It only took four years, but Microsoft this week was finally able to give Google a dose of its own medicine when it disclosed a security vulnerability in Chrome.
Which is hypocritical.
What Microsoft should have done is take the high ground. Do the right thing for your shared customers and just shut up about it.
But it didn’t. Because the two companies have been going at it for years now, ever since Google adopted a policy, back in 2013, of disclosing unpatched security vulnerabilities that are being exploited.
This policy has angered Microsoft on several occasions, since Windows is often the product being exploited. For example, in November 2016, Microsoft’s Terry Myerson lashed out at Google in the following manner.
“Google’s decision to disclose these vulnerabilities before patches are broadly available and tested is disappointing, and puts customers at increased risk,” he wrote at the time. “We believe responsible technology industry participation puts the customer first, and requires coordinated vulnerability disclosure.”
Well, Microsoft’s stance has shifted just a bit since then.
“Security is now a strong differentiator in picking the right browser,” a post on the Microsoft Security Response Center begins.
Yikes.
Worse, Microsoft didn’t randomly discover a flaw in Chrome, alert Google, and then wait some period of time before disclosing it publicly. Instead, it specifically started a project to “examine Google’s Chrome web browser” for security problems. And it found some. Alerted Google. And then disclosed them publicly, after taking careful note of how long Google took to fix them. In short, Microsoft just wanted some revenge on Google.
“We responsibly disclosed the vulnerability that we discovered along with a reliable [remote] exploit to Google on September 14, 2017,” the Microsoft post explains. “[But] the source code for the fix was made available publicly on Github before being pushed to customers … the stable channel of Chrome remained vulnerable for nearly a month after that commit was pushed to git.”
Calling Google out like that seems petty to me. Beneath what I believe Microsoft is all about.
Regardless, it’s time for both sides to grow up and work together. Take potshots at each other, sure. But not over security.
Delmont
Good for Microsoft. I want Microsoft to be more aggressive. Google got caught with their pants down.
skane2600
In reply to ghostrider:
Anyone who declares any software "uncrackable" should not be considered a security expert.
Lateef Alabi-Oki
Google doesn't give a shit.

They already pay security researchers, through paid bounties, to publicly find flaws in Chrome. And they publicly self-disclose all their security vulnerabilities from Chrome, to Chrome OS, to Android.

Microsoft is delusional if they think this stunt is going to get Google to change its ways. In Google's view they just did them a favor. Heck they even paid Microsoft a bounty for this bug.

That doesn't sound like a company that's salty.

By the way the bug was fixed within 4 days. Chrome Beta already had the patch. Chrome Stable gets updated every 6 weeks. So the rollout was going to hit Chrome Stable within the next week.

This is not a case of a company neglecting security bugs for months, even years, like Microsoft is notorious for doing.

IE had gaping security issues that languished for years. Heck Edge is only updated twice a year along with Windows, as opposed to a more granular timely period where possible security issues can be addressed.

That alone is the reason I'd never use Edge. Every time people compare Edge to Chrome, I chuckle. They're not in the same league from a security, or technology perspective.
ryandevega
In reply to sharpsone:
OK, so the scorched earth approach. That's fine. But, how do we benefit if 2 of the largest tech companies are at war? I'm with Paul on this one.