Microsoft Gets Security Disclosure Revenge on Google

Posted on October 19, 2017 by Paul Thurrott in Cloud, Windows 10 with 47 Comments

It only took four years, but Microsoft this week was finally able to give Google a dose of its own medicine when it disclosed a security vulnerability in Chrome.

Which is hypocritical.

What Microsoft should have done is take the high ground. Do the right thing for your shared customers and just shut up about it.

But it didn’t. Because the two companies have been going at it for years now, ever since Google adopted, back in 2013, a policy of publicly disclosing unpatched security vulnerabilities that are being actively exploited.

This policy has angered Microsoft on several occasions since Windows is often the product being exploited. For example, in November 2016, Microsoft’s Terry Myerson lashed out at Google in the following manner.

“Google’s decision to disclose these vulnerabilities before patches are broadly available and tested is disappointing, and puts customers at increased risk,” he wrote at the time. “We believe responsible technology industry participation puts the customer first, and requires coordinated vulnerability disclosure.”

Well, Microsoft’s stance has shifted just a bit since then.

“Security is now a strong differentiator in picking the right browser,” a post on the Microsoft Security Response Center begins.


Worse, Microsoft didn’t randomly discover a flaw in Chrome, alert Google, and then wait some period of time before disclosing it publicly. Instead, it specifically started a project to “examine Google’s Chrome web browser” for security problems. And it found some. Alerted Google. And then disclosed them publicly, after taking careful note of how long Google took to fix them. In short, Microsoft just wanted some revenge on Google.

“We responsibly disclosed the vulnerability that we discovered along with a reliable [remote] exploit to Google on September 14, 2017,” the Microsoft post explains. “[But] the source code for the fix was made available publicly on Github before being pushed to customers … the stable channel of Chrome remained vulnerable for nearly a month after that commit was pushed to git.”

Calling Google out like that seems petty to me. Beneath what I believe Microsoft is all about.

Regardless, it’s time for both sides to grow up and work together. Take potshots at each other, sure. But not over security.
