Microsoft patches Windows bugs that got under its skin

Fixes two 'patch-or-we-go-public' flaws Google reported, then divulged

[Image: band-aid patch bandage. Credit: Thinkstock]

Microsoft yesterday patched both Windows vulnerabilities that Google had taken public before the fixes were ready.

The disclosures had irked Microsoft, leading to an unusual dust-up where the company specifically called out Google for allegedly putting Windows customers at risk.

As part of an eight-update Patch Tuesday slate yesterday, Microsoft issued fixes for two Windows bugs that Google security engineer James Forshaw had found and reported in 2014. Forshaw works on the Google Project Zero team, which has a policy of automatically revealing technical details of a flaw, and in most cases sample attack code, too, 90 days after reporting the vulnerability if it has not been patched by then.

MS15-001, as Microsoft identified one of the updates, addressed a vulnerability Google reported on Sept. 30, 2014, and automatically disclosed on Dec. 29. Although Forshaw did not test any edition other than Windows 8.1, Microsoft confirmed that the flaw was also present in Windows 7, Windows 8, Windows RT, Windows Server 2008 R2 and Windows Server 2012.

The second Google-reported bug, filed with Microsoft Oct. 13, 2014 and made public on Jan. 11, 2015, was patched Tuesday by MS15-003. Again, Forshaw tested only Windows 8.1, but Microsoft said the vulnerability also affected Windows Vista, Windows 7, Windows RT, and Windows Server 2003 through 2012 R2.

In the two bulletins, Microsoft did not credit Forshaw with uncovering the flaws, but that's standard practice for the company: It typically only gives a hat tip to researchers who refrain from revealing bug information until a patch ships.

Yesterday's Patch Tuesday was the first since Microsoft's sudden decision last week to restrict pre-patch notifications to security partners and enterprises that pay for premium support. Previously, those warnings were available to everyone free of charge. After the eight updates were released, security experts again lambasted the change.

"It is extremely hard to see how this benefits anyone, other than maybe [the person] responsible for support revenue targets for Microsoft," said Ross Barrett, senior manager of security engineering at Rapid7, in an email Tuesday.

"Pulling the Advanced Notification Service is an unfortunate change," chimed in Russ Ernst, director of product management at Lumension. "Even with many organizations making the transition to automate the tactical steps of testing and deploying updates, the lack of notification does impact the ability for CIOs and senior management to strategically plan for the impact of these changes to their environment."

Google's Project Zero bug tracker currently shows three reported-but-not-patched vulnerabilities, all in Apple's OS X operating system. The most recent of the trio was reported to Apple on Aug. 18, 2014, and details went public on Nov. 19.

The three OS X vulnerabilities were logged in the bug tracker by Ian Beer, another Project Zero team member.
