Microsoft angry at Google over vulnerability disclosure

Microsoft has criticized a Google researcher for publicly disclosing a remote code execution vulnerability affecting Windows XP and Server 2003.

The issue was first reported to Microsoft on June 5 and publicized some four days later.

“Public disclosure of the details of this vulnerability and how to exploit it, without giving us time to resolve the issue for our potentially affected customers, makes broad attacks more likely and puts customers at risk,” explained Microsoft spokesperson Mike Reavey.

“One of the main reasons we and many others across the industry advocate for responsible disclosure is that the software vendor who wrote the code is in the best position to fully understand the root cause.”

According to Reavey, Google’s initial analysis of the vulnerability was “incomplete,” with a workaround that could be easily circumvented.

“We recognize that researchers across the entire industry are a vital part of identifying issues and continually improving security, and we continue to ask researchers to work with us through responsible disclosure to help minimize the risk to customers while improving security,” he added.

The vulnerability has been identified as affecting only Windows XP and Server 2003.

Microsoft says it is not aware of any “current exploitation” for users running Windows Vista, 7, Server 2008, and Server 2008 R2.