In a long, detailed blog post, Microsoft explains its discovery of a Google Chrome vulnerability and how the search giant was irresponsible in correcting it. The flaw discovered in the Chrome browser was a Remote Code Execution (RCE) vulnerability that could enable attackers to access sensitive details like email addresses, documents, and banking sessions. The blog details the vulnerability along with its source code, how potentially dangerous it is, and Google’s role in patching it.
If you scroll down towards the end of the blog post, you’ll see Microsoft criticizing Google for its approach to fixing the Chrome vulnerability. Microsoft says that it informed Google about this RCE exploit on September 14. Google announced a bug bounty of $7,500 for this flaw which Microsoft’s team fixed along with other bugs discovered. Google was quick to publish the source code for the fix, just four days after the flaw was first reported. This is what ticked off Microsoft.
Before shipping the security fix to the stable channel of Chrome, Google made the source code for the fix available on GitHub. Prior to this, the vulnerability had been kept private. By doing so, Microsoft says, Google “made the vulnerability obvious, especially as it came with a regression test”. In addition, the stable channel of Chrome remained vulnerable to the RCE exploit for about a month before the fix was released to users.
Microsoft says that one month is more than enough time for attackers to exploit the flaw, and the fix as well. It subtly concludes by saying, “Our strategies may differ, but we believe in collaborating across the security industry in order to help protect customers”.
Microsoft’s response to Google is seen as a slap back for what happened last October. Google had discovered a bug in Windows which it made public ten days after reporting it to Microsoft. This was done before Microsoft could even issue a patch for the bug. While Google revealed only a short description of the Windows bug, it was enough to alert attackers to a possible exploit.