Microsoft pokes Google for its handling of exploits

James Marshall
October 21, 2017

The Microsoft security researcher blasts this approach, writing that it is "problematic when the vulnerabilities are made known to attackers ahead of the patches being made available".

Recently, Microsoft found itself in a position to scold Google, the frequent finder and publisher of Microsoft exploits, and the company jumped at the opportunity.

Microsoft discovered a remote Chrome vulnerability last month and is now demonstrating what it feels is responsible disclosure.

"Chrome's process for servicing vulnerabilities can result in the public disclosure of details for security flaws before fixes are pushed to customers", Rabet added.

Just a month back, the tables were turned when Microsoft discovered a vulnerability in Google Chrome's code, which it highlighted in a blog post emphasizing the ethics of telling a company about its weaknesses. Microsoft reinforced that approach in the same post, calling on Google to follow suit with its own future discoveries. "We responsibly disclosed the vulnerability that we discovered along with a reliable remote code execution exploit to Google on September 14, 2017", explains Jordan Rabet, a Microsoft Offensive Security Research team member.

This would not usually be an issue; however, Google makes Chrome's source code freely available on GitHub ahead of the update to the stable version of the browser. Microsoft notified Google about the problem, which was patched last month.

Using the handle "msft-mmpc", the unnamed Microsoft author also noted that Google's method for dealing with Chrome bugs could "result in the public disclosure of details for security flaws before fixes are pushed to customers".

Discovering the exploit was only the beginning of Microsoft's work with Google, as the company then decided to take the opportunity to dish out a backhanded lesson in dealing with vulnerability discoveries. "What Microsoft should have done is take the high ground", Thurrott said. The consensus seems to be that perhaps it's time for both companies to renew their focus on the true prize: the security of their end users and customers.

Other reports by Click Lancashire