Microsoft Criticizes Google’s Approach to Security Patches
Y’all know I don’t like to gossip… but there’s something that has been going on that I feel you should know about.
I repeat, it’s not gossip!
So, it’s like there is a low-key beef going on between Microsoft and Google.
It all started last year when Google did ‘gbeboroun’ and disclosed a major Windows bug before Microsoft was ready to patch.
As expected, it irritated the company so much that Windows chief Terry Myerson authored a blog post criticizing Google for not disclosing security vulnerabilities responsibly.
Apparently, Microsoft can keep a grudge because till today, it seems they’ve not forgotten that ‘snitching’ Google did.
Microsoft discovered a remote Chrome vulnerability last month and is now demonstrating what it feels is ‘responsible disclosure’ (but we all know it’s revenge snitching). In a new blog post, Microsoft’s Windows security team outlines a remote code execution issue in Chrome, and criticizes Google’s approach to security patches. “We responsibly disclosed the vulnerability that we discovered along with a reliable remote code execution exploit to Google on September 14, 2017,” explains Jordan Rabet, a Microsoft Offensive Security Research team member. Google patched the problem within a week in its beta versions of Chrome, but the stable and public channel “remained vulnerable for nearly a month.”
That wouldn’t normally be an issue for most software patches, but Microsoft criticizes Google’s approach of making the source code for the fix available on GitHub ahead of the stable channel fix. That gave attackers a month to discover the flaw. Rabet calls it “problematic when the vulnerabilities are made known to attackers ahead of the patches being made available.”
Despite these jabs, Microsoft’s long and detailed blog post is more about reminding the industry about its position on disclosing security patches. Microsoft takes the opportunity, more than once, to point out that it disclosed the Chrome bug privately, and that it will continue to do this to promote its approach across the industry.
Google has been criticized for its approach to vulnerability disclosures, allowing engineers to disclose details seven days after they’re reported to vendors. The search giant regularly finds and discloses security issues in Microsoft’s software, and occasionally publishes details before products are patched. It’s this approach that has angered Microsoft so much, and it’s clear the company will take any opportunity to call Google out on it.