Description
Google will publicly disclose software flaws whether or
not the vendor has fixed the bug. The objective of its “Project Zero” is
to significantly reduce the number of targeted attacks. To this end Google
is hiring additional security researchers to improve security across the
Internet. The purpose of the effort is to create a quick-response capability that reduces the window of exposure to "zero-day" vulnerabilities.
The
first result of “Project Zero” is the January 2015 batch of Microsoft patches, which
fixes a vulnerability in Windows 8.1 that Google had publicly disclosed only two days earlier. Microsoft responded
with a blog post complaining that disclosure ahead of a patch leaves Microsoft users without
adequate defenses.
Executive Guidance
Executives should welcome third-party checking of
security, particularly since bug fixes can currently take a very long
time: sometimes months before a vendor announces a correction and then
weeks before the fix is actually deployed (if ever).
For instance, Microsoft’s MS15-002 is a “critical” flaw that
makes it possible for an attacker to perform remote code execution. Microsoft’s
January 13, 2015 release also includes seven additional vulnerabilities classified as
“important”.
Summary
“Project Zero” should be seen as the start of a new era in
the security management of systems. Only major vendors will have the staff to
accelerate the identification of software flaws from months to days. The pace at which
vulnerabilities are found and must be answered is speeding up. Firms will need to start choosing cloud
computing providers that can demonstrate such capabilities.
For comments please e-mail paul@strassmann.com