After Google’s Constant Trolling, Microsoft Is in for Some Blood!
Google continues to tell us that Chrome is the top browser choice when it comes to security protections. While the company may be behind the power of Safe Browsing, Microsoft appears to be going after it with full force. The company's Edge browser was recently rated as the best browser for defending against phishing websites. After winning that small battle, the Redmond tech giant is now breaking Chrome apart to look for its security flaws.
"What’s right for Google is not always right for customers" - Microsoft
The delicious rivalry between Microsoft and Google was first started by the search giant at the end of last year when it revealed security flaws before waiting for Microsoft to patch them. The company has continued to do so throughout the year as even the latest October security patches included a flaw discovered by Google's Project Zero team. Not only that, one Google researcher went on to write a blog post detailing how the entire patching system over at Redmond is flawed, saying that the Windows maker is putting Windows 7 users at risk.
This, of course, didn't sit well with Microsoft. The company had said in January that Google is looking for a "gotcha" moment disregarding user security. Since this didn't stop Google, Microsoft's security team, Offensive Security Research (OSR), has now revealed details of a remote code execution vulnerability found in Google's darling Chrome. Tracked as CVE-2017-5121, the flaw is a high-severity out-of-bounds information leak that can lead to remote code execution inside a user's browser.
Microsoft said in January (emphasis is ours): "Specifically, we asked Google to work with us to protect customers by withholding details until Tuesday, January 13, when we will be releasing a fix. Although following through keeps to Google’s announced timeline for disclosure, the decision feels less like principles and more like a “gotcha”, with customers the ones who may suffer as a result. What’s right for Google is not always right for customers. We urge Google to make protection of customers our collective primary goal."
Microsoft recommends Google to rethink its "problematic" patching/disclosing mechanism
While Microsoft is being nice saying that Google's "turnaround was impressive," this applaud comes with a "however". In its post, Microsoft said "it’s important to note that the source code for the fix was made available publicly on Github before being pushed to customers". This publicly available fix potentially enabled attackers to use that flaw to launch attacks.
"It is problematic when the vulnerabilities are made known to attackers ahead of the patches being made available," the company said, "In this specific case, the stable channel of Chrome remained vulnerable for nearly a month after that commit was pushed to git. That is more than enough time for an attacker to exploit it."
Microsoft then mentioned the example of its own Edge browser, sharing a tip with Google on how it doesn't make information of such security issues publicly available even when the issues are in the open source components of Edge, to make sure that the patch is shipped to consumers first.
This may remind some readers of a very similar statement earlier this year when Microsoft had called Google irresponsible for disclosing a vulnerability in Windows GDI (Graphics Device Interface) that it was yet to fix. At the time Google had said it waited for the industry-accepted 90-day window. But Microsoft wasn't happy. "We believe responsible technology industry participation puts the customer first, and requires coordinated vulnerability disclosure," Microsoft had said. "Google’s decision to disclose these vulnerabilities before patches are broadly available and tested is disappointing, and puts customers at increased risk."
But since getting the "disappointing" tag didn't stop Google either, the Redmond software maker has found a better solution - get into Chrome and do exactly what Google has been doing with every Microsoft product. It's all good for the end user, though, since this ensures better browser security at the end of the day. We are kind of excited to see what more suggestions these two give each other, publicly.
- Google patched this recent RCE flaw last month with the release of Chrome 61. For the discovery, Microsoft was awarded $15,837 that the company plans to donate to charity. More details on the flaw available here.