Microsoft Gets Security Disclosure Revenge on Google

Posted on October 19, 2017 by Paul Thurrott in Cloud, Windows 10 with 47 Comments

It only took four years, but Microsoft this week was finally able to give Google a dose of its own medicine when it disclosed a security vulnerability in Chrome.

Which is hypocritical.

What Microsoft should have done is take the high ground. Do the right thing for your shared customers and just shut up about it.

But it didn’t. Because the two companies have been going at it for years now, since Google adopted a policy of disclosing unpatched security vulnerabilities that are being exploited back in 2013.

This policy has angered Microsoft on several occasions since Windows is often the product being exploited. For example, in November 2016, Microsoft’s Terry Myerson lashed out at Google in the following manner.

“Google’s decision to disclose these vulnerabilities before patches are broadly available and tested is disappointing, and puts customers at increased risk,” he wrote at the time. “We believe responsible technology industry participation puts the customer first, and requires coordinated vulnerability disclosure.”

Well, Microsoft’s stance has shifted just a bit since then.

“Security is now a strong differentiator in picking the right browser,” a post on the Microsoft Security Response Center begins.

Yikes.

Worse, Microsoft didn’t randomly discover a flaw in Chrome, alert Google, and then wait some period of time before disclosing it publicly. Instead, it specifically started a project to “examine Google’s Chrome web browser” for security problems. And it found some. Alerted Google. And then disclosed it publicly, after taking careful note of how long Google took to fix them. In short, Microsoft just wanted some revenge on Google.

“We responsibly disclosed the vulnerability that we discovered along with a reliable [remote] exploit to Google on September 14, 2017,” the Microsoft post explains. “[But] the source code for the fix was made available publicly on Github before being pushed to customers … the stable channel of Chrome remained vulnerable for nearly a month after that commit was pushed to git.”

Calling Google out like that seems petty to me. Beneath what I believe Microsoft is all about.

Regardless, it’s time for both sides to grow up and work together. Take potshots at each other, sure. But not over security.


48 responses to “Microsoft Gets Security Disclosure Revenge on Google”

  1. madthinus

    The portion of the story Paul did not tell you is that the fix for the flaw is in the beta browser and the code of that fix is in the open source repository. So Google published this fix in code form, long before Microsoft made this flaw public.

    So why not ask the real hard question to Google. Is their 6-week cadence more important than security of customers?

    I have a serious issue with this article, because it is a half truth. I agree with Paul that Microsoft did a shitty here, but I also agree with the bigger question they posed. Why not protect your customers once you have the fix.

    • wright_is

      In reply to madthinus:

      Exactly, all Microsoft did was point out a flaw in Google's update procedures - publicly posting patched source code (and regression tests to see if the bug was fixed) long before getting round to pushing the fixed binaries at their customers.

      At least Microsoft waited until after Google had pushed the updated binaries before pointing out the flaw in their release methodology.

  2. Lauren Glenn

    Compared to whatever Microsoft did that resulted in Edge, I'm still sticking with Chrome. My anti-virus protects me hopefully from what vulnerabilities are there, but IE is not good and Edge is just "heavy" in terms of user experience. Whatever gets Google to fix any vulnerability.....

  3. red.radar

    It's petty ... but sometimes it’s good for morale to say

    “payback is a bitch”

    question is ... does Google take the high ground or escalate

  4. Mark from CO

    Paul:

    I agree with most of your commenters. While Microsoft action is perhaps not reflective of the 'high ground,' with Google I don't think it believes in 'high ground' as it assumes a moral position. Google was pasting Microsoft as a security luddite, and it was the virtue of strong, reliable security. Perhaps Microsoft saw signs that this charge and claim was gaining currency. Doing nothing would only serve to allow this claim to continue to be reinforced. Microsoft's action at least put words to their counter-argument - that Google has a long way to go from a security perspective.


    There are many reasons why we should be down on Microsoft. I, along with many of your readers, don't believe this is one of them.


    Mark from CO

  5. wizarrc

    I really don't see anything wrong with writing a blog post about a vulnerability they found using their own fuzzing technology and was published after the fix was applied to the stable branch. I would even applaud them for pointing out how they handle security vulnerabilities in an open source project and how they can better improve their process. If I know anything about big companies like Google, without a blog post demonstrating the problem, I'm sure it would take them forever to implement a system where they fix their source code in private and release the patched binaries before showing the world the fix.


    Also, I don't even think the blog post was that hard on them. I think this was more about promoting their Azure fuzzing service, and that it changes how we should all think about security, pointing out that how they have to assume that there are exploits in every software. It's about how to mitigate the risks, not just about sandboxing. More importantly, it validates their reasons for all those security features added to the Edge browser and why they are so necessary.

  6. glenn8878

    Even today, Microsoft is lax on securing Windows and Edge. Payback is more like envy. No one has to worry about Windows if they don’t use it precisely for its lack of security.

  7. Winner

    Google's policy is to wait 60 days before disclosing vulnerabilities publicly. And in many cases Microsoft took longer than 60 days, which is why Google publicized those vulnerabilities. This helps protect users so that zero-day flaws are not exploited.


    In this case (Chrome browser), Microsoft waited barely over 30 days (from 14 Sep to 19 Oct) to publicize this one.


    Microsoft is just behaving like a typical baby here, not responsibly.


    Keep in mind this comes from the company that coerced my 85 year old mother's PC to upgrade to Windows 10 without her permission, along with millions of other users. So that Microsoft could try to hit its Windows 10 numbers.


    This kind of behavior unfortunately is in Microsoft's DNA and it isn't pretty.

      • Chris

      In reply to Winner:

      This story says otherwise: https:// www.theverge.com / 2016/10/31/13481502/ windows-vulnerability-sandbox-google-microsoft-disclosure (remove the spaces from the url)


      Note that it states that Google gave MS 10 days to patch the flaw. Not 60, a measly 10. If MS is being a baby over 30 days, what does that make Google's spat over 10 days?


      That same behaviour also exists in Google, but seems to be tolerated.... and it shouldn't.

        • Winner

        In reply to c.hucklebridge:

        In that specific case, the exploit was already in the wild and being used. The "cat was already out of the bag". So Google let the info out because that was the best way to help users. Not to hurt Microsoft, but to help users. See the difference?

        If the exploit had not already been live in the wild Google would not have disclosed it for the standard 60 day period.

          • Chris

          In reply to Winner:

          How does publicly disclosing that kind of information help users? What is the average user going to do with it? The average user isn't going to know anything about exploits, or how to fix them. Until the vendor can find the exploit, or even figure out how to close it without breaking something else, Google's aggressive stance does nothing to help users, and everything to point out where the exact flaw is, and how to use it. That's not helping users. That's harming users, and MS. It's giving the hackers what they need to attack Windows PCs (whether they do or not is an entirely different thing...)


          Besides, this article (this very article), doesn't mention whether the browser exploit was being used or not. It's entirely possible that it was being used, though maybe not as extensively as some of the more critical ones.


          There's better ways of doing this, and neither Google nor MS have it right.

            • Winner

            In reply to c.hucklebridge:

            There may be behaviors users can take that reduce risk of known vulnerabilities. Disclosure of *active* exploits is done by everybody (not just Google). The idea of responsible disclosure after a fixed time period is well established in the security industry. But for ACTIVE exploits, the news is typically reported immediately since the value of keeping it secret is gone, and there is more benefit for everybody potentially affected to be notified.

  8. Nicholas Kathrein

    The responses here are a perfect look into "fanboyism". Just reverse the names and the people saying the correct thing was done would have said the opposite. Let's face it. In the end you have to disclose the vulnerability. The question is all about how long till you do that. Giving around 60 days is good in my opinion but whatever. I'd rather have this found and patched even with a little pressure. I find it funny that these MS fanboys think that the Google fanboys or just normal people who will never see this or hear about it will care. This is inside baseball at its best/worst plain and simple.

  9. Lateef Alabi-Oki

    Google doesn't give a shit.


    They already pay security researchers, through paid bounties, to publicly find flaws in Chrome. And they publicly self disclose all their security vulnerabilities from Chrome, to Chrome OS, to Android.


    Microsoft is delusional if they think this stunt is going to get Google to change its ways. In Google's view they just did them a favor. Heck they even paid Microsoft a bounty for this bug.


    That doesn't sound like a company that's salty.


    By the way the bug was fixed within 4 days. Chrome Beta already had the patch. Chrome Stable gets updated every 6 weeks. So the roll out was going to hit Chrome Stable within the next week.


    This is not a case of a company neglecting security bugs for months, even years, like Microsoft is notorious for doing.


    IE had gaping security issues that languished for years. Heck Edge is only updated twice a year along with Windows, as opposed to a more granular timely period where possible security issues can be addressed.


    That alone is the reason I'd never use Edge. Every time people compare Edge to Chrome, I chuckle. They're not in the same league from a security, or technology perspective.

  10. Bdsrev

    Google can dish it but they can't take it. Sadly, for people like them, this seems to be the only way to make them understand. Microsoft did what they had to do. Maybe Google will think twice before pulling another 'gotcha!' security stunt

  11. sharpsone

    If you think Google doesn't have a dedicated team identifying MS vulnerabilities then you must live on fantasy island. Good for MS and Screw Google!

  12. MutualCore

    Honestly Paul is really pissing me off lately with his nitpicky attitude. Today on FRD he especially went after Microsoft on the 'claim' that they design Surface displays. He insisted that because they don't manufacture them in China, that means that they must be just buying commodity displays from LG/Sharp/Samsung and plugging those into Surface devices. So Apple we know designs all their displays, despite ordering them from LG/Sharp/Samsung, but Thurrott has no criticism there.


    Does he really believe Microsoft orders 'off the shelf' displays which are 3:2, that nobody else actually is using right now?


    Not only that, but he nit-picked on them for not breaking out XBox units sold, Azure revenue in absolute terms, and other things as 'deceitful' to investors.


    Never mind that Paul's beloved Amazon Echo has never had reported unit sales, or Apple has never reported sales of Apple Watch. Google has never reported sales of Nexus or Pixel phones. Newsflash - all companies obfuscate on unit sales/revenue where they feel it's not to their benefit. But No! Microsoft is TEH EVIL one and he talks about hypocrisy.


    What I sense is really going on is lingering Windows Phone butthurt that bleeds over into his coverage of everything Microsoft does and it's revolting.

  13. rth314

    You got this one wrong, Paul. Google set themselves up for this. Did they think they would only have to play offense, and no defense in the silly game that they started? They impugned Microsoft's reputation, claiming Microsoft was lax with fixing security vulnerabilities. It was important for Microsoft to check them on that. If this makes Google think twice next time they consider rushing out security vulnerabilities, then we are all better off. You're asking Microsoft to be a bunch of pacifists while Google runs all over them.


  15. Jhambi

    I agree. Trying to play "gotcha" accomplishes nothing of value. Google has its share of security (Android) problems. Instead they should have allocated resources to bolster Edge.

  16. Ron Diaz

    Scroogled Redux. Google does something, Microsoft calls them out for it then ends up doing the exact same thing.


    Lather, Rinse, Repeat....

  17. nbplopes

    I'm glad that out of the three there is at least one big consumer targeting company that is out of this unhelpful game where users are concerned.


  18. LocalJoost

    Someone lets their dog take a p*ss on your lawn. You asked the person politely not to do that. Person walks away without saying a word (at best)

    The next week, the same happens. You ask again. Same response. Next week, again. And again. And again. And again. Every time, you ask, a polite, but gritting your teeth a bit more every time, Not. To. Do. That.


    Something's gotta give at one point. Yes. It is a petty response. Maybe a petty response will hammer the message home. It's at least a novel approach.

  19. conan007

    “Do the right thing for your shared customers and just shut up about it.”

    Well if it can make Google realise their actions were wrong and stop publishing unpatched security issues then it would be good for its share of customers (and all customers).

  20. jrickel96

    I think it's important that people understand Google cares nothing about security. They only care about getting your data so they can effectively sell ad space. Only by publicly hammering them will you get them to comply.


    It's important to know your security is a concern if you use anything Chrome or anything Android. Hopefully MS makes Edge full featured everywhere so it can be a true challenger to Chrome, a browser that just isn't very good but does sync well, but is also super bloated at this point. I'm using it now, but I'd prefer to have options other than Firefox - and I'm hoping Edge is about to become just that.

  21. Rik

    How is this the same thing as what Google did? If this bug was reported on September 14th and fixed in stable a month later, then the patch has already rolled out (hence the past tense). Besides, Google themselves published the vulnerability when they patched it.

      • Chris Powers

      In reply to Rik:

      Bingo! Give the man a 'c'. Everyone here is missing the point of the post. Understandable if you don't do OSS.


      Microsoft disclosed the bug responsibly (no malice - Google paid them a reward), Google fixed the bug in 4 days (Microsoft gives them credit), but then Google publishes their own fix to a public GitHub repository (since open source) which DISCLOSES the vulnerability weeks BEFORE the fix is actually pushed to Joe customer using the stable version of Chrome. This is in contrast to Microsoft's process where they only DISCLOSE their code fix AFTER it is pushed to customers.


      TL;DR - Microsoft exercised responsible disclosure. Google scores security own goal; eats crow.

  22. Martin Pelletier

    Sometimes it's OK to do the same to the other to show that person how bad his behavior was.


    But anyway, yes, they should cooperate. Microsoft has anyway a lot of bugs to fix in Windows

  23. Roger Ramjet

    Paul, you seem confused. What is bad, and contested, and that Google does from time to time, claiming it gave the vendor enough time, is disclosing unpatched security vulnerabilities. Disclosing vulnerabilities after they have been patched is extremely common, and standard and does not harm any customers. How else would you know?

  24. Delmont

    Good for Microsoft. I want Microsoft to be more aggressive. Google got caught with their pants down.

  25. Tony Barrett

    So MS claim there was a vulnerability in Chrome for 'nearly a month' before the fix was released. There have been known vulnerabilities in Windows for *years* that MS never bothered fixing. I really don't think MS are in a strong position to try and get one over on the competition, but this tit-for-tat thing is a bit childish.

    I'll also add that at Pwn2Own 2017 this year, Chrome was branded 'uncrackable', while Edge was literally torn apart by hackers who cracked it 5 times. Yes, really.

  26. chrisrut

    I'm hoping Google cries "We need to cooperate!" in response, and that MS winks and says "Good idea!"

    Yet another interesting way to start the day :-)


  27. AnOldAmigaUser

    What's good for the goose...


    I think that what both sides need to do, and let's be clear, Google is the bigger offender in this, is to back off a hard and fast number of days before releasing the exploit. If memory serves, Terry Myerson's problem was caused by the release of an exploit a week before the patch was to be released in the normal patch Tuesday cadence, even though Microsoft had told Google that is when it would be released.


    As long as the code is being fixed, and patched in the normal engineering cadence of the product, then that should be good enough. Better to have a fully tested fix than a point release that might break something else.


    Agreed they should both grow up, but Google is the more childish subject here.

      • MutualCore

      In reply to AnOldAmigaUser:

      It's definitely a better approach than 'Scroogled'. It definitely doesn't look good that Edge was the most vulnerable in the Pwn2Own competition, but Edge also is the youngest browser on the market as well. I'm pretty sure given another 12 months of development and Edge can be as secure as anything.

  28. jwpear

    I see this as competition. Google isn't doing what it does because it cares about Microsoft customers. It discloses the vulnerabilities to make Microsoft look bad. Bottom line. Microsoft took the high road, but that didn't work. Now they're calling Google out with a dose of their own medicine.


    Honestly, Microsoft probably needs to do this to help bolster their Edge browser adoption.  Your average user thinks Chrome has no security issues.


    This could go one of several ways. Things could continue as is with both now taking shots at each other. This might convince both parties to cooperate more on security vulnerability sharing and disclosure practices.  Or they both decide to just stop looking and reporting. In that case, we all lose.

      • RM2016

      Agreed, Google did this to harm a competitor, nothing more. If they were sincere they would be looking at their own product fragmentation.

  29. wright_is

    This wasn't Microsoft revealing anything. It was pointing out a flaw in Google's approach to patching.

    Google wrote a patch and submitted it to a public Git repository, then didn't get around to pushing the fixed binaries for days or weeks afterwards.

    Microsoft's point was that the public commit to the repository should have coincided with the release of the patched binaries; instead, Google self-published the vulnerability (code + regression test to confirm the bug), which preceded clients being patched by several days.

    It is a faux-pas on Google's part; the code is open source and they were trying to be transparent, but in the process they put their userbase at risk.

    Maybe a bit petty of Microsoft to call them out over it, two wrongs don't make a right, but if Google take notice and modify their practices, so that their customers are better protected, it is worth the snub.

  30. BryanK

    Great, as a consumer I'm supposed to take comfort in the fact Microsoft and Google are engaged in a "my dick is bigger than yours" childish game?
