasn't released an update yet. After disclosure of the vulnerability Microsoft posted a fierce message on their blog. The vulnerability Google's security experts discovered, allows an attacker with system access to elevate his privileges. The leak was reported to Microsoft in October last year after which the software giant was given 90 days to patch the issue.
The automatic deadline of 90 days which Google uses, means details of the vulnerability become public two days before the patch is released. The deadline passed on January 11th (yesterday) while the patch will be released January 13th (tomorrow), during Microsoft's regular Patch Tuesday.
At the end of last year Google also disclosed a vulnerability in Windows 8.1 which also allowed an attacker to elevate his privileges and for which Microsoft didn't have a patch available yet.
"Google - has released information about a vulnerability in a Microsoft product, two days before our planned fix on our well known and coordinated Patch Tuesday cadence, despite our request that they avoid doing so. Specifically, we asked Google to work with us to protect customers by withholding details until Tuesday, January 13, when we will be releasing a fix", Chris Betz, senior director of the Microsoft Security Response Center, writes.
He continues with wondering whether Google's decision is fair, "although following through keeps to Google’s announced timeline for disclosure, the decision feels less like principles and more like a “gotcha”, with customers the ones who may suffer as a result."
