This story is surprisingly hostile to Google. A 90-day window after which the bug is published is about as responsible as responsible disclosure gets. The headline really rubs me the wrong way, as though Google raced to publish this vulnerability to spite Microsoft.<p>Not talking about the bug doesn't mean it's not there, but talking about it sure makes people aware that they should perhaps take extra precautions until Microsoft patches the bug. The attitude that "you're giving info to the evil hackers and now we're all unsafe!11" is the very essence of the fallacy of security by obscurity - your ignorance of a bug is no guarantee of others' ignorance of it. Pinning blame on Google for putting us all at risk is the exact wrong response; Microsoft is to blame for taking more than three months to fix a critical security bug, which has been there for even longer.<p>This sentiment is very visible in the comment section - the story's suggestion that Google did something wrong here, and the torrent of clueless commenters raging about how evil Google is being, is disheartening, to say the least. I wonder how much of that is a result of the story's tone.
It's more nuanced than the article or the commenters on HN want it to be. If there's a constant communication channel between the companies and there's reason to believe that a patch can't be created in 90 days, sticking to deadlines seems to prioritize the wrong things.<p>On the other hand, if MS wasn't responsive enough and upfront about the time it'd take to patch and the reasons for that, then sure, 90 days seems more than enough leeway for Microsoft. But I don't know how things worked, and I've seen enough to assume that both scenarios are possible.
I think the initial principle of the disclosure policy is good; it is intended to put a bit of pressure on <i>bad</i> vendors to fix their bugs. That said, I don't think we can classify MS as a <i>bad</i> vendor. They fix a lot of critical issues every year, they certainly have their own internal teams working on security issues, they're <i>responsible</i>.<p>Vendors with a quite good track record should be allowed to have some slip-ups. You cannot compare a vendor who doesn't fix anything on time with one that usually fixes issues promptly but occasionally shows a delay on a report. The process should take that into account. I think the binary handling by Google on this one is not very well thought out.
&gt; It is important to note that for a would-be attacker to potentially exploit a system, they would first need to have valid logon credentials and be able to log on locally to a targeted machine.<p>Are Microsoft downplaying this, or is it genuinely quite minor? The article discusses a disgruntled employee, and since all their money comes from Enterprise, presumably "a disgruntled employee can cause major damage" is a pretty huge problem?
Url changed from <a href="http://www.pcworld.com/article/2864312/google-discloses-unpatched-windows-vulnerability.html" rel="nofollow">http://www.pcworld.com/article/2864312/google-discloses-unpa...</a>, which points to this.