科技回声 (Tech Echo): a technology news platform built on Next.js, mirroring global tech news and discussion (HackerNews API).
Microsoft hits out at Google team over bug report

97 points, by oinkgrr, over 10 years ago

28 comments
pilif, over 10 years ago

This is crazy. By now the world really knows about Microsoft's second-Tuesday-of-the-month policy for patches. If Google isn't willing to wait the two additional days such that the patch can be deployed within the regular update window, this means that Google effectively gives MS only 60 days to react and fix issues (because once they missed the second patch day, the vulnerability will be disclosed before the third).

MS is a huge company with an immense installed base and they have to be understandably careful with pushing updates. Working with them to disclose the vulnerability on their regular patch day really wouldn't be such a bad thing for either Google or the end users, even more so as we're talking about two days here, and there even was a holiday week in the timespan.

This is about being an ass and I see no advantages for end users.

Even if Microsoft had not responded to Google at all, they could have waited for a full three patch days (again, MS' patch deployment timeline is very much public knowledge by now) before publicly disclosing the issue.
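The effect pilif describes (a fixed 90-day disclosure window colliding with a monthly patch cadence) can be worked out with a few lines of date arithmetic. The following is an added example, not part of the thread and not tooling from either company; it assumes the patch day is the second Tuesday of the month, as the comment says, and uses a report date of 2014-10-13, which is simply 90 days before the 11 January 2015 deadline quoted elsewhere in the thread. It computes which Patch Tuesdays fall inside the window, how many days the vendor effectively has if it must ship on one of them, and how far the first Patch Tuesday after the deadline overshoots it.

```python
from datetime import date, timedelta

# Added example (not from the thread): how a fixed disclosure window and a
# monthly patch day interact. The last patch day inside the window is the
# one a vendor on a fixed cadence can really use.

TUESDAY = 1  # date.weekday(): Monday == 0, Tuesday == 1


def second_tuesday(year: int, month: int) -> date:
    """Regular Microsoft patch day: the second Tuesday of the month (assumption from the thread)."""
    first = date(year, month, 1)
    days_to_first_tuesday = (TUESDAY - first.weekday()) % 7
    return first + timedelta(days=days_to_first_tuesday + 7)


def _next_month(year: int, month: int) -> tuple[int, int]:
    return (year + 1, 1) if month == 12 else (year, month + 1)


def patch_tuesdays_between(start: date, end: date) -> list[date]:
    """Second Tuesdays t with start < t <= end, in chronological order."""
    found = []
    year, month = start.year, start.month
    while True:
        t = second_tuesday(year, month)
        if t > end:
            return found
        if t > start:
            found.append(t)
        year, month = _next_month(year, month)


def next_patch_tuesday_after(day: date) -> date:
    """First second-Tuesday strictly after `day`."""
    year, month = day.year, day.month
    while True:
        t = second_tuesday(year, month)
        if t > day:
            return t
        year, month = _next_month(year, month)


def disclosure_plan(report_date, window_days: int = 90) -> dict:
    """Summarise the patch-day options inside a fixed disclosure window.

    `report_date` may be a date or an ISO string such as "2014-10-13".
    """
    if isinstance(report_date, str):
        report_date = date.fromisoformat(report_date)
    deadline = report_date + timedelta(days=window_days)
    in_window = patch_tuesdays_between(report_date, deadline)
    following = next_patch_tuesday_after(deadline)
    last_usable = in_window[-1] if in_window else None
    return {
        "deadline": deadline,
        "patch_tuesdays_in_window": in_window,
        "last_usable_patch_tuesday": last_usable,
        # Days the vendor effectively has if it ships only on a patch day.
        "effective_days": (last_usable - report_date).days if last_usable else 0,
        "next_patch_tuesday_after_deadline": following,
        # How far the first post-deadline patch day overshoots the window.
        "days_past_deadline": (following - deadline).days,
    }


if __name__ == "__main__":
    # Report date derived from the thread: 90 days before the 11 Jan 2015 deadline.
    plan = disclosure_plan("2014-10-13")
    for key, value in plan.items():
        print(f"{key}: {value}")
```

Running it shows three Patch Tuesdays inside the window (14 October, 11 November, 9 December), so a vendor that only ships on its regular patch day effectively has 57 days rather than 90, while the first Patch Tuesday after the deadline (13 January) falls two days past it. Both numbers are exactly the gap the thread argues about.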
xxyyzz3d, over 10 years ago

I think there is something to notice about having a hard fixed timeline for everyone. See from the bug:

https://code.google.com/p/google-security-research/issues/detail?id=123

    > Microsoft confirmed that they are on target to provide fixes for these issues in February 2015. They asked if this would cause a problem with the 90 day deadline.
    < Microsoft were informed that the 90 day deadline is fixed for all vendors and bug classes and so cannot be extended. Further they were informed that the 90 day deadline for this issue expires on the 11th Jan 2015.
    > Microsoft confirmed that they anticipate to provide fixes for these issues in January 2015.

So basically Microsoft asked for an extra month, and they said no, which forced them to move quicker and fix it a month earlier. Without picking any side of the debate, you can still see what effect the non-negotiation of the timeline has on getting patches out as soon as possible.
WestCoastJustin, over 10 years ago

TL;DR -- Google found a bug in Windows 8.1. Gave Microsoft the standard 90 days' notice of public release on 11 January. Microsoft wanted to move the release date to Patch Tuesday on 13 January. Google released on their 90-day notice date of 11 January.

Personally, I don't think Google should bend to the internal red tape of other companies. You are going to start maintaining this long list of exceptions based on other people's priorities. There is a published 90-day policy, they gave 90 days' notice, figure it out. There are also details missing about the communication between Google and Microsoft, like when they asked for an extension, etc.
jnbiche, over 10 years ago

Look, I've been really happy with a lot of the stuff Microsoft has been doing recently, particularly in open source. But this is ridiculous. They had plenty of notice that Microsoft's standard 90-day (90 day!) policy applied, and that no exceptions were going to be made.

I applaud Google for not bending on their 90-day deadline (assuming they do hold all companies to that, and it appears they do). Maybe this incident will help encourage some companies that might otherwise be lax when confronted with a bug to hurry up. There's no telling who else knew about this bug and was actively exploiting it (probably lots of people).
forgottenpass, over 10 years ago

"Microsoft's senior director of research Chris Betz said in a blog post.", "Several security researchers", "wrote one developer", "But another said"

So is this what the disclosure issue is going to look like when packaged up for the masses? No historical context on how the ongoing disagreements are the latest in decades of ongoing discussion? Or any mention of the events that shaped the popular ideas today? Just a sour blog post and some bland quotes of agreement and disagreement from an internet so large you can always find quotes for the positions you want to portray. We're so fucked.

Edit: And apparently it worked on us too. Of course external messaging is going to paint the other guy as the unreasonable one.
andyrj, over 10 years ago

Google expended their resources to find a flaw in an MS product, in which MS was treated as any other vendor. If MS requires the ability to dictate the time allotted to fix their own mistakes, and is unwilling to change its own internal priorities for the sake of its own user base, then perhaps they should have found and fixed this prior to Google needing to point it out for them? I am amazed at the blind hatred for Google on this when MS has had a less than spectacular performance with its patches in the last year. Did all the MS fanbois forget about the BSODs just a few months back from MS's own "flawless", as you all seem to believe, patch schedule? (MS14-045 and MS13-036) If this deadline, self-imposed by MS, is so greatly beneficial to MS patching, why didn't the magic of Patch Tuesday prevent those incidents?
LukeB_UK, over 10 years ago

Everyone is saying that Google should have waited for Microsoft's patch day, but why should Google bend their standard procedure to fit Microsoft? If it really meant that much to Microsoft, they could have released a patch earlier.

They knew they had 90 days and decided to ignore it.
sgdread, over 10 years ago

You think that 2 days is nothing, but look at this from another perspective: the first time MS asks for 2 days (BTW, as others pointed out, initially MS said it's not going to be fixed until Feb), next time they ask for a week: last time you gave us 92 days, couldn't you wait for another 3 days? And then it goes, and goes. Then another company asks for a week. If Google refuses, there will be unfair treatment and it might cause bad press (much worse than this one). So although it looked like a dick move, I fully support Google's actions. If you compromise on policy once, you're done. So 90 days is 90 days, no matter what. I think it was a lesson to MS: take this policy with respect and avoid this in the future. I'm a software developer and I know how difficult it is to fix big systems like Windows (the bureaucracy must be crazy there), but the only way to challenge broken processes is to put pressure on them, otherwise they will never change.
valevk, over 10 years ago

This is the issue: https://code.google.com/p/google-security-research/issues/detail?id=123
fixermark, over 10 years ago

Turning the question on its ear a bit:

Even given that Windows 8.1 is a large and complicated machine, what was it about this particular bug that required basically all of Q4 for MS to patch it?

It's one bug.

I have a sinking suspicion that MS simply didn't consider it a priority, even after responsible disclosure to them, which is why it's good that Google's public disclosure policy is a hard-limit 90 days. Too many companies, when given the option to choose their own priority tree over the priority tree enforced by security needs, will choose the former.
jorgecastillo, over 10 years ago

It seems reasonable for Google to release the details of the bug. If they make an exception for one company they'd have to start making exceptions for all companies. Microsoft is at fault here for not fixing this on time.
shogun21, over 10 years ago

Isn't this all MS's fault for having a security flaw in their system?

If the Project Zero programmers were independent or malicious, they could have sold this information or released it without giving the 90-day window.

Seems like Google is trying to do the right thing by alerting others to these flaws and holding a fast deadline to fix them.
tptacek, over 10 years ago

Graham Cluley isn't a vulnerability researcher; he's a blogger and former antivirus author. Old school antivirus people are like the opposite of vulnerability researchers.
jrockway, over 10 years ago

I'm looking forward to the "Scroogled" ads and merchandise highlighting this issue.
doe88, over 10 years ago

If I were MS I wouldn't complain about this issue and instead I would just take the bait and put an internal team on finding bugs exclusively in Google products, like for instance Android [1], declare an arbitrary short disclosure policy [2], and then release these bugs when time is up.

[1] https://news.ycombinator.com/item?id=8874339

[2] https://nakedsecurity.sophos.com/2010/06/15/tavis-ormandy-pleased-website-exploits-microsoft-zeroday/
chappi42, over 10 years ago

> Then again what does Google care, they don't use or support anything Microsoft, so it doesn't affect them

What does Google care? I get the impression they care about not much else than ads and HUGE NUMBERS of users.
bagacrap, over 10 years ago

The linked bug shows that it was discovered Sep 30 and revealed publicly on Dec 30. Thus MS missed the deadline by two weeks, not two days. I agree there should be some flexibility, but where do you draw the line?
mark_l_watson, over 10 years ago

What? Microsoft asked for 2 extra days and Google refused? Seems like an asshole move.

I am in general a huge Google fan, but in using Google services I realize that I am not much of a customer (I purchase extra storage and buy stuff on the Play Store); advertisers are the customers.

Microsoft on the other hand gets its money from computer users and it seems like they have a much more customer-focused mentality.
Beltiras, over 10 years ago

2 days' leeway is not uncalled for. Bad form, Google.
realcul, over 10 years ago

Google, please fix your issues [1] before you leak zero-day issues about your competitor...

[1] http://www.zdnet.com/article/google-stops-providing-patches-for-pre-kitkat-webview-abandons-930m-users/
dogpa, over 10 years ago

Microsoft has been shipping steaming crapola for decades. Their unwieldy and unmaintainable codebase is their own fault. This should not be news to anyone who is unfortunate enough to have to use their awful products.

They sought to dominate the market by means other than having the best talent and shipping the best software. It worked, but now they have a problem.

And who can forget this? http://blog.zorinaq.com/?e=74 Developers developers developers.

Any vulns I find will not be dealt with in such a charitable manner (i.e. you have exactly zero days to fix your shit).

Why on Earth are Google wasting their own resources doing Microsoft's work for them?

Tiny, tiny violins, Microsoft. Tiny, tiny violins.
divs1210, over 10 years ago

Microsoft will be celebrating a lot of Merge Days [1].

[1]: http://thedailywtf.com/articles/Happy_Merge_Day
outside1234, over 10 years ago

"Do no evil"

Unless it hurts a competitor and is bad for their customers.
wnevets, over 10 years ago

Hasn't Microsoft released "out of band" patches before? Why is this one so special?
franzwong, over 10 years ago

How about Google sponsoring Microsoft with human and financial support to fix the bugs, if they really care about that?
presootto, over 10 years ago

Google is just a bunch of hypocrites. Do you remember what happened when their new ReCaptcha was reverse engineered?

Let me remind you: https://news.ycombinator.com/item?id=8728336

Disclaimer: I work for TAGA (The Arrogant Google Assholes)
k-mcgrady, over 10 years ago

*Repost of my comment from another post on this subject [1]

>> "Google's Project Zero seeks to find bugs in popular software and then give the manufacturers responsible 90 days to fix the problem."

Seems reasonable.

>> "On 11 January, Google publicised the flaw. Microsoft said it had requested that Google wait until it released a patch on 13 January."

Dick move. Sorry, I can't think of any other way to describe it. They may have waited until the last minute (or maybe they really did have to rewrite a tonne of code) but that's no excuse for putting users at risk when you can wait two days. Seems more like a marketing tactic than a desire for faster security patches.

[1] https://news.ycombinator.com/item?id=8873704
droopybuns, over 10 years ago

A few observations:

Google headcount: ~49k. MS headcount: ~130k.

There is going to be a huge difference in speed based on size alone, but MS also has a much greater commitment to regression testing than Google ever has.

Google has embraced an engineering culture where the security team can contribute fixes directly to their own projects. I imagine this creates an unreasonable prejudice culture about how easy it is to implement fixes without concern for regression issues. You can see examples of this in recent e.o.y. will-not-fix bug closures in AOSP. Those savants are going to set the usability vs security debate back a decade by marking all HTTP connections as insecure.

Finally, don't forget that Eric Schmidt agreed to a recruiting cease fire. For all of their pride and arrogance, those Google security engineers are never going to escape the fact that they have compromised their own potential maximum value so they can sneer at other companies' cultures.

Toxic and stupid.