UPDATED 07:00 EDT / JANUARY 05 2015

Google publishes unpatched vulnerability in Windows 8.1

Google has made Microsoft look a bit foolish after publishing details of a vulnerability it discovered in Windows 8.1 that allows attackers to gain system administrator privileges.

Google didn’t hesitate to release the vulnerability, as well as the code needed to exploit it, under its “Project Zero” initiative. That project team is tasked with tracking and investigating software flaws and informing developers of the ways in which they can be exploited. Once a flaw has been thoroughly researched, Google gives developers a 90-day time period in which to patch it before publishing what it found. Google said Microsoft has failed to patch the Windows flaw, but Microsoft insists the threat has been exaggerated.

“We are working to release a security update to address an Elevation of Privilege issue,” said Microsoft in a statement to Engadget. “It is important to note that for a would-be attacker to potentially exploit a system, they would first need to have valid logon credentials and be able to log on locally to a targeted machine. We encourage customers to keep their anti-virus software up to date, install all available Security Updates and enable the firewall on their computer.”

Microsoft chose not to address the issue of Google making it look a bit foolish in public, but the search giant explained its actions in a blog post announcing the vulnerability.

“On balance, Project Zero believes that disclosure deadlines are currently the optimal approach for user security – it allows software vendors a fair and reasonable length of time to exercise their vulnerability management process, while also respecting the rights of users to learn and understand the risks they face,” said Google in a statement. “By removing the ability of a vendor to withhold the details of security issues indefinitely, we give users the opportunity to react to vulnerabilities in a timely manner, and to exercise their power as a customer to request an expedited vendor response.”

Google says it informed Microsoft of the flaw on September 30, and urged it to fix things within 90 days. One user commented on Google’s blog post that Project Zero was being “irresponsible” to demand a fix within 90 days, while another said users “deserve a more responsible behavior” from both companies.

Image credit: geralt via Pixabay.com

