Should Google Have Outed Unpatched Windows 8.1 Exploit After Microsoft Failed to Fix It On Time?

Google has disclosed an unpatched vulnerability in the Windows 8.1 operating system through the company's security research website, after Microsoft failed to fix the issue within a window of 90 days, which Google gave to Microsoft.

The disclosure has stirred an intense debate whether the revelation by Google was appropriate, as there are beliefs that Google should instead have chosen to keep the issue in secrecy.

The issue gives low-level users of Windows the ability to gain administrator rights in some instances, with Google adding that it was not yet clear whether other Windows operating systems before Windows 8.1 are similarly affected by the problem.

"Automatically disclosing this vulnerability when a deadline is reached with absolutely zero context strikes me as incredibly irresponsible and I'd have expected a greater degree of care and maturity from a company like Google," said one of the people that posted on the site of Google.

According to the same person, the issue is only "your average" vulnerability for local privilege escalation.

Another person posted that the exposure of the vulnerability has wide-reaching consequences, and that its revelation does not lead to the solution of the problem.

Other people that posted on Google's site, however, praised the company for sticking to the deadline it had previously set since the launch of Project Zero, a team for tracking bugs, last July.

In a statement, Microsoft said that it is currently developing a security patch to the reported problem.

A spokesman for the company wrote in an email that, for the vulnerability to be exploited, an attacker first needs valid login credentials, and that the attacker would have to locally log in to the targeted system.

The spokesman added that customers are encouraged to always update their antivirus software, install security updates once available and keep the firewall in their computers turned on.

A statement by Google defended the company's decision to release the information regarding the vulnerability.

According to Google, the deadline of 90 days for fixing the issue is put into place after years of discussions with industry players and careful consideration.

Google added that as the threats to the industry change, so have the company's disclosure policies on such vulnerabilities.

Google also said that the initial results of Project Zero see most of the bugs reported to have been fixed within the disclosure deadline, as a testament to the commitment of the company's partner vendors in ensuring security.

ⓒ 2024 TECHTIMES.com All rights reserved. Do not reproduce without permission.
Join the Discussion
Real Time Analytics