Microsoft’s Windows security team haven’t been happy with Google for the past year. While the pair are bitter rivals for a number of different reasons, Google disclosed a major Windows bug before Microsoft was ready to patch it last year. It irritated the company so much that Windows chief Terry Myerson authored a blog post criticizing Google for not disclosing security vulnerabilities responsibly. That resentment still remains today.
Microsoft discovered a remote Chrome vulnerability last month and is now demonstrating what it feels is responsible disclosure. In a new blog post, Microsoft’s Windows security team outlines a remote code execution issue in Chrome, and criticizes Google’s approach to security patches. “We responsibly disclosed the vulnerability that we discovered along with a reliable remote code execution exploit to Google on September 14, 2017,” explains Jordan Rabet, a Microsoft Offensive Security Research team member. Google patched the problem within a week in its beta versions of Chrome, but the stable and public channel “remained vulnerable for nearly a month.”
That wouldn’t normally be an issue for most software patches, but Microsoft criticizes Google’s approach of making the source code for the fix available on Github ahead of the stable channel fix. That gave attackers a month to discover the flaw. Rabet calls it “problematic when the vulnerabilities are made known to attackers ahead of the patches being made available.”
Despite these jabs, Microsoft’s long and detailed blog post is more about reminding the industry about its position on disclosing security patches. Microsoft takes the opportunity, more than once, to point out that it disclosed the Chrome bug privately, and that it will continue to do this to promote its approach across the industry.
Google has been criticized for its approach to vulnerability disclosures, allowing engineers to disclose details seven days after they’re reported to vendors. The search giant regularly finds and discloses security issues in Microsoft’s software, and occasionally publishes details before products are patched. It’s this approach that has angered Microsoft so much, and it’s clear the company will take any opportunity to call Google out on it.