As another comment points out, unlike Google updates, Microsoft's occur on a particular day of every month. This allows end user IT departments to coordinate the updates as part of a predictable change management policy.
In this case, the bug was reported on 13 Oct, 15 working days before the first Tuesday of November. Assuming Microsoft couldn't fix and test a change to a core service running on millions of desktops in that time, their only remaining opportunity within the disclosure window was the patch day in December - allowing them only 50 calendar days to deal with the bug.
What's worse is that the bug isn't even all that severe. Effectively Google were trying to strong-arm Microsoft into releasing an out of band patch for a minor issue, which would have knock-on effects for thousands of IT departments. A completely dick move, and thankfully one that's being given recognition here.
Shit like this is why I have a hard time dealing with the infosec community in general – a strange mix of conformance to pointless minutia, a deeply ingrained sense of self-importance (only worsening over time with PR crap like APT), and a fatal attraction to some of the most puerile elements of society. The result is a unique melting pot of genius and dumb that I regularly can't stomach.
If you define a limit for disclosure, and then don't stick to it, why define a limit in the first place? 90 days is more than enough - if MS has a lot of internal overhead, you should probably complain to them, not to Google.
If contacted by the other party and they give a good reason (in this case: "We have a fix, it's slated for release in line with other things on Tuesday"), I think a responsible security researcher should give that time. If patch day rolls around and no production, go ahead and shame. This is not a case of overhead; the MS world functions a bit differently from package management in Linux.
They've lost sight of this noble objective with an inflexible policy; who anointed Project Zero guardians of the internet? Why not wait the two days? cui bono?
If Google insists on exactly 90 days without any consideration for Patch Tuesdays, this means that, if unlucky, MS will only get 60 days (if they got the announcement right after a Patch Tuesday).
So, who forces Microsoft to stick to (so-called) Patch Tuesdays? No one, actually - it's Microsoft's internal schedule, and clearly there are cases when it's absolutely unreasonable - e.g. when there's a 0day in the wild. So there has to be a way to fast-track a fix - if there's not, there's something seriously wrong IMNSHO. Apparently, they thought Google wouldn't stick to the 90-day limit.
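The "60 days if unlucky" figure above can be checked with a small calendar calculation. The following is an added example, not code posted by anyone in the thread: it models Patch Tuesday as the second Tuesday of each month, takes Project Zero's deadline as 90 days from the report, and assumes the 13 Oct report date mentioned earlier in the thread was in 2014 (the year is not stated there). It reports the last Patch Tuesday a vendor could use before the deadline, and scans a whole year of report dates for the worst case.

```python
"""Effective fix window for a 90-day disclosure deadline against a monthly patch day.

Added example, not from the thread. Assumptions: Patch Tuesday is the second
Tuesday of the month, and the thread's 13 Oct report date is 13 Oct 2014.
"""
from datetime import date, timedelta

DISCLOSURE_WINDOW_DAYS = 90  # Project Zero deadline discussed in the thread


def second_tuesday(year: int, month: int) -> date:
    """Patch Tuesday for a month, modelled as the second Tuesday."""
    first = date(year, month, 1)
    # date.weekday(): Monday == 0, so Tuesday == 1
    first_tuesday = first + timedelta(days=(1 - first.weekday()) % 7)
    return first_tuesday + timedelta(days=7)


def previous_month(year: int, month: int) -> tuple:
    return (year - 1, 12) if month == 1 else (year, month - 1)


def next_month(year: int, month: int) -> tuple:
    return (year + 1, 1) if month == 12 else (year, month + 1)


def last_patch_tuesday_on_or_before(day: date) -> date:
    """Latest Patch Tuesday falling on or before `day`."""
    candidate = second_tuesday(day.year, day.month)
    if candidate > day:
        candidate = second_tuesday(*previous_month(day.year, day.month))
    return candidate


def patch_tuesdays_in_window(report: date, deadline: date) -> list:
    """Patch Tuesdays strictly after the report and on or before the deadline."""
    result = []
    year, month = report.year, report.month
    while True:
        pt = second_tuesday(year, month)
        if pt > deadline:
            return result
        if pt > report:
            result.append(pt)
        year, month = next_month(year, month)


def effective_window(report_iso: str) -> dict:
    """For a report date (ISO string), the usable patch days and the real fix window."""
    report = date.fromisoformat(report_iso)
    deadline = report + timedelta(days=DISCLOSURE_WINDOW_DAYS)
    last_pt = last_patch_tuesday_on_or_before(deadline)
    return {
        "deadline": deadline.isoformat(),
        "last_patch_tuesday": last_pt.isoformat(),
        # Days the vendor actually has before the last patch day inside the window.
        "effective_days": (last_pt - report).days,
        "patch_tuesdays": [pt.isoformat() for pt in patch_tuesdays_in_window(report, deadline)],
    }


def worst_case(year: int) -> int:
    """Smallest effective window over every possible report date in `year`."""
    day = date(year, 1, 1)
    worst = DISCLOSURE_WINDOW_DAYS
    while day.year == year:
        worst = min(worst, effective_window(day.isoformat())["effective_days"])
        day += timedelta(days=1)
    return worst


if __name__ == "__main__":
    # The thread's case, assuming 13 Oct 2014.
    w = effective_window("2014-10-13")
    print(f"deadline {w['deadline']}, last usable Patch Tuesday {w['last_patch_tuesday']}, "
          f"{w['effective_days']} effective days, patch days in window: {w['patch_tuesdays']}")
    print(f"worst case for a report made in 2014: {worst_case(2014)} days")
```

Because Patch Tuesdays are 28 or 35 days apart, the last one on or before the deadline is never more than 34 days before it, so the floor for any report date is 56 days; the scan over 2014 hits exactly that floor, and the 13 Oct case comes out at 57, in line with the 50 to 60 days estimated in the thread.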
Why do all these customers need to be on Microsoft's schedule though? Microsoft should release the patches and give each IT team their own ability to assess patches at their own speed.
If some companies want to wait 2 days then let them make their own choice. It seems like a pretty stupid policy that nothing (except extreme cases) should get patched except when it's convenient.
> Microsoft should release the patches and give each IT team their own ability to assess patches at their own speed.
They already do via WSUS. Companies get to plan this work to start on the second Tuesday of every month because that's the day Microsoft publishes them. Nobody puts a gun to companies' heads and forces them to deploy internally.
> If some companies want to wait 2 days then let them make their own choice. It seems like a pretty stupid policy that nothing (except extreme cases) should get patched except when it's convenient.
This seems to be a complaint about a "policy" which doesn't exist and has no relationship to the topic at hand. I don't even really entirely understand the above.
I don't really see how that matters. This only shows how utterly broken the concept of "patch Tuesdays" is ...
If you plan your internal deployment updates based on the belief that the schedule will never change, then I'm really sorry for you and your users. In the real world, not all issues are reported in advance - some are observed in the wild, and in that case you have to fast-track the fix. If you have no way to do that (e.g. because the vendor only releases fixes on Tuesdays once per month, or because you decided to choose such a schedule on your own), then good luck. That might have been appropriate in 1995, not in 2015.
There are many projects and/or companies publishing fixes continuously, and leaving it up to the users when/how to apply them in production. That's essentially what all the Linux distributions (RH, SUSE, ...) and smaller projects do.
Not entirely true now. Users of MS software have built up their own testing processes around patch Tuesday.
Patch Tuesday was one of the best things MS did when they decided to take security seriously. They realized that testing patches downstream takes time and giving their customers a consistent patch day let them also plan ahead.
The reason for giving 90 days is not that some issues are so complicated that they require 90 days to fix, but that bureaucracies can be slow and need a lot of extra time. In your case, that is 30 days of bureaucratic overhead, leaving them 60 days of actual work. This seems reasonable, as business deadlines are 30 days.