Microsoft and Google fight, we all lose

Conflicting policies on how and when to address patches left IT with the possibility of a zero-day attack. The cause of that gap in protection: Microsoft and Google didn’t quite see eye-to-eye on when patches need to be made available.

Per Google’s policy, all vulnerabilities it discovers are made public after 90 days. A Google researcher discovered a flaw in Microsoft’s Windows User Profile service on October 13, 2014, so it was automatically disclosed to the public on January 11, 2015.


The problem: Microsoft runs on a once-monthly patch schedule (its famous “Patch Tuesday“). That fell on January 13, 2015 – two days after the vulnerability was made public, meaning that hackers had full knowledge of the flaw and 48 hours to take advantage of it before Microsoft’s fix was available.

And a separate flaw in Windows Application Compatibility Cache went public 90 days after discovery on December 29 of last year, meaning it was publicized and unpatched for almost two weeks.

These two disclosures created zero-day situations.

Opening the door to attackers

Neither of these flaws were likely to lead to major security incidents. But Google’s practice of disclosing flaws publicly even if they’re not patched is drawing some criticism, especially from Microsoft itself. Some say that 90 days is an arbitrary amount of time – and there’s no reason to keep to it regardless of Microsoft (or any other company’s) patch schedule.

On the other hand, Microsoft’s practice of waiting longer than three months to fix known issues is also drawing heat. Since the researchers informed Microsoft of the problems as soon as they were discovered, they should’ve gotten fixes out sooner, the argument goes.

Presumably, had either of these issues been serious enough, Microsoft would have made it top priority and gotten fixes out sooner. But there’s no guarantee that will be the case. It’s entirely possible some flaw in the future will be complicated enough that it can’t be addressed in a 90-day period. When the automatic deadline runs out, this could lead to a serious zero-day that puts users (and organizations’ systems) at risk.

Rushing fixes before they’re entirely ready could also lead to incomplete testing or unforeseen consequences.

Can Microsoft and Google patch things up?

This is a reminder (as if IT needed one) that security is often subject to the whims of outside companies. When and whether flaws are shared or made public is outside of IT’s control, but it owns all the risks associated with it. Microsoft announced this week that it’ll restrict Advanced Notification System announcements of upcoming patches to its premier customers, which highlights this challenge.

Your best bet isn’t too comforting, but it is important. Make sure you’re up on every patch that comes out whether you use a third-party to manage it or keep it in-house.

As unfair as it may seem, third-party security companies are sometimes given or purchase information on vulnerabilities that aren’t available to the little guys.

If you do take care of this process in-house, be sure to:

  • Establish ownership. Have techs who are responsible for checking for and applying patches for certain programs or vendors. That way there’s less of a chance that one will go unnoticed.
  • Share information. Make sure your team communicates about patches as they come out and are fixed. This helps make sure there’s no complications and makes it easier to keep track of if a tech leaves for a new job or is out of the office.

Make Smarter Tech Decisions

Get the latest IT news, trends, and insights - delivered weekly.

Privacy Policy