Last week I mentioned that Google’s Project Zero released information about a bug in Windows 8.1. Google are not resting on their laurels: two days ago they released information on another Windows 8.1 bug. This latest release by Project Zero describes a user privilege escalation flaw in the User Profile Service of Windows 8.1, and you can find more information here.
Chris Betz, Microsoft’s senior director for trustworthy computing, spoke about Google’s actions in a blog post, saying: “CVD philosophy and action is playing out today as one company – Google – has released information about a vulnerability in a Microsoft product, two days before our planned fix on our well known and coordinated Patch Tuesday cadence, despite our request that they avoid doing so. Specifically, we asked Google to work with us to protect customers by withholding details until Tuesday, January 13, when we will be releasing a fix. Although following through keeps to Google’s announced timeline for disclosure, the decision feels less like principles and more like a “gotcha”, with customers the ones who may suffer as a result. What’s right for Google is not always right for customers. We urge Google to make protection of customers our collective primary goal”.
In another development at Microsoft, last Thursday they abruptly stopped their free Advance Notification Service (ANS), which they used to release on the Thursday before Patch Tuesday. ANS gave advance warning of Patch Tuesday and of what updates would be available. To receive ANS you will now have to become a Premier customer.
Chris Betz stated in another blog post: “Our Advance Notification Service (ANS) was created more than a decade ago as part of Update Tuesday to broadly communicate in advance, about the security updates being released for Microsoft products and services each month. Over the years, technology environments and customer needs have evolved, prompting us to evaluate our existing information and distribution channels… We are making changes to how we distribute ANS to customers. Moving forward, we will provide ANS information directly to Premier customers and current organizations involved in our security programs, and will no longer make this information broadly available through a blog post and web page”.