The ding-dong between Microsoft and Google vulnerability researchers is not yet a trans-generational conflict, but it’s showing signs of turning into one.
After being embarrassed by Google’s Project Zero over a string of software flaws, Microsoft has fired back by publicising a critical Remote Code Execution (RCE) flaw its Offensive Security Research (OSR) team spotted after crashing Chrome’s open-source JavaScript engine, V8.
Identified as CVE-2017-5121, the flaw in V8’s just-in-time compiler was patched by Google in September (Chrome 61.0.3163.100). We now know it was reported to Google by Microsoft because, as the company’s blog reveals, its team was paid a $7,500 (£5,700) bug bounty by Google.
Normally, that would be that, except that Microsoft’s dissection swiftly turns into a launchpad for a broader critique of weaknesses in Chrome’s design. For example:
Chrome’s relative lack of RCE mitigations means the path from memory corruption bug to exploit can be a short one.
And, significantly:
Several security checks being done within the sandbox result in RCE exploits being able to, among other things, bypass Same Origin Policy (SOP), giving RCE-capable attackers access to victims’ online services (such as email, documents, and banking sessions) and saved credentials.
Bluntly, Microsoft seems to be saying, Chrome’s much-vaunted sandboxing (a feature that limits one web page or browser tab’s access to another) doesn’t always stop criminals from pwning the user.
The vulnerability was fixed weeks ago, so why would Microsoft want to tear it apart in such detail?
Perhaps to make a point about throwing stones in glasshouses after a period in which the company has received a string of similar criticisms from Google’s Project Zero team.
Only days ago, Google’s Mateusz Jurczyk laid into Microsoft over its alleged prioritisation of Windows 10 patches over those for older versions of the OS.
In May his colleague Tavis Ormandy took to Twitter to talk up a “crazy bad” RCE vulnerability affecting Windows Defender which, as it happens, Microsoft fixed only days later.
Worst of all was February’s disclosure by Jurczyk of a vulnerability in Windows that he felt the company was taking too long to patch, but which, he said, Google had a responsibility to tell the world about under its 90-day disclosure policy.
The difference of opinion over what constitutes responsible disclosure has turned into a particular bone of contention. As Microsoft makes a point of saying:
We responsibly disclosed the vulnerability that we discovered along with a reliable RCE exploit to Google on September 14, 2017.
Rubbing salt in the wound, Microsoft used its new MSRD Azure “fuzzing” platform to find it, perhaps subtly mocking Google’s enthusiasm for spotting flaws using the same technique.
It seems unlikely that a truce will be called in this head-to-head any time soon. Google will continue hammering Microsoft for taking too long to fix flaws while Microsoft will shoot back that Google isn’t immune to security woes of its own.
For Microsoft and Google users, this is all good. Not that long ago, it seemed that the software industry lacked urgency when it came to acknowledging and fixing vulnerabilities. If that complacency is melting away, it does no harm for big companies to help the thaw by taking each other to task.
Lancer
lmbo…Decades later, people still hate on Microsoft for everything, but they just keep going and going. Energizer bunny could learn a thing or two from Microsoft
Laurence Marks
Umm, maybe this feud is a good thing if vulnerabilities are being found and fixed earlier.
Mark Stockley
Indeed. That’s why John wrote “For Microsoft and Google users, this is all good”.
Spryte
So what about pure Chromium? Or derivations?
Wendy Holstein
The new Windows 10 upgrade is causing me issues and will not update or download. One of the worst upgrades I have ever seen!!
Joe
October 2017:
Current Firefox version: 56.0.1 – browser first released in 2002
Current Chrome version: 64 – browser first released in 2008
hmmm
Mark Stockley
So if Firefox changed their versioning scheme (again) and skipped straight to 65 they’d be one better than Chrome. Got it.
Mark Stockley
Also, are we including all the versions of NCSA Mosaic that preceded Netscape Navigator, which was open sourced and transformed into Mozilla SeaMonkey (or whatever it was called), which was forked into Firefox? Also, what about that whole period when Firefox was versioned using the Major.Minor.Bugfix scheme, which gave us browser versions like 3.5.19?
Steve
And then there’s Internet Explorer, which got all the way up to 12… in how many years? Apparently it has been the safest, most stable, bug-free browser of all, right? LOL
Steve
Oops… how did I manage to type “12”? I can’t even hit the same key twice without missing it once? Argh. Oh well, let’s just say that Edge is IE12, OK?
Mongojim
The real loser in a battle like this is the end user not having a patch available before the disclosure. Shame on Google for starting this mess, and shame on Microsoft for playing the same game… GROW UP KIDS!
Jim
It seems to me that these two giants (and maybe others) should make a deal about how to responsibly deal with these issues. One-upsmanship is not good for the industry.
Jason
I remember the days when they (software companies) produced programs that actually worked!
Each new version brought new features, rather than bug fixes (to fix problems that should have been fixed from the beginning, bring back proper testing)…
Mark Stockley
I don’t ;)