Over the last year, Google’s Project Zero has publicly called Microsoft to task by publishing vulnerabilities in Windows and Edge before the company could patch them. Microsoft has responded angrily to what it calls irresponsible reporting of security flaws. Today may be a sweet day for Redmond, giving Google Chrome some of its own medicine.
In a new blog post, the Windows security team details a remote Chrome vulnerability which was found last month.
“We responsibly disclosed the vulnerability that we discovered along with a reliable remote code execution exploit to Google on September 14, 2017,” explains Jordan Rabet, a Microsoft Offensive Security Research team member. “Google patched the problem within a week in its beta versions of Chrome, but the stable and public channel “remained vulnerable for nearly a month.”
The code execution was found by the Offensive Security Research (OSR) team through a method called fuzzing. The team lays out the following key components of the vulnerability:
- Our discovery of CVE-2017-5121 indicates that it is possible to find remotely exploitable vulnerabilities in modern browsers
- Chrome’s relative lack of RCE mitigations means the path from memory corruption bug to exploit can be a short one
- Several security checks being done within the sandbox result in RCE exploits being able to, among other things, bypass Same Origin Policy (SOP), giving RCE-capable attackers access to victims’ online services (such as email, documents, and banking sessions) and saved credentials
- Chrome’s process for servicing vulnerabilities can result in the public disclosure of details for security flaws before fixes are pushed to customers
Microsoft’s problem with Google Project Zero has not been that the team finds vulnerabilities, but how it reports them. The team was created to find zero-day exploits in third-party services and to warn software makers about the flaws. Project Zero has found issues in Windows 10 and the Microsoft Edge browser.
Project Zero gives developers 90 days to solve the problem with a patch before making the issue public. Microsoft has been critical of the approach, suggesting Google should work with software developers until a patch is found.
Terry Myerson, Executive Vice President, Windows and Devices Group, previously said Google’s 90-day limit ultimately puts customers at risk:
“We believe responsible technology industry participation puts the customer first, and requires coordinated vulnerability disclosure. Google’s decision to disclose these vulnerabilities before patches are broadly available and tested is disappointing, and puts customers at increased risk.”
Microsoft believes its method of warning Google and working with the company for a solution is the best approach. Google disagrees, although it does work with developers to patch flaws, the company argues putting pressure on companies will stop them shipping software with these vulnerabilities in the first place.
Fixing the Flaw
In terms of the Chrome bug, the company paid Microsoft’s $15,000 bug bounty (which was donated to charity). However, Microsoft is also angered by the way Google patched the problem. The company made the source code for the patch available on GitHub.
Microsoft says not releasing it on a stable channel gave attackers a month to find the vulnerability. It could potentially be retrofitted to bypass the new patch.
What we are seeing is a clear clash of methods and ideologies. While it would be easy to say Microsoft has put egg on Google’s face by finding this flaw. Although, Project Zero has found Microsoft services with their pants down too many times. For customers, it is better that these vulnerabilities are found and patched, but expect this divide in opinion to continue.