Google’s Project Zero security team has been keeping Microsoft busy finding exploits in Windows and Edge, and on occasion announcing them publicly before Microsoft has patches available.
The company has also criticized Microsoft for patching Windows 10 before Windows 7 and earlier operating systems, thereby revealing to hackers which vulnerabilities are still present in the older versions of the operating system.
Last month it was Google’s turn to scramble, as Microsoft’s Offensive Security Research (OSR) team found a bug in Google’s Chrome browser which allowed remote code execution, and as part of the process Microsoft also complained that Google’s method of patching could also reveal the compromises before the fixes have rolled out.
Regarding the bug, which was discovered using a fuzzer (Google’s favourite tool), the OSR reports:
Google acknowledged the bug and paid Microsoft a $15,000 bug bounty (which Microsoft donated to charity), but their approach to patching the bug also raised alarm at Microsoft. Google pushed out a fix to the V8 GitHub repository three days before pushing out a fix to the browser and the Chromium project, giving fast hackers 3 days to reverse engineer and exploit the hundreds of millions of Chrome users.
Given the acrimonious relationship between Google and Microsoft’s security teams I expect this will not be the first such exchange over the next few months, but hopefully, the result will be safer browsers and operating systems for us all.
Source: Technet, via BleepingComputer