Microsoft and Google are at it again. The point of contention, this time around, is related to the vulnerabilities in the Chrome web browser which the latter makes for PCs. Microsoft discovered a vulnerability in the Chrome web browser, and has now made the details public in what it feels is a responsible disclosure. Microsoft’s security team has identified and detailed a remote code execution process in the Chrome browser running on Windows PCs, and called out Google’s lax attitude towards patching that vulnerability.
In an official blog post, Jordan Rabet of Microsoft’s Offensive Security Research Team says, “In this specific case, the stable channel of Chrome remained vulnerable for nearly a month after that commit was pushed to git. That is more than enough time for an attacker to exploit it.” Git refers to GitHub, which is a software development platform and a repository for distributed software. On its part, Google had rolled out a fix for the vulnerability on GitHub within four days of the initial report, but did not roll out the update on the stable channel for almost a month—stable channel is the route by which you get updates for the newest versions of Google Chrome on our PCs.
Microsoft surely has a point here, because it believes that the vulnerability patch should have been released to all Chrome browser users automatically and urgently, and not just on a platform where most common users would not check.
This, as it turns out, is a chance for Microsoft to get back at Google. The latter has often publically criticized Microsoft in the past. In October last year, Google’s Threat Analysis team had disclosed what it claimed was a critical vulnerability in the Windows operating system, in a public post no less. It had detailed the bug specifically, which was allowing attackers to bypass security measures through a flaw in the win32k system. This happened before Microsoft had a patch ready to roll out to users, and needless to say, Microsoft was not impressed.
It was perhaps expected that Microsoft would use this opportunity to talk about the security advantages of its own Edge web browser.
While this game of getting one over the other is all fine as long as it is done in good spirits, but it might be time for both companies to perhaps take a step back, as publically pointing fingers at each other while revealing complete details of vulnerabilities that may or may not have been patched, does put PC security of millions of users at risk.