Microsoft criticizes Google over handling of Chrome exploit

Greg S

TS Evangelist

In an ongoing rivalry for browser superiority, Microsoft has publicly condemned Google's handling of a zero-day exploit that was found in Chrome. This may be retaliation against Google for disclosing a Windows privilege escalation vulnerability before Microsoft was able to patch it.

Microsoft is calling for Google to change its release process for Chrome because bug fixes often make their way to GitHub before regular users receive updates. Giving the general public access to source code ahead of the regular release channels makes it significantly easier to find vulnerabilities that could be used in the window between the code being published to GitHub and the final bug fix being pushed out.

It should be noted that Google is not actively revealing vulnerabilities when sharing source code, but closely examining change logs and differences between revisions can make it easy for skilled individuals to find them. Microsoft's own policy is to "ship fixes to customers before making them public knowledge," in order to protect end users as best as possible.

Microsoft mentions that even though some components of the Edge browser are actually open source, such as the Chakra JavaScript engine, changes in code are not released until final builds are distributed.

From Google's standpoint, it fully cooperated with Microsoft in patching the vulnerability that was discovered and reported by Microsoft's Offensive Security Research team on September 14. A reward of $7,500 was offered to Microsoft for the remote code execution issue discovered in addition to $7,887 given for other bugs reported. Google also donated $30,000 to the Denise Louie Education Center in Seattle, Washington on behalf of Microsoft.


 

Teko03

TS Evangelist
Lol @ MSFT... They have no room to talk, considering their history.
Thing is, Google is the company that started doing this to Microsoft. So why not return the favor? You can't attack one software company and pretend that yours is perfect. But Google can do wrong, right? Even if the tables were turned, people would side with Google.

At the end of the day, this approach helps secure the end user.
 

wujj123456

TS Enthusiast
I kinda always find Google's security effort quite ironic. Among all the large OSes, Android is the only one that can't get reliably patched after years. They seem to be more interested in pointing fingers at others than fixing their problem first. Honestly, I think at this point, an Android exploit might be worth much more than an IE/Edge exploit to hackers.
 

IAMTHESTIG

TS Evangelist
Thing is, Google is the company that started doing this to Microsoft. So why not return the favor? You can't attack one software company and pretend that yours is perfect. But Google can do wrong, right? Even if the tables were turned, people would side with Google.

At the end of the day, this approach helps secure the end user.
I totally agree... it's all about doing what is right.