Since Microsoft launched the Edge web browser for Windows 10, the company and Google have been locked in a browser battle. To be fair, it is a battle Google's market-leading Chrome is comfortably winning. However, Microsoft Edge has managed to score a few minor wins in terms of speed and security tests.
Now Google has ramped up to the next level and is stoking the fire against Microsoft Edge. The company has disclosed an Edge security vulnerability before Microsoft has sent out a patch.
This information comes from Google Project Zero, a division that is made up of a team of security analysts. The point of the team is to look for zero-day vulnerabilities. Google opened the division in 2015 and warns software providers of any vulnerabilities found in their products.
Using the full-time team, Google looks for flaws in software, giving developers and publishers 90 days to patch problems. If no fix is issued in that time, Project Zero will make the security flaw public.
Indeed, it was almost a year ago that Project Zero issued a report on another Microsoft Edge problem. This time, the company says the flaw is rated as medium in terms of risk. As usual, Google told Microsoft and gave it 90 days to issue a patch.
That was back in November, and a 14-day grace period was added at the start of this month. Microsoft had the additional time to issue a fix through its February Patch Tuesday. That has come and gone, so Google has decided to go public. Microsoft says it missed the deadline because “the fix is more complex than initially anticipated.”
Microsoft against Project Zero
Microsoft has often been critical of Google Project Zero. Its problem has not been that the team finds vulnerabilities, but how it reports them. The team was created to find zero-day exploits in third-party services and to warn software makers about the flaws. Project Zero has found issues in Windows 10 and the Microsoft Edge browser.
Terry Myerson, Executive Vice President, Windows and Devices Group, previously said Google's 90-day limit ultimately puts customers at risk:
“We believe responsible technology industry participation puts the customer first, and requires coordinated vulnerability disclosure. Google's decision to disclose these vulnerabilities before patches are broadly available and tested is disappointing, and puts customers at increased risk.”