On October 21, 2016, Google notified Microsoft and Adobe of a new vulnerability in Adobe Flash and Microsoft’s operating systems, including Windows 10. By exploiting the vulnerability, an attacker can achieve a privilege escalation, which means that he’ll have more rights to use the system (perhaps to create or delete accounts, for example) than he should have. Obviously, that can be a dangerous thing.
The vulnerability comes about by trying to reference the memory locations that store a so-called child window. A child window is just a form, for example, that resides inside of another window that houses the main menu, such as one of the tabs in your web browser. Adobe patched the flaw in its Flash product on October 26, but Microsoft, which had the much more difficult task of fixing the problem across an operating system, announced today that it won’t be patching the flaw until November 8, about a week from now. A week is an awfully long time for a flaw to exist, so this is not good news for Windows users.
The dynamics between tech giants Microsoft and Google play like a good drama. Google has a policy of reporting the exploits and vulnerabilities it finds to affected software manufacturers immediately and giving them a week to fix the flaws before going public with what they have found. It would be irresponsible and dangerous for Google not to go first to the software vendors, since reporting the problem straight to the public makes an unknown problem visible to many before the developers have had a chance to try to fix it. The week grace period is more than a courtesy; it’s good practice. Hackers have gotten in trouble in the past for going public with a vulnerability instead of letting the developer know first, and sometimes even then they have wound up on the wrong side of the law. In this case, Adobe was able to patch the flaw in time, but Microsoft still had not. When Google went public with the problem, Microsoft announced their November 8th timeline and expressed their displeasure with Google, adding that the vulnerability was not as serious as Google claimed.
Did Google know that Microsoft was still working on fixing the flaw and had a timeline for releasing its remedy? Should Google have given Microsoft preferential treatment and not stuck to its week-long grace period because Windows is ubiquitous, and so revealing the problem before it has been fixed would create an immense attack surface? Did Google overstate the problem as Microsoft contends, or is Microsoft simply covering itself by downplaying the severity of the problem? Do the two companies stand to gain the upper hand by pointing out the flaws in each other’s products, or are they doing this simply in the spirit of preserving what little shreds of safety the Internet can offer?
We certainly can’t answer these questions, but it is interesting to consider how marketplace dynamics can and often do affect cyber security, for better or for worse. Remember that silly Apple marketing claim that Mac’s don’t get viruses? There are still people who believe that, much to their peril. Marketing and corporate chess play can keep companies on their toes, but they can also mislead and endanger the web-surfing public.