Google threatens to make Microsoft’s and Apple’s software vulnerabilities public

“Google Inc. has given fellow tech companies an ultimatum: patch your software vulnerabilities within 90 days or we’ll make them public,” Chris Strohm and Jordan Robertson report for Bloomberg. “An elite team of Google hackers and programmers scrub their own and competitors’ software for security flaws, giving companies a deadline to issue a fix. Google says it wants software makers to move fast because cybercriminals act with lightning speed when they spot bugs.”

“It’s a sensitive topic — rivals Microsoft Corp. and Apple Inc. declined to talk about the tactic — though others in the industry say the help isn’t always welcome, usurps a role best left to government and can jeopardize security,” Strohm and Robertson report. “‘I’m not sure who made Google the official referee of the marketplace for vulnerability notification,’ said John Dickson, a principal with software security company Denim Group Ltd. in San Antonio. He said pressuring companies to fix flaws is a good idea, but ‘what noble motives they had in mind could be called into question given the fact that they essentially outed vulnerabilities for two of their biggest rivals.'”

“Apple declined to comment while Microsoft would only refer to a previous statement in which it said Google’s tactics felt like a game of ‘gotcha,’ illustrating [the divisiveness of the issue],” Strohm and Robertson report. “In January, Apple pleaded with Google to wait about a week before going public so it could fix three flaws in the Mac OS X operating system, according to a person familiar with the request who wasn’t authorized to speak publicly. Google knew the fix was coming and had possession of the updated software because it serves as a developer for Apple, the person said. Regardless, Google refused and released details of the flaws.”

Read more in the full article here.

MacDailyNews Take: People who wear Google Glasses shouldn’t throw stones.

60 Comments

      1. Peter, Aspergers syndrome is not to blame, not more than stupidity or blindness. Not more than we can accuse diabetes patients as naming them as diabetics who commit some crime or act stupid or something. We don’t need any diagnosis for that. They are instead just stupid…. or work at Google. Aspergers or not. Aspergers can and are actually one of our finest, like Abraham Lincoln, Steven Spielberg and most likely Steven Jobs and also many of the worlds best writers, painters, artists, politicians, doctors etc etc. Some of the traits as Aspergers symptoms have we have most of us, though without having any diagnosis.

        But if you mean jealousy, revenge, obsessive compulsive disorder, insensitivity, lack of empathy, narcissism, lack of empathy or just pure evil, then we are talking Google ;-).. and you don’t have to Google it!
        But, most likely thera are many Aspergers that work at Google as in Silicon Valley. One of my friends once said that all we needed to to do is to put a roof over Silicon Valley and then we had an institution for Aspergers, with a roof on it! hmmm something to think about, doesn’t it or not?

        1. I wasn’t making fun of those with Asberger’s (though what I hear from a good friend of mine who son has it is they don’t use the term anymore) but just the “clumsy and socially awkward” aspects of Google.

          I also have a granddaughter (my wife and I adopted) who has learning disabilities and was born with a very slight Cerebral Palsy so I’m sensitive to these issues. Google’s quirky corporate style suggests certain mental maladies.

    1. yep it is a douche-bag move, but what can one expect from them other than this sort of unwarranted self serving hypocrisy.

      on the other hand it does seem to me that mr. apple has both the resources (talent and money) and one would think the motivation – and most certainly the obligation – to be putting out nothing less than bullet proof software.

      there is no denying they have been kinda sloppy lately.

      so please remember tim and all, this is not just a matter of our security and your reputation – it is also, fundamentally, you f’ing JOB

  1. Who died and left Google in charge???

    The whole world is suing Google for their bad ethics and flagrant invasion of privacy practices and they feel they have the gall to take upon themselves the moral authority ???

    Google will fast lose everyone’s faith and any favor

  2. One may question the motive and the means but if it gets fixes out much faster I value that as the end user. There is no reason why such companies with such vast resources can’t do it!

  3. Don’t do evil? How about releasing security vulnerabilities to criminal hackers? When your phone operating system is the least secure in the industry! I don’t even have to wonder if the 90 day patch window applies to their own software, because it doesn’t. Maybe they should spend a little more time securing their own software and services, and a little less time worrying about their competitors.

    Google: Research Arm of Cyber Terrorists

  4. Android – the ‘Swiss Cheese of Security’

    Interesting dichotomy: Apple and Microsoft (?) take security seriously and FIX holes – but maybe not within 90 days (Apple 97 days; Microsoft maybe 10-15 years for some flaws). Android is full of security holes that are actively being exploited and Google does nothing to fix problems in the established user base and may or may not address the problems in the NEXT version of Android.

    1. What utter, blazing hypocrisy.

      and “and may or may not address the problems in the NEXT version of Android”
      Which, of course, will never reach the vast majority of Androcrap Swiss Cheese users.

    2. But the difference is, Google could care less about Android security issues.

      In fact, I doubt that they really care about security issues in Microsoft and Apple products. I see this as an effort to tear down their competition and redirect any concerns about Android security. They haven’t got a product worth using, so they start calling their competitors nasty names. Propaganda, by another name. No matter how you couch it, in noble, flowery language, it’s evil.

  5. Every major player contributed to security and privacy gaps.

    Microsoft because they are inept and maybe because of backdoors.

    Google because of a-hole at the top.

    Apple because they sat on their hands when they had the bugs, tho they there are not like Google, usually.

    Government backdoors and lack of secure standards.

    Router companies.

    ISP and other domain aspects.

    —————————

    Google LIVES because their business model is to sell out the consumer.

  6. In principal what they’re going is ok, trying to get things fixed faster is hardly a bad thing, but the problem is, what’s to stop them from identifying a problem in their own software, starting work on fixing it, then announcing it when they’re ready to patch it to make themselves look good? Also, Android’s solution is that if they do fix things, it tends to only be on the newest version which isn’t used by anybody and which people couldn’t install even if they wanted to. Is a fix that can’t be utilised still a fix?

    1. I am of two minds about this. I like the idea of a forcing function that identifies OS and application vulnerabilities and drives companies to rapidly fix them. But I do not like the idea of Google being that industry conscience. Instead, I would prefer a consortium of industry players to fund research teams and incentivize independent software experts to report bugs. A requirement of participation would be to fix identified vulnerabilities within a specified timeframe.

      1. A requirement of participation would be to fix identified
        vulnerabilities within a specified timeframe.

        Building/architecting software is NOT like building with Legos. With Legos, you have fixed, pre-determined block sizes and shapes, and they always snap together in a reliable way.

        Writing code is a messy process, at times. Whether or not a software mod mysteriously introduces bugs into a formally working bit of code can be difficult to predict, ahead of time. And, the BEST beta testing period is NO guarantee that all of the bugs have been identified.

        Sometimes, the existing code being modified is so complex and brittle (but works) that seemingly ANY code mods will break this formally working code — or certainly introduce cosmic weirdness that remains unidentified until after release and deployment to the customer base, where specific user cases (specific hardware, HW configs, network set-ups, interactions with network services, etc.,) suddenly align and highlight a code problem that could not be effectively predicted/seen prior to release.

        And, then there are software architecture issues that become the source of the problem, such that some larger chunk of good working code must be ripped out and rewritten/architected to realize a different/necessary software feature upgrade — good metaphor would be when one modifies an existing building — some mods simply overwhelm the old building’s architecture’s ability to effectively support the desired structure upgrades without introducing safety/structural/support issues into other areas of the building that formally had no such issues — the solution would be to tear down some larger chunk of the formally perfectly good building, and rebuild from the foundation, up — to oft times include redesigning the foundation to properly support the desired building additions and mods.

        And then, there are the bugs that randomly present themselves, originating in a buggy API, or compiler, or development environment, with complete unpredictably — fix the buggy API, and watch other formally working code suddenly stop working, because its ability to work relied upon the unidentified bug contained in the API (or compiler) — now, with the API or compiler bug fixed, it is no longer able to work correctly.

        You get the idea.

        Niffy

  7. Special Note to Google: If my private information is “hacked” because of Google’s special mission to publicize weaknesses, I will go get a set of attorneys who have fangs that drag on the ground and we will feed on your money. For Years. For Billions. You won’t like it. We won’t stop.

Reader Feedback

This site uses Akismet to reduce spam. Learn how your comment data is processed.