Microsoft and Google have long been rivals, and over the last few years that rivalry has produced repeated disagreements over the disclosure of security vulnerabilities. Google stirred up the dispute again this week by publishing details of a Microsoft Edge security flaw it had reported to Microsoft back in November. The flaw is rated “medium” in severity, and under Google’s policy Microsoft was given 90 days to repair it before the details would be made public.
Google also granted Microsoft a further 14 days so that a fix could ship in its monthly Patch Tuesday release in February, but Microsoft missed that target because “the fix is more complex than initially anticipated.” It remains unclear when Microsoft will have a fix available; according to the Google engineer responsible for reporting the flaw, Microsoft “do not yet have a fixed date set as of yet” because of the complexity of the fix.
The public disclosure will probably annoy Microsoft this time as well. Last October, Microsoft hit back at Google’s approach to security patches after discovering a Chrome flaw and “responsibly” disclosing it to Google, giving the company sufficient time to patch. The central question is whether Google’s policy of disclosing after 90 days without a patch is reasonable. Google has made exceptions to this strict rule and has granted grace periods, although it may disclose a flaw much sooner if the vulnerability is being actively exploited. Google disclosed a serious Windows bug in 2016 after reporting it to Microsoft only about 10 days earlier, and the company has revealed zero-day bugs in Windows long before patches were available.
Two apparent exceptions to Google’s disclosure rules were the recent Meltdown and Spectre bugs. Google engineers discovered the CPU flaws, and Intel, AMD, and others had about 6 months to fix the problem before the faults were revealed publicly this year. Along with Windows, Linux, macOS, and iOS, Chrome OS and Android devices were also affected by the processor defects.
Google wants the industry to adopt its aggressive disclosure policies, although Microsoft has baulked so far. This latest disclosure isn’t as critical as the previous ones, but it may reignite the debate over whether Google should dictate, in the name of the public interest, how security flaws in rival operating systems are disclosed.