
Should Google Announce Vulnerabilities Before They Have Been Patched?

Tina Sieber 20-01-2015

Google is unstoppable. Within less than three weeks, Google revealed a total of four zero day vulnerabilities affecting Windows, two of them just days before Microsoft was ready to release a patch. Microsoft was not amused and judging by Google’s reaction, more such cases are likely to follow.


Is this Google’s way of teaching their competition to be more efficient? And what about the users? Is Google’s strict adherence to arbitrary deadlines in our best interest?

Why Is Google Reporting Windows Vulnerabilities?

Project Zero, a team of Google security analysts, has been researching zero-day exploits since 2014. The project was founded after a part-time research group had identified several software bugs, including the critical Heartbleed vulnerability.

In their Project Zero announcement, Google stressed that their top priority was to make their own products secure. Since Google isn’t operating in a vacuum, their research extends to any software their customers are using.

So far, the team has identified over 200 bugs in various products, including Adobe Reader, Flash, OS X, Linux, and Windows. Each vulnerability is reported to the software vendor only and receives a 90-day grace period, after which it is made public via the Google Security Research forum.

This bug is subject to a 90 day disclosure deadline. If 90 days elapse without a broadly available patch, then the bug report will automatically become visible to the public.

That’s what happened to Microsoft. Four times. The first Windows vulnerability (issue #118) was identified on September 30, 2014 and was subsequently published on December 29, 2014. On January 11, just days before Microsoft was ready to push out a fix via Patch Tuesday, the second vulnerability (issue #123) was made public, launching a debate about whether Google couldn’t have waited. Only days later, two more vulnerabilities (issue #128 & issue #138) appeared on the public database, escalating the situation further.
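The conflict described above is, at bottom, date arithmetic: a fixed 90-day clock running against a vendor release train that only leaves on the second Tuesday of each month. The following is an added example (not from the article, Google, or Microsoft) that computes both and lines them up for the dates the article gives; the 13 October 2014 report date for issue #123 is an assumption derived here from the 11 January 2015 deadline quoted later in the article, not a date the page states.

```python
from datetime import date, timedelta

# Project Zero's fixed window, as described in the article (a local constant, not a Google API).
DISCLOSURE_WINDOW_DAYS = 90


def disclosure_deadline(reported: date, window_days: int = DISCLOSURE_WINDOW_DAYS) -> date:
    """Day the report goes public if no broadly available patch exists by then."""
    return reported + timedelta(days=window_days)


def patch_tuesday(year: int, month: int) -> date:
    """Second Tuesday of a month: Microsoft's regular monthly update day."""
    first = date(year, month, 1)
    # date.weekday(): Monday == 0, so Tuesday == 1
    first_tuesday = first + timedelta(days=(1 - first.weekday()) % 7)
    return first_tuesday + timedelta(days=7)


def next_patch_tuesday(after: date) -> date:
    """First Patch Tuesday strictly after `after`."""
    year, month = after.year, after.month
    while True:
        candidate = patch_tuesday(year, month)
        if candidate > after:
            return candidate
        year, month = (year + 1, 1) if month == 12 else (year, month + 1)


def last_patch_tuesday_on_or_before(day: date) -> date:
    """Most recent Patch Tuesday on or before `day`."""
    year, month = day.year, day.month
    while True:
        candidate = patch_tuesday(year, month)
        if candidate <= day:
            return candidate
        year, month = (year - 1, 12) if month == 1 else (year, month - 1)


def assess(reported: date, window_days: int = DISCLOSURE_WINDOW_DAYS) -> dict:
    """Line a disclosure deadline up against the vendor's monthly release cadence."""
    deadline = disclosure_deadline(reported, window_days)
    last_chance = last_patch_tuesday_on_or_before(deadline)
    fallback = next_patch_tuesday(deadline)
    return {
        "deadline": deadline,
        # Last monthly release that can still ship before the report goes public.
        "last_chance": last_chance,
        # Days the vendor really has if the fix must ride the monthly train.
        "effective_window_days": (last_chance - reported).days,
        # Release the fix lands on if it misses that train, and the exposure that causes.
        "fallback_release": fallback,
        "days_public_before_fix": (fallback - deadline).days,
    }


if __name__ == "__main__":
    # Issue #118's report date is from the article; issue #123's is derived from its deadline.
    for label, reported in (("#118", date(2014, 9, 30)), ("#123", date(2014, 10, 13))):
        print(label, assess(reported))
```

For issue #123 the numbers show why both sides felt squeezed: the only release that could beat the deadline was 9 December 2014, leaving 57 effective days rather than 90, and missing it meant two days in the open before the 13 January fix.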

What Happened Behind The Scenes?

The first issue (#118) was a critical privilege escalation vulnerability, shown to affect Windows 8.1. According to The Hacker News, it “could allow a hacker to modify contents or even to take over victims’ computers completely, leaving millions of users vulnerable“. Google didn’t reveal any communication with Microsoft regarding this issue.

For the second issue (#123), Microsoft asked for an extension, and when Google denied it, they made efforts to release the patch a month earlier. These were James Forshaw’s comments:

Microsoft confirmed that they are on target to provide fixes for these issues in February 2015. They asked if this would cause a problem with the 90 day deadline. Microsoft were informed that the 90 day deadline is fixed for all vendors and bug classes and so cannot be extended. Further they were informed that the 90 day deadline for this issue expires on the 11th Jan 2015.

Microsoft released patches for both issues with Update Tuesday in January.


With the third issue (#128), Microsoft had to delay a patch due to compatibility issues.

Microsoft informed us that a fix was planned for the January patches but has to be pulled due to compatibility issues. Therefore the fix is now expected in the February patches.

Even though Microsoft informed Google that they were working on the issue but facing difficulties, Google went ahead and published the vulnerability. No negotiation, no mercy.

For the last issue (#138), Microsoft decided not to fix it. James Forshaw added the following comment:

Microsoft have concluded that the issue does not meet the bar of a security bulletin. They state that it would require too much control from the part of the attacker and they do not consider group policy settings as a security feature.

Is Google’s Behavior Acceptable?

Microsoft doesn’t think so. In a thorough response, Chris Betz, Senior Director of the Microsoft Security Research Center, calls for better coordinated vulnerability disclosure. He emphasizes that Microsoft believes in Coordinated Vulnerability Disclosure (CVD), a practice in which researchers and companies collaborate on vulnerabilities to minimize risk for customers.


Regarding the recent events, Betz confirms that Microsoft specifically asked Google to work with them and withhold details until fixes were distributed during Patch Tuesday. Google ignored the request.

Although following through keeps to Google’s announced timeline for disclosure, the decision feels less like principles and more like a “gotcha”, with customers the ones who may suffer as a result.

According to Betz, publicly disclosed vulnerabilities experience orchestrated attacks from cyber criminals, something hardly seen when issues are disclosed privately through CVD and patched before the information becomes public. Betz further says that not all vulnerabilities are made equal, meaning the timeline within which an issue gets patched depends on its complexity.

His call for collaboration is loud and clear and his arguments are solid. The reflection that no software is perfect because it’s made by simple humans operating with complex systems is endearing. Betz hits the nail on the head when he says:


What’s right for Google is not always right for customers. We urge Google to make protection of customers our collective primary goal.

The other point of view is that Google has an established policy and doesn’t want to give way to exceptions. This is not the kind of inflexibility you’d expect from an ultra modern company like Google. Moreover, publishing not only the vulnerability, but also the exploit code is irresponsible, given that millions of users could get hit by a concerted attack.

If This Happens Again, What Can You Do To Protect Your System?

No software will ever be safe from zero-day exploits. You can increase your own safety by adopting common-sense security hygiene. This is what Microsoft recommends:

We encourage customers to keep their anti-virus software up to date, install all available Security Updates and enable the firewall on their computer.

Our Verdict: Google Should Have Cooperated With Microsoft

Google stuck to its arbitrary deadline, rather than being flexible and acting in the best interest of their users. They could have extended the grace period for revealing the vulnerabilities, especially after Microsoft communicated that patches were (almost) ready. If Google’s noble aim is to make the Internet safer, they must be ready to cooperate with other companies.

Meanwhile, Microsoft could possibly have thrown more resources at developing patches. 90 days is regarded as a sufficient time frame by some. Due to pressure from Google, they did in fact push one patch out one month earlier than estimated initially. It almost looks like they didn’t prioritize the issue highly enough originally.

Generally, if the software vendor signals that they’re working on the issue, researchers like Google’s Project Zero team should cooperate and extend grace periods. Keeping a soon-to-be-patched vulnerability secret appears to be safer than attracting the attention of hackers. Shouldn’t customer safety be any company’s top priority?

What do you think? What would have been a better solution or did Google do the right thing after all?

Image Credits: Wizard Via Shutterstock, Hacked by wk1003mike via Shutterstock, Red Rope by Mega Pixel via Shutterstock


  1. robh
    January 24, 2015 at 12:57 pm

    It feels strange for me to condemn Google and praise Microsoft.

    Google know MS's release schedule, MS know Google's 90 day bug announcement deadline and asked Google to delay the announcement. Why should Google disregard that request?

    The questions we should ask are "who benefits from Google delaying the announcement?" and "who benefits from Google announcing the bug before a fix has been released?"
    The first answer is "every Windows user on the planet" and the second: "hackers wishing to compromise our computers".

    So why do Google do it? A number of reasons. A misguided attempt to make themselves look like the good guys: "Look we're telling everyone about security problems others wish kept secret". To try to position themselves as "the internet authorities", answerable to nobody but themselves. To "score points" over Microsoft.

    It could be argued that if Google announce an un-patched vulnerability we can do something to protect ourselves - but how many Windows users would get the alert and of those how many would know what action to take?

    Yes I hear the argument from Google that "90 days is long enough" but just who appointed them the "internet police"?

    Then there is the question of whether 90 days is enough. It's easy for non-programmers to say yes, even some programmers may agree but we are talking about a massive and complex system with a 30 year history. I'd like to think Windows no longer contains any code from 1985 but I remember a mainframe system I worked on where the instruction was "don't touch [a specific very old module]: nobody understands it but it works". Any experienced programmer will tell you how a minor change can sometimes have unexpected consequences and any change to a system with over a billion users should be followed by a thorough system test. Microsoft handle that by batching up the changes into monthly releases.

    MS will have a cut-off date for changes, I imagine there will be a (monthly?) meeting to assess and prioritise what is to go into the next batch of fixes. Then those changes need coding into a candidate version allowing time for a full system test and time to address any problems the test throws up and so in reality from identification of a security issue to the cut off date may be much less than 90 days. Just missing one of the cut off dates by a day or two means the fix will go into the following month's Patch Tuesday. Rushing the fix merely to placate Google and at the risk of unexpected consequences would benefit nobody.

    Occasionally if a serious vulnerability is being actively exploited MS will do an out-of-band update. That's a responsible approach but for Google to force them to do it for lesser issues, solely for their own commercial benefit is grossly irresponsible.

    Many Windows users don't routinely reboot but either leave the system running (maybe so they can get VPN access when away from base) or use sleep mode rather than full shut-down. That means they can miss getting security patches. Those who understand the consequences ensure they do a monthly full reboot when Patch Tuesday updates are released. Out-of-band updates may be missed so should be limited to highest priority issues. And we all experience the extended boot time after Patch Tuesday, especially those with slow internet connections. I don't want that to become more frequent and less predictable.

    Another aspect is "if Google delay the announcement a few days on request, then might MS not use the same argument to request longer and longer extensions". Possibly but... The vulnerabilities are circulated within the security industry and the risk of disclosure outside that increases with the passing of time and so MS are under pressure to fix as soon as practicable. Then there is the nature of the vulnerability, some are purely hypothetical, the circumstances in which they expose users to risk are so obscure that a focus on them "in order to beat Google's deadline" may be at the cost of assigning lower priority to more significant issues. Another factor is again down to the wider security industry - any sensible PC user will use a commercial security suite and those too will implement functionality to protect users from the risks exposed by some operating system vulnerabilities.
    By the way, I have read that Apple makes MS look good by comparison, the suspicion being that Apple's policy may be not to patch vulnerabilities until there is evidence that they are being exploited.

    • Tina
      January 24, 2015 at 2:34 pm

      Thank you for the thoughtful comment, Rob. I have nothing to add, just wanted to acknowledge the effort that went into sharing your thoughts.

  2. A41202813GMAIL
    January 22, 2015 at 2:53 pm

    Maybe Next Time M$ Will Not Be In A Hurry To Fire So Many Employees In 1 Go.

    This Is A Multiple Way Street.

    M$ Will Do The Same To GOOGLE.

    If The Big Sharks Can Not Keep Themselves Honest, No One Will.

    Advantage Consumer, Period.

  3. R A Myers
    January 21, 2015 at 6:21 pm

    Dear Ms. Sieber,

    From the blustering and denying Microsoft did, they had something (procrastination or not caring?) to hide.

    Microsoft's remarks about the second vulnerability, we'll get around to it when we get around to it, demonstrates their uncaring attitude.

    Microsoft cares about Microsoft. Yes, Google cares about itself also. Taking care of their customers is part of Google's taking care of itself plan, apparently not Microsoft's. I'd bet Microsoft is not the only software source Google has notified about a vulnerability.

    Ninety days is plenty of time to either fix or notify customers of a vulnerability. The bad guys probably spread the word on the dark net already.

  4. Bruce E
    January 21, 2015 at 3:11 am

    So should Google start catering to the whims of the vendors regarding the release of vulnerabilities? What if Microsoft wants a 2 week extension instead of 2 days? How about 2 months? If they do that, what if Adobe wants a 1 month extension for a Flash flaw? How about when Oracle demands they push the release back for 6 weeks?

    Once Google starts letting one vendor have their way, the rest will soon follow and that is not in the best interest of the consumer. After all, when public disclosure was not the norm, Microsoft was really good at letting vulnerabilities go unpatched for months and, in some cases, YEARS. Public shaming was the ONLY means to get them to take security seriously.

    The entire Update Tuesday (had to change the name from Patch Tuesday to make it seem more innocuous) idea is bad too, but it looks like that was instituted to deal with the customer complaints that Windows needs to be rebooted after almost every patch. So, instead of getting machines patched as soon as possible and closing the window of opportunity for hackers earlier, Microsoft holds the patches for the second Tuesday of the month. Even though a patch is available to fix a security issue, users may not get it for WEEKS. That is time that the bad guys can use to their advantage.

    All in all, Google made the right choice.

  5. groudie
    January 21, 2015 at 1:57 am

    Let me remind some of you that Microsoft purposely left exploits/backdoors open and unpatched, then alerted the NSA about it so they could do whatever they wanted to do, without end users' permission. IMO 90 days is way too much time for them. Way too much. A multi billion dollar company that made its fortune by selling software to the masses should have enough resources and man power to patch-up in hours or days (some weeks for the most). Open source OSes and programs get their stuff patched much, much sooner than 90 days after finding out about an exploit. Microsoft has no excuse.

  6. dragonmouth
    January 21, 2015 at 12:22 am

    Microsoft has a history (and a nasty habit) of dragging their feet on security fixes. More often than not they do not act until their feet are held to the fire. Google is holding Microsoft's feet to the fire and they are one of the few companies that have the clout to do it.

    What is this BS with Patch Tuesday?! Why does Microsoft hold security fixes for an arbitrary day? Security patches need to be applied RFN, if not sooner. Linux, Microsoft's favorite whipping boy, never holds security patches for a convenient, arbitrary day. Linux security patches are released to the public as soon as the developers are done with them.

    90 days is an adequate amount of time to fix a patch. If the problem cannot be fixed in 90 days, then it is a major problem, not just a minor vulnerability.

    It is naive to think that cyber criminals will only find out about any exploits through a public announcement by Google or anybody else. If Google research staff can find the bug, cyber criminals can certainly find it also, maybe even faster than Google.

    Instead of protecting their users and customers from harm, Microsoft is trying to protect its reputation.

  7. Doc
    January 20, 2015 at 11:45 pm

    "...shown to affect Widows 8.1." What's that, sonny? You can't spell? Whoops...

    I agree, for the most part: Google should not announce vulnerabilities publicly if Microsoft has pledged to patch them in a timely fashion. On the other hand, Microsoft has often been lax in patching vulnerabilities, and other researchers (especially antivirus and antimalware companies) should be notified as well, in case they can protect systems.

    • R A Myers
      January 21, 2015 at 6:25 pm

      Notifying the reputable anti virus companies is an excellent idea I'd not thought of. Thanks Doc!

  8. Victor
    January 20, 2015 at 10:30 pm

    I think that Google and Microsoft SHOULD work together, but that Microsoft needs to either show that they have been seriously working on patches or really speed up development of the patches. Though to me, it does seem unreasonable not to extend the deadline for a bit. Maybe Google can release the information in a way that doesn't completely compromise users?

  9. jerocis
    January 20, 2015 at 5:49 pm

    Google have obviously lost sight of their motto, "Don't be evil". Sad when it becomes necessary for a person or organization to make others look bad in order to make themselves feel good.

    • dragonmouth
      January 21, 2015 at 12:28 am

      What about the "evil" M$ is exposing its customers to?! It's a sad day when a corporation, rather than protecting its customers, protects its own reputation.

  10. Scutterman
    January 20, 2015 at 5:33 pm

    Microsoft are historically very slow to start working on patches, even for very serious issues. I think that Google have no option except to be inflexible and to stick to their deadlines. Perhaps Microsoft will be a bit quicker to fix the next issue now that they know there isn't another option.

  11. Remi Morin
    January 20, 2015 at 4:58 pm

    Microsoft have a long history of delivering bugged stuff and letting the end user find bugs while using the software. This is more manageable on the surface than it was in the Windows '95 era but still, in the deep (network management, software development etc.) this is still there.
    The hard line Google is using makes sense since the culture of delivering flawed software is bad for security and internet development. Look at contests. Internet Explorer is exploited every year. When Chrome got hacked the fix was available the next day.
    By the way, did you read any of the full Microsoft end user agreement? They don't guarantee any quality in their software, not that it works well and not that it is working at all! There are critical systems running with Windows (government computers, some technologies have Windows embedded in them). Not being engaged in the quality of the product is a risk to all of us.
    Short term security (extend grace period) comes at the cost of greater risk (the culture of flawed software). And by the way, we can (via firewall, or by stopping using the flawed technology) avoid an unfixed security flaw. We can't avoid unfixed security flaws we don't know about.

  12. Mike Merritt
    January 20, 2015 at 4:47 pm

    If Microsoft can't fix a problem in 90 days - they should assign more resources to it. After all, they didn't have to do any work to find the problem - Google already did that.
    The complaint that it'll only be a few more days sounds like Microsoft is trying to stick to their own rigid Patch Tuesday schedule. So I ask, why do they keep a "service" running on my computer all the time checking for out-of-band updates? You can't have it both ways.
    Good on Google - fix it in 90 days or the world will find out that you're not trying hard enough.

  13. Burt P
    January 20, 2015 at 4:14 pm

    Google just wants to maintain animosity. What happens when the "shoe is on the other foot"? Will they want, or expect the same treatment from their competitors? They also have an operating system and applications, or have they forgotten that?
    Does their behavior benefit computer users (their market) or their own agenda?

    • Mike Merritt
      January 20, 2015 at 4:53 pm

      Don't forget that Google PAYS people to report bugs in their O/S and apps. Obviously they are serious about finding and fixing problems.

    • Tina Sieber
      February 16, 2015 at 9:17 pm

      It's curious, though, that Google won't fix some known issues in Android. When you're pointing the finger, you should be prepared to lead by example.

  14. Deason Hunt
    January 20, 2015 at 3:56 pm

    I agree. Flexibility on Google's part, if there is not a history of taking advantage of that flexibility by the company in question, would better serve the community and its users.