Mozilla Firefox and Microsoft Edge have both fixed a serious security flaw, but their responses varied wildly. Developer advocate for Google Chrome Jake Archibald discovered the bug on March 1 and says Mozilla handled the vulnerability “brilliantly”.
Microsoft, not so much. The bug involves exploiting WAV audio in the browser to reveal personal data such as emails, Facebook feeds, and more. Exploitation requires a malicious site, but the flaw is scary and powerful.
A less severe version of the bug was found in one of Firefox’s beta builds, and Archibald says the team fixed it in three hours. The two sides communicated to find a good mitigation, and the vulnerability never made its way into a full release.
On the Edge of Incompetence
Microsoft, on the other hand, was silent for 20 days. Archibald tried to prompt a response by asking if he could present the flaw at a conference. It didn’t work. It took Archibald tugging on his contacts in the Microsoft Edge team to get confirmation that security was working on a fix.
After that, there was no communication for 14 days, and no word on the bounty, which is significant and was planned as a charity donation. It took a Twitter post to get Microsoft to finally talk, and the bug was eventually fixed on June 7.
In essence, it took Microsoft three months to do what Mozilla did in three hours. It’s not a good look for the company, and its users were at risk in the meantime. It’s not the first time Microsoft has been slow to respond, either. This has happened time and time again with Google’s Project Zero.
Thankfully, everything is fixed now and there hasn’t been any harm done, but Edge users should do this test and update their browser as soon as possible.