In the past month, Google has publicly shared a series of unpatched vulnerabilities in Microsoft's code, an action that Microsoft has expressed its displeasure about. One of these issues involves a Windows security hole that could allow hackers to gain control of PCs.
Why has Google shared this information? Because the search giant has a 90-day policy that gives developers that long to fix any vulnerability after it has been reported, something that has been in place for a number of years under the banner of Project Zero. Google's stance has always been strict on the matter of its deadline: a team of researchers identifies a flaw and notifies the company involved, giving them the opportunity to fix the problem. If they don't, Google shares this information online. Case in point, Microsoft.
Google probably rationalises its actions by hoping to minimise the impact of a security vulnerability that might affect hundreds of thousands of users in the long run. It is therefore understandable why Google is trying to quickly close a vulnerability window by disclosing vulnerabilities in Microsoft's code. However, it should also consider both the moral and security consequences of going public with any vulnerability that may have a global impact.
Microsoft has also been known to work with security vendors in sharing known vulnerabilities and seeking support in plugging them; however, that was not the case this time around. This issue seems to have been more one of timing, rather than of not having the manpower to produce a patch within the allocated timeframe.
The hacker perspective: Taking advantage of flaws
The main problem is that hackers can benefit when Google exposes certain vulnerabilities. The cybercriminal community is actively engaged in searching for unpatched flaws, so publicly coming out and stating that something is vulnerable will definitely make their lives easier. Furthermore, when Google discloses security issues, detailed information is provided, essentially giving the hackers a map to the treasure chest. Then, of course, if the issue is not patched, hackers can make use of a specific flaw for as long as it remains that way.
In this instance, whether or not this disclosure represents a form of rivalry between Microsoft and Google is unknown, but that doesn't change the fact that everyone is expected to abide by Google's 90-day deadline. It's safe to assume that in light of these three new vulnerabilities, Microsoft will start releasing patches in tighter iterations. If not, they might risk not only their reputation, but also the safety of all Windows users worldwide.
The user's perspective: What's the risk?
Whether Windows users are in danger depends on the severity of a specific vulnerability. If a critical vulnerability remains unpatched for an undefined period of time, it's more than likely that malicious code will be written to take advantage of the security flaw. However, it's not always easy to plug a serious Windows vulnerability, and sometimes it may take more than 90 days to do so. Often, fixing a critical vulnerability by a certain deadline may be unrealistic, especially if you have a number of patches queued for release - and let's face it, new Windows security vulnerabilities pop up every day.
Microsoft has always been one for "coordinated vulnerability disclosure", especially since millions of users might be affected by a critical flaw. It probably wouldn't hurt if Google's Project Zero were to be a bit more flexible, especially in extraordinary conditions.
To protect themselves, users are left with few options, depending on the nature of the vulnerability and what it affects. The most obvious is to stop using the affected application or software altogether and substitute it with something that offers similar functionality until a patch has been issued, as well as ensuring that a suitable security solution is in place.