Microsoft pokes Google for its handling of exploits

Kareem Anderson

Recently, Microsoft found itself in the position to scold its frequent exploit nuisance finder Google, and boy did the company jump at the opportunity.

In addition to Google’s task of patching the WPA2 vulnerability that affects over millions of Android devices, the company had to address an exploit in its Chrome browser recently uncovered by Microsoft.

Based on Microsoft’s Offensive Security Research (OSR) publishings, the company discovered a remote execution exploit that enables hackers to steal passwords saved in the Chrome browser.

More specifically,

  • Some of our key findings include the following:
    Our discovery of CVE-2017-5121 indicates that it is possible to find remotely exploitable vulnerabilities in modern browsers
  • Chrome’s relative lack of RCE mitigations means the path from memory corruption bug to exploit can be a short one
  • Several security checks being done within the sandbox result in RCE exploits being able to, among other things, bypass Same Origin Policy (SOP), giving RCE-capable attackers access to victims’ online services (such as email, documents, and banking sessions) and saved credentials
  • Chrome’s process for servicing vulnerabilities can result in the public disclosure of details for security flaws before fixes are pushed to customers

Discovering the exploit was only the beginning of Microsoft’s work with Google as the company then decided to take the opportunity to try and dish out a backhanded lesson in dealing with vulnerability discoveries.

Our strategies may differ, but we believe in collaborating across the security industry in order to help protect customers. This includes disclosing vulnerabilities to vendors through Coordinated Vulnerability Disclosure (CVD), and partnering throughout the process of delivering security fixes.

Despite some very public finger wagging by Google a few days ago over a Windows 7 exploit the company felt Microsoft was putting its customer at risk as it sought to apply a fix, Microsoft tried to take higher ground by allowing Google to patch its vulnerability before making the exploit public knowledge. The company’s approach was then reinforced in its publishing where Microsoft called on Google to consider following in kind with their own future discoveries.

There is no reason to believe that Google will heed Microsoft’s example, but this recent situation does highlight the differences between a veteran software company versus the relatively new comer to the industry.