No one ever wants to hear bad news, but Google has made a company policy out of it. At least that’s the explanation it has offered as to why the company releases bad news to the public, even when it isn’t their bad news to share.
Backing up, Google's disclosure policy normally gives a vendor 90 days to fix a reported flaw before Google publishes details, but that window shrinks to seven days when the flaw is already being exploited in the wild. When Google's researchers discover such a vulnerability, they inform the company whose product contains it, and that company then has seven days before the details go public. That is obviously problematic for a lot of tech companies, and for a lot of different reasons, but Google stands by its "the public needs to know" decision.
When Google discovered a zero-day vulnerability in Windows that was under active attack and shared the news with the public yesterday, Microsoft was obviously not pleased. Issuing a patch for an entire operating system is no small feat. Microsoft's spokesperson expressed disappointment in Google's policy and announcement, stating that it is far better to release news of this kind when the fix is already available.
This is one of those "both sides of the argument" issues. Google's policy is meant not only to inform the public so they don't continue to blithely rely on a flawed product, but could also be Google's way of holding other vendors' feet to the fire, both in issuing patches quickly and in preventing such flaws in the first place. For its part, Microsoft bemoans the fact that alerting the public to such a vulnerability before the patch is available could open the door to even more attackers exploiting it and causing further harm, even though in this case the seven-day clock only applied because the flaw was already being exploited.
In this particular instance, the Windows flaw was being used in combination with an Adobe Flash vulnerability, as described in a report by VentureBeat. With the Flash patch already issued, Microsoft says the Windows vulnerability is at least "mitigated," despite there being no Windows patch as of yet, since the attack chain depends on the Flash flaw to get a foothold. Users are advised to install the latest version of Flash until the Windows patch is ready.