Microsoft Chastises Google Over Chrome Security (pcmag.com)
An anonymous reader quotes PCMag:
In a Wednesday blog post, Redmond examined Google's browser security and took the opportunity to throw some shade at Chrome's security philosophy, while also touting the benefits of its own Edge browser. The post, written by Microsoft security team member Jordan Rabet, noted that Google's Chrome browser uses "sandboxing" and isolation techniques designed to contain any malicious code. Nevertheless, Microsoft still managed to find a security hole in Chrome that could be used to execute malicious code on the browser.
The bug involved a JavaScript engine in Chrome. Microsoft notified Google about the problem, which was patched last month. The company even received a $7,500 reward for finding the flaw. However, Microsoft made sure to point out that its own Edge browser was protected from the same kind of security threat. It also criticized Google for the way it handled the patching process. Prior to the patch's official rollout, the source code for the fix was made public on GitHub, a software collaboration site that hosts computer code. That meant attentive hackers could have learned about the vulnerability before the patch was pushed out to customers, Microsoft claimed. "In this specific case, the stable channel of Chrome remained vulnerable for nearly a month," the blog post said. "That is more than enough time for an attacker to exploit it."
In the past Google has also disclosed vulnerabilities found in Microsoft products -- including Edge.
IE 6 was made 17 years ago.
Disclaimer: I am using Chrome, so I am not drinking the Kool-Aid.
MS changed to being secure in 2004 with the famous Bill Gates memo. IE 8 matched Chrome 1.0 with kernel level sandboxing in %appdata/lowrights and per threading process since 2009. Firefox just matched IE 8's security this year which is why I dumped it for Chrome in 2011 after the 4.0 fiasco.
IE 9 started the change to standards with hardware acceleration and IE 11/Edge are fully 100% W3C compliant. In fact, I think IE 10 is W3C compliant too and no longer sucked but was a bit behind Chrome and Firefox at the time.
Anyway I welcome the rapid improvement to security and standards compliance for both. Where Edge sucks is it is more of a mobile browser than a desktop and had issues crashing during the initial Windows 10 build 204100 release 2015. But that is my take.
http://saveie6.com/
Did they stop having security flaws with IE 7? 8? Edge? Office? Sharepoint? Exchange? Skype? (continue listing all of Microsoft's products...)
You want to talk ignorance and then act like there hasn't been ample evidence of bugs from Microsoft Products in the last 16 years...
Ok how many exploits have been found in Chrome, Firefox, Linux, or any other product not from Microsoft? So far Chrome has 9 pages worth!
It's not reported here because we love Linux and Google is cool and we hate Microsoft. I do say this not as a troll but fact with the audience and who selects stories here. My point is most complex software has flaws. Stuff written in C/C++ has lots too as bounds checking and code execution around a buffer overflow were common and both Windows and Unix historically had these problems. Though by default the C libraries in both platforms now prevent this or try to mitigate.
Microsoft has a security buddy now for each product which analyzes and gives project managers security details, which is how Microsoft products changed after the 2005 memo. It's why Vista got those annoying UAC prompts and why later webpages made for IE 6 started to have trouble rendering in later versions.
http://saveie6.com/