Google has revealed yet another security flaw affecting Windows 8.1 under its zero-day policy, which includes disclosing any security issue it finds in other vendors' software within 90 days of notifying the company that owns the affected software. The move has been interesting for observers enjoying the sparring between Microsoft and Google: Google released its first zero-day Windows flaw on December 30th, 2014, and did so again over the weekend.
The flaw, for which a fix was due this week, allowed low-level users to give themselves administrative control by becoming “administrators” within a Windows 8.1 system. The vulnerability would ultimately allow users to gain control of something they should not otherwise be able to access if the security measures were appropriate. Put simply, users should not be able to raise their standing within a larger network of accounts on a Windows-based system without approval from the administrator of the system.
Google has been using a policy and procedure called “Project Zero,” under which it reveals security flaws in other operating systems if the company responsible does not correct the bug or issue affecting the system. According to Google, Microsoft was notified of this particular issue in October, and when Microsoft pledged to have a patch released on Tuesday, January 13th, Google responded by releasing details of the bug days before the so-called 90-day agreement date.
Microsoft said in a statement on its blog, “The decision feels less like principles and more like a ‘gotcha,’ with customers the ones who may suffer as a result.” The lengthy blog post also points out, “What’s right for Google is not always right for customers. We urge Google to make protection of customers our collective primary goal.”
Microsoft had requested that Google withhold details of the security flaw so that customers would become aware of it only after the patch was released, to minimize the public outcry and potential damage that could occur.
While Google may seem like the hero in this instance for proactively reporting the issue, the company has itself come under intense criticism for not fixing a bug in Android 4.3 Jelly Bean that affects nearly one billion users. The bug, which Google said would be fixed only if someone else took the initiative to fix it, is a flaw in WebView, a component used in web page rendering on Android devices. Even more worrisome, many devices are still being sold with that version of Android on board, which makes the flaw a problem for those looking to crown Google the champion of keeping users safe within its software.