January 21, 2015
Google’s Project Zero posted details of a vulnerability in Windows 8.1 after waiting for Microsoft to respond, to no avail, for 90 days. Once a vulnerability is public knowledge, it can be abused by attackers. Microsoft criticized Google for publicizing the flaw too early, saying the company had put Windows customers at risk.
According to Microsoft, it had specifically asked Google to withhold details of the flaw until January 13, Patch Tuesday, when the fix would be released. Microsoft patched two Windows vulnerabilities that were exposed by Google in MS15-001 and MS15-003.
With adherence to its 90-day policy, Google disclosed two additional vulnerabilities after last week Tuesday’s patches were released. One of them does not appear to be a security issue. The next Patch Tuesday is scheduled for February 10, when presumably the more serious of the two vulnerabilities will be patched.