| Recurring |
one_organization |
(a) The articles mention a similar incident happening again at Microsoft. In 2015, Google published another bug online 90 days after informing Microsoft, just a few weeks before Microsoft planned to roll out its own patch. In that case, both companies agreed that the bug was non-critical, and Microsoft planned to delay its patch until a regular roll-out, but Google refused to budge on the time limit. This shows a recurring issue between Google and Microsoft regarding the disclosure of vulnerabilities and the timeline for fixing them within Microsoft's products and services [48597].
(b) The articles do not provide information about a similar incident happening at other organizations or with their products and services. |
| Phase (Design/Operation) |
design |
(a) The software failure incident in the articles is related to the design phase. Google discovered a critical Windows bug that allows privilege escalation in Windows and decided to publicize it just 10 days after informing Microsoft about it. This decision was part of Google's disclosure program to make others aware of the danger posed by the bug, even if they cannot fix it until Microsoft releases a patch. Microsoft, on the other hand, expressed anger at not being given enough time to properly issue a patch, emphasizing their belief in coordinated vulnerability disclosure [48597].
(b) The software failure incident is not related to the operation phase or misuse of the system. |
| Boundary (Internal/External) |
within_system, outside_system |
(a) within_system: The software failure incident in this case can be categorized as within_system. Google discovered a critical Windows bug that allows privilege escalation in Windows, indicating a flaw within the Windows operating system itself [48597]. The bug was being actively exploited in the wild, highlighting an issue originating from within the system.
(b) outside_system: The software failure incident can also be linked to factors outside the system. Google's decision to publicly disclose the bug just seven days after informing Microsoft about it can be seen as a factor originating from outside the system, as it was a deliberate action taken by Google that impacted Microsoft's response time and patching process [48597]. |
| Nature (Human/Non-human) |
non-human_actions, human_actions |
(a) The software failure incident in the articles is related to non-human_actions, specifically a critical Windows bug that allows privilege escalation. Google discovered the bug, which was already being actively exploited in the wild, and gave Microsoft a short timeline to fix it before going public with the information [48597].
(b) The software failure incident also involves human_actions, as Microsoft expressed anger at Google for not giving them enough time to properly issue a patch. Microsoft emphasized the importance of coordinated vulnerability disclosure and working with software providers to fix issues before making them public. Microsoft felt that Google's tight timeline for disclosure could potentially put customers at risk [48597]. |
| Dimension (Hardware/Software) |
software |
(a) The articles do not mention any software failure incident occurring due to contributing factors originating in hardware.
(b) The software failure incident mentioned in the articles is related to a critical Windows bug discovered by Google, which allows privilege escalation in Windows. This bug was a contributing factor originating in the software itself, leading to the failure incident [48597]. |
| Objective (Malicious/Non-malicious) |
malicious |
(a) The software failure incident described in the articles is malicious in nature. Google publicized a critical Windows bug just 10 days after discovering it, which allowed privilege escalation in Windows and was already being actively exploited in the wild [48597]. This act by Google was seen as part punitive towards Microsoft for their delay in fixing the bug, as well as part preventative to make users aware of the danger even before a patch was available. Microsoft, on the other hand, believed in coordinated vulnerability disclosure and was angered by Google's actions, stating that it put customers at potential risk [48597]. |
| Intent (Poor/Accidental Decisions) |
poor_decisions, accidental_decisions |
(a) The intent of the software failure incident related to poor decisions can be seen in the actions taken by Google and Microsoft in response to the critical Windows bug. Google's decision to publicize the bug just seven days after informing Microsoft about it, despite Microsoft's belief in coordinated vulnerability disclosure, can be viewed as a poor decision that potentially put customers at risk [48597].
(b) The software failure incident can also be attributed to accidental decisions or unintended consequences. Microsoft expressed frustration at Google's tight timeline for disclosing vulnerabilities, indicating a disagreement in approach to handling such issues. Microsoft's Chris Betz highlighted the importance of researchers privately disclosing vulnerabilities to software providers and working together until a fix is available, emphasizing the need for a partnership to benefit customers the most. The clash between Google and Microsoft over disclosure timelines and differing perspectives on bug severity suggests accidental decisions or unintended consequences contributing to the software failure incident [48597]. |
| Capability (Incompetence/Accidental) |
accidental |
(a) The articles do not provide information about the software failure incident being related to development incompetence.
(b) The incident reported in the articles is more related to a conflict between Google and Microsoft regarding the disclosure of a critical Windows bug. Google publicized the bug just 10 days after informing Microsoft about it, leading to a dispute over the timeline for fixing the vulnerability. This incident seems to be more accidental or a result of differing approaches to vulnerability disclosure rather than development incompetence [48597]. |
| Duration |
unknown |
The articles do not provide information about whether the software failure incident was permanent or temporary. |
| Behaviour |
omission, timing, other |
(a) crash: The incident described in the articles does not involve a system crash where the system loses state and does not perform any of its intended functions [48597].
(b) omission: The software failure incident is related to Microsoft's omission to fix a critical Windows bug after being informed of it by Google. Google publicized the bug after Microsoft did not issue a patch within the given timeline, so the vulnerability was not addressed promptly [48597].
(c) timing: The software failure incident involves a timing issue where Google gave Microsoft a deadline of seven days to fix the critical bug before going public with the information. Microsoft expressed anger at not being given enough time to issue a patch, highlighting a timing conflict in the disclosure of the vulnerability [48597].
(d) value: The incident does not involve a failure due to the system performing its intended functions incorrectly [48597].
(e) byzantine: The software failure incident does not exhibit characteristics of a byzantine failure where the system behaves erroneously with inconsistent responses and interactions [48597].
(f) other: The behavior of the software failure incident can be described as a conflict in vulnerability disclosure practices between Google and Microsoft, leading to public squabbles and disagreements over timelines for fixing critical bugs. This behavior falls under the category of a dispute over responsible disclosure and the handling of security vulnerabilities [48597]. |