Google’s Project Zero security team has been keeping Microsoft busy by finding vulnerabilities in Windows and Edge, and on occasion announcing them publicly before Microsoft has patches available.
Google has also criticized Microsoft for patching Windows 10 before Windows 7 and earlier operating systems, thereby revealing to hackers which vulnerabilities are still present in the older versions of the operating system.
Last month it was Google’s turn to scramble: Microsoft’s Offensive Security Research (OSR) team found a bug in Google’s Chrome browser that allowed remote code execution, and as part of the disclosure process Microsoft also complained that Google’s method of patching could reveal the vulnerability before the fixes have rolled out.
Regarding the bug, which was discovered using a fuzzer (Google’s favourite tool), the OSR reports:
- Our discovery of CVE-2017-5121 indicates that it is possible to find remotely exploitable vulnerabilities in modern browsers
- Chrome’s relative lack of RCE mitigations means the path from memory corruption bug to exploit can be a short one
- Several security checks being done within the sandbox result in RCE exploits being able to, among other things, bypass Same Origin Policy (SOP), giving RCE-capable attackers access to victims’ online services (such as email, documents, and banking sessions) and saved credentials
- Chrome’s process for servicing vulnerabilities can result in the public disclosure of details for security flaws before fixes are pushed to customers
Google acknowledged the bug and paid Microsoft a $15,000 bug bounty (which Microsoft donated to charity), but Google’s approach to patching the bug also raised alarm at Microsoft. Google pushed a fix to the public V8 GitHub repository three days before pushing a fix to the browser and the Chromium project, giving quick-moving attackers three days to reverse engineer the fix and exploit the bug against hundreds of millions of Chrome users.
Given the acrimonious relationship between Google’s and Microsoft’s security teams, I expect this will not be the last such exchange over the next few months, but hopefully the result will be safer browsers and operating systems for us all.