Written by Philip Magson
Just days before Microsoft patched a troublesome Windows bug, Google decided to publicly disclose details of the threat. While Google defiantly cited established security policy, Microsoft cried foul: with cyber-security protocol becoming increasingly complex territory, should tech firms be working together to protect users?
The bug in question allowed lower-level users within a network to gain administrator access. While its public and media impact might not have been on the level of the recent Sony debacle, a disgruntled employee aware of the vulnerability within a business could have wreaked a good bit of havoc – should they have so desired.
I should point out that it’s normal for tech companies to do what Google did when they find a bug – and a deadline was issued for Microsoft to find a fix, a deadline that was missed by two days. Microsoft argues, on the other hand, that its requests to extend the deadline and keep the bug quiet while a patch was implemented were ignored – and that, as a result, users may have been put at risk.
So, is this the equivalent of Google ‘snitching’ on Microsoft to score points with users? It’s easy to see this from Google’s perspective: users should be made aware of problems with their networks within a reasonable amount of time – after all, that’s what deadlines are for: how could Google be sure Microsoft was working to create a patch? That said, by publicising the exploit just as a fix was being finished, Google put users at risk – however briefly – from malicious actors who would otherwise not have been aware there even was a vulnerability.
When we at Shackleton identify a threat we aim to take action as quickly as possible to protect clients. It goes without saying that there are security precautions available to businesses above and beyond reliance on the sanctity of software – and I wouldn’t advise anyone to wait for disasters to strike before doing anything about them – yet… I can see Microsoft’s point: they promised to develop a fix, they did develop a fix, but for whatever reason, users were still put at risk. Of course, there’s no reason why Microsoft should receive special treatment from Google, but as a user of both companies’ products, what I would like to see is a better standard of communication between companies to resolve issues like this.
In many ways, good communication is crucial to cyber-security: I’ve learned about new threats through the advice of colleagues, industry professionals and dedicated news services, and taken appropriate steps to protect my data. Talking about bugs, viruses and other malicious software isn’t difficult; we manage it with colleagues and clients every day, so why can’t companies like Microsoft and Google do the same? If Google had been determined to stick to their deadline, who knows: maybe opening a line of communication would have allowed Microsoft to reassure its users that a fix was imminent? Conversely, if Microsoft had been more open about its progress in dealing with the threat, Google might have considered staying its hand.
Until tech firms can get their disclosure policies straight, we can expect more turbulence on the horizon. As always, the best policy for your business is to take matters into your own hands and deal with problems before they happen: get your backups in place, use secure servers and software, and make sure your employees protect themselves and their work from threats – so that when one arrives, you’re not relying on others to make the choices for you.