Um…What!?!

Google’s bug-hunting hacker team is infuriating Microsoft and Apple (GOOG, AAPL)

Google is continuing to investigate potential security flaws in its competitors’ software and threatening to publicly disclose these vulnerabilities if they are not patched within 90 days, despite a lukewarm response from targets like Microsoft and Apple, Bloomberg reports.

“Project Zero,” which is made up of an all-star team of security researchers, has been running since July 2014. But the effort has become more of a hot-button issue recently after Google revealed at least two high-profile security bugs in Microsoft’s Windows, prompting an aggravated response from the software giant.

In the most recent instance, in January, Microsoft had actively been working on a patch for a bug in Windows 8.1, and asked Google to hold fast until “Patch Tuesday,” Microsoft’s established date for the roll-out of bug fixes. This gives companies time to test patches before deployment. But Google refused to bend on its standard 90-day deadline.

In response, Microsoft’s security research group director Chris Betz wrote in a blog post that “the decision [by Google] feels less like principle and more like a ‘gotcha,’ with customers the ones who suffer as a result.”

A similar incident, this time with a bug in Windows 8, happened just weeks before the “Patch Tuesday” episode, the Verge reports. “Those who fully disclose a vulnerability before a fix is broadly available are doing a disservice to millions of people and the systems they depend on,” Betz said at the time.

Of course, Project Zero has flagged up vulnerabilities in products other than Microsoft’s. A search of Google’s database shows 43 issues identified in Apple’s software, and 39 in Adobe’s.

Apple remains relatively tight-lipped about Project Zero, but ZDNet has pointed out a statement on the company’s product security page. “For the protection of our customers, Apple does not disclose, discuss or confirm security issues until a full investigation has occurred and any necessary patches or releases are available,” it reads. The inference is that Google’s policy of disclosing after 90 days, whether or not the bug is fixed, is harming customers.

While Project Zero is nominally devoted to upholding best practises in security, it’s easy to understand other companies’ frustrations. Google maintains a public database of all the bugs it discloses, but — as my colleague Julie Bort points out — there’s not a single one on —