MICROSOFT HAS UNCOVERED a remote code execution (RCE) vulnerability in the Chrome web browser and has taken the opportunity to lash out at Google while it's at it.
Microsoft's Windows security team isn't Google's biggest fan. Last year, Redmond penned a blog post criticising Google for not disclosing security vulnerabilities responsibly, after Google disclosed a major Windows bug before Microsoft was ready to patch it, something that has happened on multiple occasions.
Microsoft this week took the opportunity to demonstrate what it thinks is a responsible disclosure, and in a blog post has detailed a remote Chrome vulnerability that it discovered last month and disclosed to Google on 14 September.
"Our discovery of CVE-2017-5121 indicates that it is possible to find remotely exploitable vulnerabilities in modern browsers," Microsoft's Offensive Security Research (OSR) team said in its post. "Chrome's relative lack of RCE mitigations means the path from memory corruption bug to exploit can be a short one."
Google patched the problem within a week in its beta versions of Chrome, but Microsoft notes that, although now fixed, the stable and public channel "remained vulnerable for nearly a month."
This is a big deal, according to Microsoft, as it notes that Google made the source code for the fix available on GitHub ahead of the stable channel fix, which means - in theory, at least - that attackers had a month to exploit the bug.
"This can be expected of an open source project, but it is problematic when the vulnerabilities are made known to attackers ahead of the patches being made available," Microsoft said.
Microsoft takes a break to pat itself on the back, adding that while parts of its own Edge browser are also open source, "we believe that it's important to ship fixes to customers before making them public knowledge."
Google paid Microsoft a $7,500 bug bounty for disclosing the Chrome vulnerability, along with another $8,337 for other uncovered bugs, which the firm donated to charity.