Computer Active (UK)

Microsoft exposes Chrome flaw in tit-for-tat war with Google


Microsoft has slammed Google for not immediately fixing a security flaw in its Chrome browser, in the latest clash between the two tech rivals.

In a blog post (www.snipca.com/26009) Microsoft says it found a flaw in Chrome, and notified Google on 14 September, receiving a ‘bounty’ payment of $15,837 (£12,000). Google fixed it within a week in the beta version of Chrome, which Microsoft acknowledged was “impressive”.

But Microsoft criticised Google for publishing details of the fix on GitHub (https://github.com) – where software developers release source code for others to use – before fixing the full version of Chrome, which it failed to do for almost a month. Microsoft said this gave hackers “more than enough time” to exploit it.

The company’s comments come after heavy criticism this year from Google’s Project Zero team, which has accused Microsoft of leaving flaws unfixed even after being told about them.

Most recently Google criticised Microsoft for fixing flaws in Windows 10, but not 7 and 8.1, creating a “false sense of security for users of the older systems” (see ‘Question of the Fortnight’, Issue 513).

Google’s policy, strongly criticised by Microsoft, is to go public with a security flaw if a company hasn’t fixed it within 90 days of being notified.

In its report, Microsoft said that its strategy differs from Google’s, and urged companies to use the principle of ‘Coordinated Vulnerability Disclosure’, in which, before going public, the ‘finder’ of the flaw lets the affected company fully test “updates, workarounds, or other corrective measures”.
