Slashdot Mirror


Microsoft Chastises Google Over Chrome Security (pcmag.com)

An anonymous reader quotes PCMag: In a Wednesday blog post, Redmond examined Google's browser security and took the opportunity to throw some shade at Chrome's security philosophy, while also touting the benefits of its own Edge browser. The post, written by Microsoft security team member Jordan Rabet, noted that Google's Chrome browser uses "sandboxing" and isolation techniques designed to contain any malicious code. Nevertheless, Microsoft still managed to find a security hole in Chrome that could be used to execute malicious code on the browser.

The bug involved a JavaScript engine in Chrome. Microsoft notified Google about the problem, which was patched last month. The company even received a $7,500 reward for finding the flaw. However, Microsoft made sure to point out that its own Edge browser was protected from the same kind of security threat. It also criticized Google for the way it handled the patching process. Prior to the patch's official rollout, the source code for the fix was made public on GitHub, a software collaboration site that hosts computer code. That meant attentive hackers could have learned about the vulnerability before the patch was pushed out to customers, Microsoft claimed. "In this specific case, the stable channel of Chrome remained vulnerable for nearly a month," the blog post said. "That is more than enough time for an attacker to exploit it."

In the past Google has also disclosed vulnerabilities found in Microsoft products -- including Edge.

111 comments

  1. Really? by Anonymous Coward · · Score: 5, Insightful

    Do we point out Microsoft's long and illustrious history of ignoring critical security flaws now or...

    Do we just point out Chrome isn't crashing computers with their security updates, thus training their users to turn off automatic updates?

    I know, I know, it's not the same thing exactly. But you know what they say about people in glass houses.

    1. Re:Really? by dreamchaser · · Score: 4, Insightful

      I would actually prefer that the major players all try to keep each other honest.

    2. Re:Really? by Billly+Gates · · Score: 1, Troll

      You do know IE 6 came out almost 17 years ago right?

    3. Re:Really? by Anonymous Coward · · Score: 0

      Microsoft sucked at security before, they don't now. So? What's important is what they are doing now, not what they used to do in the past.

    4. Re:Really? by rtb61 · · Score: 2

      How about I can uninstall chrome and gain privacy from google but I can not uninstall wildly privacy invasive elements of Windows 10 and I can not stop M$ installing what ever software they want to unless I never connect a Windows 10 computer to the internet, literally impossible and I can stop Google from installing software on my computer. Google may claim a right to my privacy but M$ actually claims a right to my privacy, my PC and my internet connection, well, if I am stupid enough to run Windows 10.

      You can not secure Windows 10 from the worst bastards of the lot M$.

      --
      Chaos - everything, everywhere, everywhen
    5. Re:Really? by Anonymous Coward · · Score: 0

      Microsoft sucked at security before, they don't now. So? What's important is what they are doing now, not what they used to do in the past.

      There is more than one aspect to software security. For example (sorry if this formatting is weird - lists on Slashdot don't work so good for me)

      • 1) be good at delivering software that does what you want to do
      • 2) be good at securing the work of the people delivering the software
      • 3) be good at understanding your customers actual needs and delivering those
      • 4) be good at showing your customers exactly what you are delivering so that they can know how to deal with it.

      Microsoft used to suck at all of the above, especially the ones which involve conflicts of interest. For example they made email attachments easy to run even though everybody knew that was insecure because they wanted to get more software distributed for Windows. They now started to fix 1) and to a small extent 2). They are actually getting worse at 3). Before they used to deliver simple operating systems that let their customers do what they want. Now they deliver spyware and monitoring which bring the customer's data back to central databases where it is vulnerable to breaches by enemies.

      Don't be fooled by the pretense that Microsoft is getting better at "security". They are getting better at their own security, which is not your own security.

    6. Re:Really? by geekmux · · Score: 3, Insightful

      I would actually prefer that the major players all try to keep each other honest.

      Being honest is one thing, which I do appreciate.

      That said, Microsoft doesn't have the right to bash a garage-band IoT maker about security flaws response.

    7. Re:Really? by thegarbz · · Score: 1

      Do we just point out Chrome isn't crashing computers with their security updates, thus training their users to turn off automatic updates?

      Huh? You can turn off security updates in Chrome and Windows?

    8. Re:Really? by GrumpySteen · · Score: 2

      You do know that the person you replied to didn't mention IE 6, right?

    9. Re:Really? by dreamchaser · · Score: 5, Insightful

      I would actually prefer that the major players all try to keep each other honest.

      Being honest is one thing, which I do appreciate.

      That said, Microsoft doesn't have the right to bash a garage-band IoT maker about security flaws response.

      Everyone, from the lone user to a mega-corporation, has the right to call out security flaws on anyone who exposes others to risk.

    10. Re:Really? by geekmux · · Score: 2

      Microsoft sucked at security before, they don't now...

      Given Microsoft Telemetry, I really don't see products as any more secure, even when the masses exchange privacy for a free upgrade.

    11. Re:Really? by Anonymous Coward · · Score: 0

      >> I would actually prefer that the major players all try to keep each other honest.

      I was thinking more along the lines of those 1960s movies of giant dinosaurs fighting while the about-to-be-eaten explorers sneak out of the scene.

      > That said, Microsoft doesn't have the right to bash a garage-band IoT maker about security flaws response.

      This is like the big bad dinosaur eating a friendly elephant-sized herbivore that we created since it hatched. We may get to escape, too, but we feel sorry that a friend was killed (digression: BTW, if you're in certain parts of Asia, that's what Westerners feel about eating dogs).

      I have to agree both with dreamchaser and with you, geekmux.

      I was one of those whose first reaction would be bashing M$ for their awful history of incompatibility with competition. Then I remembered the all-too-fresh case of the WPA2 bug, which amazingly and totally out of their character M$ seem to have got right this _single_ time, while Google seems unable to enforce upon distributors of Android.

      Thus, all my Linux computers (yes, I use several -- old but useful) became protected within 24h (at least from the news appearing to me), while all smartphones here remain unpatched; also, the last time I had a problem with the router, I bought a new one without the vulnerability (the old one needed replacement anyway). Now, I may be forced to flash new firmware onto my otherwise quite good router (and repeater!).

      Not to mention the operator's cable modem/router which I wonder if I can flash (or even, given that I can, if I have the legal right to do it, since it's not mine).

      Yeah, this last one really hit the fan...

      Captcha: "brevity". Folks, if someone is reading these posts in advance, the sarcasm is not funny anymore, mmmkay?

    12. Re:Really? by Anonymous Coward · · Score: 0

      You do know that the OP mentioned Microsoft failed at patching critical security flaws, of which IE 6 had many.

      So it's entirely relevant to mention it. But please continue to show your ignorance for our entertainment.

    13. Re:Really? by Anonymous Coward · · Score: 0

      Considering how completely useless Edge is, this is quite hilarious. Seriously, it is easily the most useless and retarded browser in existence. It's actually worse than Internet Explorer -- which is not easy to do.

    14. Re:Really? by Anonymous Coward · · Score: 0

      Do we point out Microsoft's long and illustrious history of ignoring critical security flaws now or...

      Look, fuck Microsoft and everything they stand for, but let's drop the Whataboutism. This is a fair criticism and just because someone else isn't perfect doesn't mean they can't point out a flaw. They should and they did. Chrome team needs to just take their medicine on this one.

      Oh and fuck Microsoft and fuck Edge, the shittiest browser I've ever used.

    15. Re:Really? by Bing+Tsher+E · · Score: 1

      Do you have a cite for that, and not just drive-by FUD?

    16. Re:Really? by Anonymous Coward · · Score: 0

      Did they stop having security flaws with IE 7? 8? Edge? Office? Sharepoint? Exchange? Skype? (continue listing all of Microsofts products...)

      You want to talk ignorance and then act like there hasn't been ample evidence of bugs from Microsoft Products in the last 16 years...

    17. Re:Really? by geekmux · · Score: 1

      I would actually prefer that the major players all try to keep each other honest.

      Being honest is one thing, which I do appreciate.

      That said, Microsoft doesn't have the right to bash a garage-band IoT maker about security flaws response.

      Everyone, from the lone user to a mega-corporation, has the right to call out security flaws on anyone who exposes others to risk.

      I was more intending to highlight the fucking irony of Microsoft doing so. As others have said, those in glass houses...

    18. Re:Really? by Dutch+Gun · · Score: 3, Insightful

      Agreed. In addition, I'd definitely recommend reading the original Microsoft blog post. It's actually not nearly so flame-bait-ish as the breathless headlines and summary imply. It's a fascinating piece of technical detective work, and I think that, while they obviously use this as good propaganda to promote their own technology, the issues they presented seem fair to me.

      They also gave Google kudos where that was deserved, but that doesn't make for very good headlines. For instance:

      This kind of attack drives our commitment to keep on making our products secure on all fronts. With Microsoft Edge, we continue to both improve the isolation technology and to make arbitrary code execution difficult to achieve in the first place. For their part, Google is working on a site isolation feature which, once complete, should make Chrome more resilient to this kind of RCE attack by guaranteeing that any given renderer process can only ever interact with a single origin. A highly experimental version of this site isolation feature can be enabled by users through the chrome://flags interface.

      And consider this:

      Servicing security fixes is an important part of the process and, to Google’s credit, their turnaround was impressive: the bug fix was committed just four days after the initial report, and the fixed build was released three days after that. However, it’s important to note that the source code for the fix was made available publicly on Github before being pushed to customers. Although the fix for this issue does not immediately give away the underlying vulnerability, other cases can be less subtle.

      Note that they don't actually blame open source. That would be foolish, as they're embracing it more and more themselves.

      Some Microsoft Edge components, such as Chakra, are also open source. Because we believe that it’s important to ship fixes to customers before making them public knowledge, we only update the Chakra git repository after the patch has shipped.

      --
      Irony: Agile development has too much intertia to be abandoned now.
    19. Re:Really? by Anonymous Coward · · Score: 0

      You are right.

      Because of Microsoft's bad track record of security ... ... Microsoft should not reveal security flaws they find in competitor's products.

      Although the public would be harmed by this behavior, it is a small price to pay because of Microsoft's history of security is bad and they have no right to talk about security.

    20. Re:Really? by Trax3001BBS · · Score: 1

      Why it hasn't been exploited yet, I don't know. But since day one the Windows Firewall lets traffic pass without notification.
      This link claims it's for Windows Product Activation https://support.microsoft.com/... and always open. When first released it was known to pass any with a license held by microsoft.

      Takes me Autoruns, and gpedit to disable the Windows firewall and defender.

    21. Re:Really? by epine · · Score: 1

      They also gave Google kudos where that was deserved, but that doesn't make for very good headlines.

      Empirically, one can only conclude that nerds like headlines and summaries that suck moonshite, it's what gives our puny, breathless existence meaning and purpose.

      I tend to judge by the worse thing a person or organization won't fix. Unicode is beyond annoying, but the weedy quality of story summaries here (not all of them, but a sizeable proportion) is far and away the worst thing Slashdot won't fix.

      Yet Slashdot persists in running under the banner of "news for nerds" so I was ultimately forced to concede my prior conception of a nerd as being someone who hews too close to material factuality for his or her social betterment as a false idol.

      Material factuality remains a stretch aspiration.

    22. Re: Really? by Anonymous Coward · · Score: 0

      Nice strawman. He never said that. He said it's ok to bash them. Not that they shouldn't release flaws because they themselves suck at security.

    23. Re:Really? by pthisis · · Score: 2

      Yes. The real problem is that Microsoft is advocating for slow-rolling disclosure of security vulnerabilities by hiding patches until the stable release comes out. That's fine, it's not an insane stance, but they're presenting it as though that's obvious and noncontroversial and that there are no drawbacks to their methodology and no advantages to Google's full disclosure policy. That's where they're being disingenuous--full disclosure vs. slow disclosure is one of the more hotly debated topics in security circles, and Microsoft knows it (or should).

      If they want to advocate for slow disclosure, they should at least acknowledge that they're taking one side of a controversial topic about which a lot of serious security people disagree, not pretend that Google is just doing something recklessly idiotic and should clearly do things the Microsoft way.

      Bruce Schneier summarizes the counterargument here: https://www.schneier.com/essay...

      On the surface slow-rolling things seems like a good idea--why show the attackers the breach before you've repaired the wall? The problem with that line of thinking is that it presumes that you're the only one who's found the breach, and that attackers aren't already exploiting it. That's generally naïve, you have no way of knowing whether a vulnerability is being actively exploited or not.

      By disclosing fully, you make it possible for people to protect themselves or to make judgements about how serious the issue is for them. You also make companies take security more seriously in the future, which hopefully leads to greater global security even if the local impact is muddier.

      There are obvious trade-offs the other way, as well. But Microsoft pretending that full disclosure is inherently bad for security is duplicitous.

      --
      rage, rage against the dying of the light
    24. Re:Really? by hcs_$reboot · · Score: 1

      You do know IE 6 came out almost 17 years ago right?

      More importantly, how long did developers and businesses have to suffer from this garbage browser?

      --
      Slashdot, fix the reply notifications... You won't get away with it...
    25. Re:Really? by Billly+Gates · · Score: 1, Informative

      Did they stop having security flaws with IE 7? 8? Edge? Office? Sharepoint? Exchange? Skype? (continue listing all of Microsofts products...)

      You want to talk ignorance and then act like there hasn't been ample evidence of bugs from Microsoft Products in the last 16 years...

      Ok how many exploits have been found in Chrome, Firefox, Linux, or any other product not from Microsoft? So far Chrome has 9 pages worth!

      It's not reported here because we love Linux and Google is cool and we hate Microsoft. I do say this not as a troll but fact with the audience and who selects stories here. My point is most complex software has flaws. Stuff written in C/C++ has lots too as bounds checking and code execution around a buffer overflow were common and both Windows and Unix historically had these problems. Though by default the C libraries in both platforms now prevent this or try to mitigate.

      Microsoft has a security buddy now for each product which analyzes and gives project managers security details which is how Microsoft products changed after the 2005 memo. It's why Vista got those annoying UAC prompts and why later webpages made for IE 6 started to have trouble rendering in later versions.

    26. Re:Really? by Billly+Gates · · Score: 1

      You do know IE 6 came out almost 17 years ago right?

      More importantly, how long did developers and businesses have to suffer from this garbage browser?

      My last employer still used IE 6 heavily. Actually our customers did. 1/3 of our enterprise customers still in 2017 still standardized and developed for IE 6 as the code was written between 1999 - 2004 when it had 95% marketshare and we all logically thought no changes would ever be made again since Microsoft set the standards which was common at the time.

      Due to technical debt and the importance of the apps it is impossible to ever upgrade. They waited until 2014 to leave XP behind due to IE 6 and decided to have us host Citrix running unpatched Windows Server 2003 to keep their critical apps going.

      It was a pain at around 2015 when UPS stopped supporting IE 6 as our agents were screaming to install Chrome (total HIPAA violation). After threatening us all with job termination we installed Chrome without telling the client secretly to keep our jobs since our call flow REQUIRED our agents to check in with UPS on deliveries ... face to palm.

      I left the company a few months later as I would be fired anyway by the auditors for installing Chrome and the customer/managers would deny they told me to install it so it's on me etc. What is also scary is the other client that used IE 6 processed credit cards and social security numbers.

      We have a problem which Equifax is just now showing. It is non technical MBA types bossing IT around and outsourcing who compromise security and of course whose jobs are always secure.

    27. Re:Really? by tlhIngan · · Score: 1

      Unicode is beyond annoying

      /. has supported Unicode for over a decade now (it was implemented as part of Slashdot.jp, for obvious reasons).

      The problem has always been people who do nothing but use Unicode to abuse the site layout - there's a lot of Unicode codepoints out there and a lot of them have side effects that allow you to easily mess up websites. It's a sure sign of "Unicode is so easy let's add it" and then two days later the comment area is rendered useless because all the trolls abuse it.

      And besides screwing up site layouts using the various text flow codepoints (e.g., RTL override) they can also add all the various character adornments that can render a single sentence into a huge block of black. And since most Unicode renderers do not properly handle hundreds of adornments, you end up with a black blob in the middle of the webpage. /. took the easy way out and added a character whitelist - which only includes the ASCII table set. In theory they could add more characters to the whitelist as well, but they haven't.

    28. Re:Really? by KingBenny · · Score: 1

      nope, i would call this "healthy competition" as long as it results in the bug getting patched, just keep 'em hacking at each other

      --
      Free speech was meant to be free for all... how can anyone grow up in a nanny state ?
  2. The failure of open source security by Anonymous Coward · · Score: 0, Troll

    Was demonstrated once more by the Equifax mega breach.

    1. Re:The failure of open source security by Anonymous Coward · · Score: 0

      https://www.wired.com/story/eq...

      It does not matter what you run if you treat your security in the way Equifax does..

    2. Re:The failure of open source security by Anonymous Coward · · Score: 0

      The patched software had already been released. Equifax failed to apply the patch. That can and does happen with closed source software too.

    3. Re:The failure of open source security by Anonymous Coward · · Score: 3, Insightful

      In a professional setting, updates are tested on a test server to make sure they don't break anything before they are applied to production servers. And the moment they are applied is planned carefully. Auto update is irrelevant there, what is relevant is that Equifax didn't handle their environment like a professional should.

    4. Re:The failure of open source security by Anonymous Coward · · Score: 0

      That sounds reasonable but tend to not work out for non-trivial systems. It's better to always update, even in production, and detect failures and mitigate them. You have workload tests that you can run in production, right? If they start failing then pause the update roll-out and take the already updated systems out of service for investigation. This is trivial to automate.

      Doing manual updates and testing that every single aspect of the workload works before applying it to production is a nightmare. It takes huge amounts of work and a lot of failures will never be detected until you hit production anyway. It leads to production systems falling way behind, eventually you just stop patching altogether. It's not like Equifax is unique in any way.

    5. Re:The failure of open source security by najajomo · · Score: 2

      Anonymous Coward: 'Was demonstrated once more by the Equifax mega breach.'

      The Equifax mega breach demonstrated what happens when a company with an annual turnover of US$ 3.1 billion, uses software on an Internet facing machine without testing it for security vulnerabilities. In fact they didn't even have a patch strategy in place or even know who was responsible for implementing such patches.

    6. Re:The failure of open source security by I'm+New+Around+Here · · Score: 1

      That sounds reasonable but tend to not work out for non-trivial systems. It's better to always update, even in production, and detect failures and mitigate them.

      You've had experience mitigating boot failures on 50,000 PCs, while every minute of downtime is costing the company many thousands of dollars?

      --
      If you think I voted for Trump because of this post, you're wrong. I voted for Dr. Jill Stein of the Green Party. Again.
    7. Re: The failure of open source security by Anonymous Coward · · Score: 0

      That sounds reasonable but tend to not work out for non-trivial systems. It's better to always update, even in production, and detect failures and mitigate them.

      You've had experience mitigating boot failures on 50,000 PCs, while every minute of downtime is costing the company many thousands of dollars?

      No, because I release/stage updates to a small pilot group first the first night(s) and only roll them out to the masses if the pilot group(s) have no issues or only when those issues are resolved.

      I suppose your "ignore problems and then blame any/everyone else" for not properly managing your infrastructure style works for you too.

    8. Re: The failure of open source security by q_e_t · · Score: 1

      That sounds reasonable but tend to not work out for non-trivial systems. It's better to always update, even in production, and detect failures and mitigate them.

      You've had experience mitigating boot failures on 50,000 PCs, while every minute of downtime is costing the company many thousands of dollars?

      No, because I release/stage updates to a small pilot group first the first night(s) and only roll them out to the masses if the pilot group(s) have no issues or only when those issues are resolved.

      I suppose your "ignore problems and then blame any/everyone else" for not properly managing your infrastructure style works for you too.

      Ahh... not auto-updates, then.

    9. Re: The failure of open source security by I'm+New+Around+Here · · Score: 1

      It does seem like he is claiming both sides of that issue.

      --
      If you think I voted for Trump because of this post, you're wrong. I voted for Dr. Jill Stein of the Green Party. Again.
    10. Re: The failure of open source security by Anonymous Coward · · Score: 0

      Automated updates does not mean that every single host applies the update at the same time though.

    11. Re: The failure of open source security by q_e_t · · Score: 1

      Automated updates does not mean that every single host applies the update at the same time though.

      If you are testing on a subset, then deciding whether or not these then are applied to a wider set of machines, I am hard pressed to see how that is an auto-update and not a traditional test and release methodology.

  3. Of course by phantomfive · · Score: 2

    Good has some really good programmers, and so does Microsoft. In the past they were even more impressive.

    But both of them are now process driven companies, primarily focused on not overturning the boat, and the result is code that follows process. As long as process is followed, you don't have to worry about whether you did a good job or not. Just go home at the end of the day. That is the mentality of the vast majority of mediocre programmers at both companies.

    --
    "First they came for the slanderers and i said nothing."
    1. Re:Of course by Anonymous Coward · · Score: 0

      Good has some really good programmers, and so does Microsoft. In the past they were even more impressive.

      But both of them are now process driven companies, primarily focused on not overturning the boat, and the result is code that follows process. As long as process is followed, you don't have to worry about whether you did a good job or not. Just go home at the end of the day. That is the mentality of the vast majority of mediocre programmers at both companies.

      Yep. We are just better used for open-source products. It is embarrassing to see Google's poor project management and over-staffing of mediocrity on full display in the Chromium project.

    2. Re:Of course by swillden · · Score: 1

      Good has some really good programmers, and so does Microsoft. In the past they were even more impressive. But both of them are now process driven companies, primarily focused on not overturning the boat, and the result is code that follows process. As long as process is followed, you don't have to worry about whether you did a good job or not. Just go home at the end of the day. That is the mentality of the vast majority of mediocre programmers at both companies.

      Cite?

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
    3. Re:Of course by phantomfive · · Score: 1

      Which part exactly do you disagree with?

      --
      "First they came for the slanderers and i said nothing."
    4. Re:Of course by hcs_$reboot · · Score: 1

      In the past they were even more impressive

      One of them, yes (hint: not MS)

      --
      Slashdot, fix the reply notifications... You won't get away with it...
    5. Re:Of course by swillden · · Score: 1

      Which part exactly do you disagree with?

      I didn't say I disagreed (or agreed), I just asked for substantiation of your claims. Are you speaking from personal experience, having worked at Microsoft and Google? Are you relaying information from friends who work there? Do you have some other sort of basis for your claim?

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
    6. Re:Of course by phantomfive · · Score: 1

      You'll have to narrow it down a bit more, I'm not going to give you a citation for every sentence in my post. If there's something I said that seems particularly unlikely, let me know, and I will either give some evidence to support it, give it a disclaimer, or outright retract it.

      --
      "First they came for the slanderers and i said nothing."
    7. Re:Of course by swillden · · Score: 1

      You'll have to narrow it down a bit more, I'm not going to give you a citation for every sentence in my post. If there's something I said that seems particularly unlikely, let me know, and I will either give some evidence to support it, give it a disclaimer, or outright retract it.

      There wasn't that much in the post in question. But, here:

      But both of them are now process driven companies, primarily focused on not overturning the boat, and the result is code that follows process.

      And

      As long as process is followed, you don't have to worry about whether you did a good job or not. Just go home at the end of the day.

      And

      That is the mentality of the vast majority of mediocre programmers at both companies.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
    8. Re:Of course by phantomfive · · Score: 1

      But both of them are now process driven companies, primarily focused on not overturning the boat, and the result is code that follows process.

      I see evidence of this in a lot of different places. For Microsoft, there is this, and from what I've heard from people who worked there, it's basically like that all over Microsoft. Similarly, you can see the results in their products (that link shows an example of their processes entering the product in an obvious way). Similarly, at Google, I've talked to people who work there, and it seems about the same. Again you can see it in the output of their product (they must have some good people on the search team, though).

      Honestly though, looking at the turnover at these two companies (check out their turnover rate) you have to focus on process, because you need them to be able to replace engineers when they leave.

      As long as process is followed, you don't have to worry about whether you did a good job or not. Just go home at the end of the day

      This isn't an assertion about Microsoft or Google, it's a description of how process driven companies are in general. This has been my experience both observing and being a part of them.

      That is the mentality of the vast majority of mediocre programmers at both companies

      This is what I get from talking to people who've worked there. Note that not everyone is a mediocre programmer.

      --
      "First they came for the slanderers and i said nothing."
  4. Pot criticises kettle by cyber-vandal · · Score: 1

    Says it has poor cleanliness standards.

    1. Re:Pot criticises kettle by Anonymous Coward · · Score: 0

      Says it has poor cleanliness standards.

      Yeah, but I think we can actually see two companies competing with each other to be more secure. Google has been showing up Microsoft's security process as inadequate for years now. This is like the very first time a novice badminton player wins a set. Now they are going to find both sides up their game. The sad thing is that it's two companies that care about your data only because they want privileged access to sell the use of it on to others. Neither of them will ever properly do security because they ignore the most important part - privacy without which the rest doesn't work. Apple is sort of doing the privacy aspect, what we need now is a competitor to Apple who will push the market forward in that direction.

    2. Re:Pot criticises kettle by Anonymous Coward · · Score: 0

      Coming up next: Microsoft to chastise Google for invasion of privacy.

    3. Re: Pot criticises kettle by Anonymous Coward · · Score: 0

      And being "too cozy" with Three Letter Orgs. No NSA backdoors in Microsoft products, no siree...

    4. Re:Pot criticises kettle by Billly+Gates · · Score: 4, Informative

      IE 6 was made 17 years ago.

      Disclaimer: I am using Chrome, so I am not drinking the Kool-Aid.

      MS changed to being secure in 2004 with the famous Bill Gates memo. IE 8 matched Chrome 1.0 with kernel level sandboxing in %appdata/lowrights and per threading process since 2009. Firefox just matched IE 8's security this year which is why I dumped it for Chrome in 2011 after the 4.0 fiasco.

      IE 9 started the change to standards with hardware acceleration and IE 11/Edge are fully 100% W3C compliant. In fact, I think IE 10 is W3C compliant too and no longer sucked but was a bit behind Chrome and Firefox at the time.

      Anyway I welcome the rapid improvement to security and standards compliance for both. Where Edge sucks is it is more of a mobile browser than a desktop and had issues crashing during the initial Windows 10 build 204100 release 2015. But that is my take.

    5. Re:Pot criticises kettle by drinkypoo · · Score: 2

      MS changed to being all spyware, all the time with Windows 10.

      An OS which spies on you is the diametric opposite of security.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    6. Re:Pot criticises kettle by Anonymous Coward · · Score: 0

      Oh, cool, it's the desktop support guy weighing in with outlandish statements like "MS changed to being secure in 2004". I wish, then there wouldn't be hundreds of millions of Windows computers infected with malware and spyware right now.

    7. Re:Pot criticises kettle by Anonymous Coward · · Score: 0

      MS changed to being secure in 2004 with the famous Bill Gates memo.

      This is nonsense. "Being secure" isn't a binary switch you can just flip on. Did they put a greater emphasis on security? Sure. Can you reasonably describe that as "changing to being secure"? That's ludicrous.

      IE 9 started the change to standards with hardware acceleration

      This too is nonsense. Hardware acceleration has nothing to do with it, and Microsoft's "change to standards" can't be pinned down to a single version, it happened over a much longer period of time.

      IE 11/Edge are fully 100% W3C compliant. In fact, I think IE 10 is W3C compliant too

      More nonsense that just shows how little you know. The W3C is a standards organisation, not a standard itself; there's no such thing as "100% W3C compliant". They publish hundreds of specifications and no single piece of software comes anywhere near implementing them all because they cover all sorts of different things.

    8. Re:Pot criticises kettle by wjcofkc · · Score: 1

      "Disclaimer: I am using Chrome, so I am not drinking the Kool-Aid."

      Just what do you think Kool-Aid is?

      Disclaimer: I do not use Chrome since I don't like Kool-Aid, but I have had the chance to use Edge extensively over the past year and found it favorable in every respect. Edge is not my primary browser, though, so I would really like you to elaborate on "Where Edge sucks is it is more of a mobile browser than a desktop...", as I have no idea what you are talking about.

      --
      Brought to you by Carl's Junior.
    9. Re:Pot criticises kettle by Anonymous Coward · · Score: 0

      using chrome is just drinking cherry kool-aid instead of grape. both are full of sugar and will rot your teeth.

    10. Re:Pot criticises kettle by hcs_$reboot · · Score: 1

      Well, ok, but MS could have pushed way more to get rid of that IE6 insanity earlier and make it more standard (and secure), even during the XP era.

      --
      Slashdot, fix the reply notifications... You won't get away with it...
  5. In other news by Anonymous Coward · · Score: 1

    Local high school basketball coach criticizes NFL team for its poor tackling form on Sunday.

    While I agree with them, it should be noted that Edge is not even in the same league as Chrome.

    1. Re:In other news by Anonymous Coward · · Score: 0

      If the tackling was in such poor form that even a high school basketball coach could see it, perhaps the criticism is justified?

    2. Re:In other news by Anonymous Coward · · Score: 0

      If the tackling was in such poor form that even a high school basketball coach could see it, perhaps the criticism is justified?

      The point isn't that the criticism isn't justified, the point is that this is the exception that proves the rule.

  6. month long release wait? by jarkus4 · · Score: 2, Interesting

    Bugs happen. What has me worried is a month-long waiting time between the security fix in a public-facing repository and the release. This pretty much asks for exploitation even by not very skilled "hackers", as interested parties have lots of time to prepare a viable exploit based on the provided regression tests.

  7. Damn Google! by thegarbz · · Score: 3, Funny

    I don't know of any other company that has a monthly release cycle for security updates, even for zero day bugs! Google you are evil, you should be like Micros... oh.

    1. Re:Damn Google! by thomst · · Score: 1

      thegarbz quipped:

      I don't know of any other company that has a monthly release cycle for security updates, even for zero day bugs! Google you are evil, you should be like Micros... oh.

      Mod parent +1 Funny, please ...

      --
      Check out my novel.
    2. Re:Damn Google! by thegarbz · · Score: 1

      Mod parent +1 Funny, please ...

      I appreciate the support. I have to admit it did not occur to me that a moderator may not have a sense of humour and may need instructions.

    3. Re:Damn Google! by thomst · · Score: 1

      I requested:

      Mod parent +1 Funny, please ...

      Prompting thegarbz to respond:

      I appreciate the support. I have to admit it did not occur to me that a moderator may not have a sense of humour and may need instructions.

      In my experience, most people do not, in fact, possess an actual sense of humor. That's why laugh tracks exist.

      You're welcome, btw - and I'm gratified to see that some moderators have followed my advice, regardless of whether they required it or not ...

      --
      Check out my novel.
  8. People who live in glass houses... by ledow · · Score: 1

    People who live in glass houses...

    1. Re: People who live in glass houses... by Anonymous Coward · · Score: 0

      ...Should consider painting their walls.

    2. Re:People who live in glass houses... by Opportunist · · Score: 1

      ...shouldn't parade around in clothing made for emperors.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    3. Re: People who live in glass houses... by Anonymous Coward · · Score: 0

      Should invest in heavy curtains to avoid heat loss and embarrassment.

    4. Re:People who live in glass houses... by Anonymous Coward · · Score: 0

      What? What about them?

  9. I hope they enter a pissing contest... by aepervius · · Score: 4, Insightful

    ...Trying to outdo each other at finding browser vulnerabilities. Outcome: both browsers become more secure.

    --
    C. Sagan : A demon haunted world:
    http://www.amazon.com/gp/product/0345409469/
    visit randi.org
    1. Re:I hope they enter a pissing contest... by Anonymous Coward · · Score: 0

      It'll converge to the following browser:

      #include <stdio.h>

      int main(void) {
          printf("BEHOLD THE WEB\n");
          return 0;
      }

  10. Did they just blame open source? by Ayano · · Score: 2

    I mean.. seriously?

    --
    I don't read AC
  11. *Cough* Pwn2Own *Cough* by mentil · · Score: 2
    --
    Corruption is convincing someone that the selfless ideal is the same as their selfish ideal.
    1. Re:*Cough* Pwn2Own *Cough* by hcs_$reboot · · Score: 1

      Fortunately MS doesn't reward bugs the same way Google does, or they would go bankrupt quickly

      --
      Slashdot, fix the reply notifications... You won't get away with it...
  12. Re:What a bunch of chislers by Anonymous Coward · · Score: 0

    Ehm, that's since the bug was introduced. What matters is how fast you distribute the patch once you know about it and can fix it.

  13. Microsoft oversells their CFI mitigations by roca · · Score: 2

    I wrote about this:
    http://robert.ocallahan.org/20...
    Summary: In practice, attackers can leverage arbitrary-write bugs to produce the same-origin violations Microsoft warns about without requiring RCE, completely bypassing the CFI mitigations Microsoft is touting here.

  14. Both Edge and Chrome are unusable spyware. by Anonymous Coward · · Score: 0

    Just the other day, I genuinely tried to use Edge because Azure is a worthless piece of shit that didn't work at all in Firefox. I gave up. I literally couldn't use it. Unusable piece of shit. And Chrome is never even getting installed -- it's pure spyware from an evil corporation. Just worthless shit. (Not promoting Firefox in any way as it's also almost as bad.)

  15. Please donate to MS by hcs_$reboot · · Score: 1

    Microsoft desperately needs money. They are left to find bugs in Chrome to get the $1,000 award

    --
    Slashdot, fix the reply notifications... You won't get away with it...
    1. Re:Please donate to MS by Dutch+Gun · · Score: 1

      Joking aside, I thought people might like to know the actual numbers and result:

      We responsibly disclosed the vulnerability that we discovered along with a reliable RCE exploit to Google on September 14, 2017. The vulnerability was assigned CVE-2017-5121, and the report was awarded a $7,500 bug bounty by Google. Along with other bugs our team reported but didn’t exploit, the total bounty amount we were awarded was $15,837. Google matched this amount and donated $30,000 to Denise Louie Education Center, our chosen organization in Seattle. The bug tracker item for the vulnerability described in this article is still private at time of writing.

      It appears these companies don't pay each other directly, but donate to company-chosen charities. And in Google's case, it looks like it matched those donations, in effect paying double. So, I guess good on both of them for that.

      --
      Irony: Agile development has too much inertia to be abandoned now.
    2. Re:Please donate to MS by hcs_$reboot · · Score: 1

      It appears these companies don't pay each other directly, but donate to company-chosen charities. And in Google's case, it looks like it matched those donations, in effect paying double. So, I guess good on both of them for that.

      The magic of operations made public.

      --
      Slashdot, fix the reply notifications... You won't get away with it...
  16. Re:What a bunch of chislers by Anonymous Coward · · Score: 0

    You think MS fixed every bug within 30 days eh? Fuck you then moron.

  17. Blame Chrome for Windows defects .. by najajomo · · Score: 2, Insightful

    "we set out to examine Google’s Chrome web browser .. is having a strong sandboxing model sufficient to make a browser secure?" Jordan Rabet Microsoft Offensive Security Research team

    That's a bit rich coming from Microsoft. Security resides in the Operating System, not in the Browser. Chrome wouldn't need sandboxing if the underlying Operating System did its job. That is, isolate one process's memory from the other. Something the WinTEL platform seems unable to do despite numerous iterations of the x86 processor.

    I love how the original "research" article tried to spin defects in the underlying Operating System into, it's somehow the fault of sandboxing in Chrome. Sandboxing, OSR, RCE, CFG, ACG, LPAC, WDAG, all designed to protect the underlying Operating System from the browser. Microsoft, the company that fights malware with self-serving adverts masquerading as technical research.

    1. Re:Blame Chrome for Windows defects .. by Anonymous Coward · · Score: 0

      That's a bit rich coming from Microsoft. Security resides in the Operating System, not in the Browser. Chrome wouldn't need sandboxing if the underlying Operating System did its job. That is, isolate one process's memory from the other. Something the WinTEL platform seems unable to do despite numerous iterations of the x86 processor.

      So you are ok with an attacker reading or writing anywhere you can on the system once he finds an exploitable bug in the rendering- or javascript engine of a browser? I'm not.

      Any executable installed on your machine that takes data or code from an untrusted source has the responsibility to ensure that bugs do not allow untrusted sources of that data or code to exploit the host to perform actions not intended by the author of the executable. Unfortunately, some code like html rendering engines and javascript engines are very complex and bugs will happen. Hence, such an executable *also* has the responsibility to ensure that when an exploitable bug *does* happen, then the consequences of that are mitigated.

      The operating system *cannot* from the outside determine which actions were intended by the original author and which may be because the process has been taken over by an attacker. The executable may have certain permissions (like accessing camera) that it can declare and request access to. An attacker can usually not overstep those permissions, but he *can* access anything the host process has been granted access to.

      Hence, sandboxing. It is entirely the responsibility of the host process to divide up its tasks and isolate them as much as possible. The operating system may provide more or less support for this, but leveraging such facilities provided by the OS falls on the application developer.

      Windows certainly has much more support in that department than Linux, MacOS or other Unixes. Instead of stupidly assuming that any process launched by a user should be able to do whatever the user could do, the current strain of Windows (the NT lineage) has actual proper *tokens* per process right from the start. It has *always* supported running a process with less privileges than the current user, even if running with the identity of the current user. Unix was designed with no token support - privileges of a process were inferred from the "effective user" - a user ID. Granular permission control was not possible. Hence apparmor, SELinux etc. create a competing token-based security.

      On top of that, Windows has exploit mitigations which actually *do* reach into processes. See EMET. These exploit mitigations are designed to foil attempts to exploit bugs *in applications* i.e. not in Windows itself. You need something like grsecurity to mimic some of those mitigations that are now built into Windows.

    2. Re:Blame Chrome for Windows defects .. by Anonymous Coward · · Score: 0

      You're comparing security features of the Windows against the Linux kernel, and saying that Windows is better than Linux security-wise because you need all these optional security features to be comparable.

      Well, distributions which ship Linux and are serious about security (ie RHEL, to simply start with) come with those optional features built in with system-level tools to support their administration and use. Those arguments are extremely misleading. You should also look at the timelines where those features were implemented. Windows has come a long way, so has Linux, and some features may have been implemented in one before the other, but I would argue that much of that development occurred first on Linux because open source practices made it much more accessible to researchers to create proof of concept that engineers further refined into production quality code.

    3. Re:Blame Chrome for Windows defects .. by Anonymous Coward · · Score: 0

      You're comparing security features of the Windows against the Linux kernel, and saying that Windows is better than Linux security-wise because you need all these optional security features to be comparable.

      Well, distributions which ship Linux and are serious about security (ie RHEL, to simply start with) come with those optional features built in with system-level tools to support their administration and use. ...

      SELinux had potential, the last I looked. Basically security needs to be downgraded based on context

      User level security is the start. Nothing gets beyond its permissions
      Application level security is next. Applications do not step outside of their permissions. That means a game does not get rw access outside its one single folder, nor does anything else normally get access there. Getting this right is hard.
      Sub application level security is next. One web site should not know about another by default. This includes you, Google. Just because I'm logged into Google, does not mean I should be logged into every Google service.

      Basically it is the set of things that should determine permissions, with the average website being highly restricted by default.

      I like the idea of lightweight virtualization containers, whereby by default each web page or at least each web site is locked into its own sandboxed/virtualized area, but isn't that what we are basically getting?

    4. Re:Blame Chrome for Windows defects .. by drinkypoo · · Score: 1

      Chrome wouldn't need sandboxing if the underlying Operating System did its job. That is, isolate one process's memory from the other. Something the WinTEL platform seems unable to do despite numerous iterations of the x86 processor.

      Except you still have all the same kinds of flaws in other operating systems, too, which is why Chrome is also sandboxed on other platforms, e.g. Linux. It's not just Windows. The techniques vary, but no mainstream OS is designed for security first. That would impinge upon performance. Microsoft literally decided to go the other direction in NT4, specifically in the name of graphics performance.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    5. Re:Blame Chrome for Windows defects .. by najajomo · · Score: 1

      @Anonymous Coward: "So you are ok with an attacker reading or writing anywhere you can on the system once he finds an exploitable bug in the rendering- or javascript engine of a browser? I'm not."

      How did you manage to read that into what I actually wrote? If the Operating System did this one thing: isolate process memory from each other then we wouldn't need SANDBOXING, OSR, RCE, CFG, ACG, LPAC or WDAG. What just occurred to me is when and if Microsoft disclosed such mitigations to the Chrome developers or did they keep it to themselves to give EDGE an edge up on their competitors?

    6. Re:Blame Chrome for Windows defects .. by Anonymous Coward · · Score: 0

      (Different AC here.) I cannot tell if you're trolling or if you just stopped reading after the first paragraph.
      But let me make things a bit more concrete for you. It doesn't matter if you use Windows or Linux; if a JavaScript vulnerability in Chrome causes arbitrary code execution, isolating the process from other processes isn't going to help since all the problem exists within the process itself. Without sandboxing, the attacker's code can read, delete or modify your documents and downloads and it doesn't need access to other processes to do so. Browser exploits don't tend to require access to an OpenOffice process's memory for example.
      Note that all modern operating systems provide process isolation and Chrome still uses sandboxing precisely because the security model you describe doesn't shield against the threats we face today. What you also seem to miss completely is that a common sandboxing technique is to run the code to be sandboxed in a separate process with lower permissions.

      Oh, and as an afterthought... To the moderators who modded this guy's post as Insightful: it's fairly obvious when you read the article he links to that there were real bugs in Chrome's JavaScript implementation caused by a faulty optimising phase. Now that you know that, do you still think this idiot is insightful? And how do you feel about yourself, moderating the comment without checking the linked article to see if what he says about it is correct?
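The argument in the comment above (memory isolation between processes does not stop an exploited process from using its own file access, which is why the risky work is moved into a separate, lower-privilege process) can be shown on a POSIX system. This is an added example, not code from the thread, Chrome or Microsoft; `make_user_file`, `run_renderer`, the temp path and the file contents are constructed for illustration, and `RLIMIT_NOFILE` is used only as a minimal, unprivileged stand-in for a real sandbox.

```c
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <sys/resource.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Constructed stand-in for a user document the renderer never needs. */
static const char SECRET[] = "constructed-user-document";

/* Write the "user document" to a temp file; returns 0 on success. */
int make_user_file(char *path_template)
{
    int fd = mkstemp(path_template);
    if (fd < 0)
        return -1;
    ssize_t n = write(fd, SECRET, sizeof SECRET - 1);
    close(fd);
    return n == (ssize_t)(sizeof SECRET - 1) ? 0 : -1;
}

/*
 * Fork a "renderer" child and assume a bug has handed it to untrusted code
 * that wants the file at `path`. The child runs as the same user in both
 * modes; the only difference is whether it gave up the ability to open new
 * descriptors before touching untrusted input.
 * Returns the number of bytes the child could read (0 = denied), -1 on error.
 */
int run_renderer(const char *path, int sandboxed)
{
    int to_broker[2];
    if (pipe(to_broker) != 0)
        return -1;

    pid_t pid = fork();
    if (pid < 0)
        return -1;

    if (pid == 0) {                       /* renderer process */
        close(to_broker[0]);
        if (sandboxed) {
            /* Soft and hard limit 0: every later open() fails with EMFILE.
             * The already-open pipe keeps working, so the broker can still
             * exchange data with the renderer. */
            struct rlimit none = { 0, 0 };
            if (setrlimit(RLIMIT_NOFILE, &none) != 0)
                _exit(2);
        }
        char buf[64];
        int got = 0;
        int fd = open(path, O_RDONLY);    /* what the injected code attempts */
        if (fd >= 0) {
            ssize_t n = read(fd, buf, sizeof buf);
            if (n > 0)
                got = (int)n;
            close(fd);
        }
        if (write(to_broker[1], &got, sizeof got) != (ssize_t)sizeof got)
            _exit(3);
        _exit(0);
    }

    /* broker (parent) process */
    close(to_broker[1]);
    int got = -1;
    if (read(to_broker[0], &got, sizeof got) != (ssize_t)sizeof got)
        got = -1;
    close(to_broker[0]);
    waitpid(pid, NULL, 0);
    return got;
}

int main(void)
{
    char path[] = "/tmp/renderer-demo-XXXXXX";
    if (make_user_file(path) != 0)
        return 1;
    printf("isolated process, no sandbox: read %d bytes\n", run_renderer(path, 0));
    printf("isolated process, sandboxed:  read %d bytes\n", run_renderer(path, 1));
    unlink(path);
    return 0;
}
```

Both children are fully memory-isolated from the parent, yet only the one that dropped its ability to open files is prevented from reading the document.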

    7. Re:Blame Chrome for Windows defects .. by najajomo · · Score: 1

      @Anonymous Coward: "Without sandboxing, the attacker's code can read, delete or modify your documents and downloads and it doesn't need access to other processes to do so".

      Why do you persist in willfully sowing confusion here? Isolating process memory means exactly that, therefore the browser doesn't need sandboxing and cannot access external data. At least if the browser wasn't running under Windows. Where presumably EDGE is so welded to the OS that a bug can lead to total compromise of the System. A bug in the browser that can lead to System compromise is a defect in the Operating System. And don't presume to lecture the moderators on what is acceptable here on Slashdot.

  18. *stab from the band* *laughter in the audience* by Qbertino · · Score: 1

    *Bill Maher enters the stage, waits for cheering to calm down*

    Bill - "Good evening ladies and gentlemen, as we've just heard from the tech community,
    Microsoft Chastises Google over Security ..."

    *laughter erupts* ...

    --
    We suffer more in our imagination than in reality. - Seneca
  19. That's great, but.... by Anonymous Coward · · Score: 0

    That's great, but at least Chrome doesn't take down the OS when it crashes. With Microsoft's history of poor security I still trust them the least. I tried using Edge for day to day activities at work but stopped after it died and I had to reboot. After it crashed the start menu stopped working and I couldn't get to the reboot menu option. Doh.

  20. Pop the champagne! by Opportunist · · Score: 1

    We found something that's insecure in Chrome that Edge isn't susceptible to!

    Hey, that's reason to celebrate, and use the good champagne. It's not like it happens often.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  21. liking the new MS by Anonymous Coward · · Score: 0

    I don't know exactly at what point Microsoft stopped sucking but they definitely have at the very least sucked more less the last couple years or so. I'm guessing it's Nadella's changes.

    1. Re:liking the new MS by Anonymous Coward · · Score: 0

      they have at the least SUCKED LESS... man, need coffee.

    2. Re:liking the new MS by hcs_$reboot · · Score: 1

      I'm guessing it's Nadella's changes.

      Don't want to be tough on Ballmer, but that's a fact.

      --
      Slashdot, fix the reply notifications... You won't get away with it...
  22. Can I block ads and javascript in Edge by Gojira+Shipi-Taro · · Score: 1

    ...as easily as I do in Chrome?

    No?

    Then fuck off with that.

    --
    "Oh my God. This is terrible. This is the end of my Presidency. I'm fucked."; ~ Donald J. Trump
  23. I don't stick up for either company by Anonymous Coward · · Score: 0

    I know people defend companies that they think can do no wrong, and trash ones they personally dislike. I take a more common sense approach that a browser of any kind can be vulnerable to an exploit at any given time. This ideal that my browser is better than yours is only relative to the time and date you're saying it. I do know Edge and Chrome are no slouch when it comes to focusing on security, and just about every comparison gives both browsers good marks. It's Firefox that lately has lacked good security, and yet I wouldn't caution anyone about using it.

  24. Quotable by Neo-Rio-101 · · Score: 1

    "He who is without sin cast the first .... something or other"

    --
    READY.
    PRINT ""+-0
  25. OK, fine, where can I download Edge for Linux? by molarmass192 · · Score: 1

    ... yeah, that's what I thought. They can't fully secure a browser on 1 platform but they're going to call out a browser that runs on no less than 5 platforms? Amateurs.

    https://www.cvedetails.com/vul...

    --

    Good people do not need laws to tell them to act responsibly, while bad people will find a way around the laws-Plato
  26. Please don't say throw some shade by irrational_design · · Score: 1

    Unless you are a teenager, please don't use the slang "throwing shade". It just makes you sound like an old person, desperately trying to appear cool by talking like a teenager.

  27. Ironic, Don't you think? by AlejandroTejadaC · · Score: 1

    This article brings me the first laugh of this day. Ironic, Don't you think?