Microsoft Chastises Google Over Zero-Day Chrome Exploit Disclosure
Microsoft and Google don't have that much love for each other. The two are rivals in the search market, with Google being far and away the most popular search engine, leaving Bing with the table scraps. Google also has the most popular mobile operating system, forcing Microsoft to admit that its mobile OS is dead. Google also went public with a Windows flaw back in February that Microsoft was slow to patch, seemingly as a way to shame Redmond into patching the issues.
Microsoft is now hitting back at Google with a bit of admonishment for a security issue in the Chrome browser. Reports indicate that Microsoft found a Chrome vulnerability last month and outlined how the browser could be exploited. "We responsibly disclosed the vulnerability that we discovered along with a reliable remote code execution exploit to Google on September 14, 2017," explains Jordan Rabet, a Microsoft Offensive Security Research team member. Google patched the problem within a week in its beta versions of Chrome, but the stable and public channel "remained vulnerable for nearly a month."
What Microsoft is specifically criticizing Google for is making the source code for the fix available via GitHub before the official stable channel fix was ready, giving any nefarious sorts a month to find the flaw and exploit it. Rabet wrote that Google's approach was "problematic when the vulnerabilities are made known to attackers ahead of the patches being made available."
The takeaway here is that Microsoft is pointing out specifically that it took the time to disclose the bug privately, rather than publicly as Google did. Microsoft notes that it will continue to use its private approach to disclosing vulnerabilities. Google has a controversial policy in place that allows its engineers to make public any bugs or flaws they find only a week after telling the vendor who has to deal with the flaw that it exists.
Microsoft also of course took the opportunity to talk about how Edge handles this sort of attack vector better than Chrome. Microsoft wrote, "This kind of attack drives our commitment to keep on making our products secure on all fronts. With Microsoft Edge, we continue to both improve the isolation technology and to make arbitrary code execution difficult to achieve in the first place. For their part, Google is working on a site isolation feature which, once complete, should make Chrome more resilient to this kind of RCE attack by guaranteeing that any given renderer process can only ever interact with a single origin. A highly experimental version of this site isolation feature can be enabled by users through the chrome://flags interface."
Google awarded Microsoft a $7,500 bug bounty for the reported exploit, and Microsoft says that its team found and disclosed enough bugs to rack up $15,837 from Google in bounties, which was matched, resulting in $30,000 donated to charity.