Slashdot Mirror


Microsoft Chastises Google Over Chrome Security (pcmag.com)

An anonymous reader quotes PCMag: In a Wednesday blog post, Redmond examined Google's browser security and took the opportunity to throw some shade at Chrome's security philosophy, while also touting the benefits of its own Edge browser. The post, written by Microsoft security team member Jordan Rabet, noted that Google's Chrome browser uses "sandboxing" and isolation techniques designed to contain any malicious code. Nevertheless, Microsoft still managed to find a security hole in Chrome that could be used to execute malicious code on the browser.

The bug involved a JavaScript engine in Chrome. Microsoft notified Google about the problem, which was patched last month. The company even received a $7,500 reward for finding the flaw. However, Microsoft made sure to point out that its own Edge browser was protected from the same kind of security threat. It also criticized Google for the way it handled the patching process. Prior to the patch's official rollout, the source code for the fix was made public on GitHub, a software collaboration site that hosts computer code. That meant attentive hackers could have learned about the vulnerability before the patch was pushed out to customers, Microsoft claimed. "In this specific case, the stable channel of Chrome remained vulnerable for nearly a month," the blog post said. "That is more than enough time for an attacker to exploit it."

In the past Google has also disclosed vulnerabilities found in Microsoft products -- including Edge.


  1. Really? by Anonymous Coward · · Score: 5, Insightful

    Do we point out Microsoft's long and illustrious history of ignoring critical security flaws now or...

    Do we just point out Chrome isn't crashing computers with their security updates, thus training their users to turn off automatic updates?

    I know, I know, it's not the same thing exactly. But you know what they say about people in glass houses.

    1. Re:Really? by dreamchaser · · Score: 4, Insightful

      I would actually prefer that the major players all try to keep each other honest.

    2. Re:Really? by rtb61 · · Score: 2

      How about I can uninstall Chrome and gain privacy from Google but I cannot uninstall wildly privacy invasive elements of Windows 10 and I cannot stop M$ installing whatever software they want to unless I never connect a Windows 10 computer to the internet, literally impossible and I can stop Google from installing software on my computer. Google may claim a right to my privacy but M$ actually claims a right to my privacy, my PC and my internet connection, well, if I am stupid enough to run Windows 10.

      You cannot secure Windows 10 from the worst bastards of the lot M$.

      --
      Chaos - everything, everywhere, everywhen
    3. Re:Really? by geekmux · · Score: 3, Insightful

      I would actually prefer that the major players all try to keep each other honest.

      Being honest is one thing, which I do appreciate.

      That said, Microsoft doesn't have the right to bash a garage-band IoT maker about security flaws response.

    4. Re:Really? by GrumpySteen · · Score: 2

      You do know that the person you replied to didn't mention IE 6, right?

    5. Re:Really? by dreamchaser · · Score: 5, Insightful

      I would actually prefer that the major players all try to keep each other honest.

      Being honest is one thing, which I do appreciate.

      That said, Microsoft doesn't have the right to bash a garage-band IoT maker about security flaws response.

      Everyone, from the lone user to a mega-corporation, has the right to call out security flaws on anyone who exposes others to risk.

    6. Re:Really? by geekmux · · Score: 2

      Microsoft sucked at security before, they don't now...

      Given Microsoft Telemetry, I really don't see products as any more secure, even when the masses exchange privacy for a free upgrade.

    7. Re:Really? by Dutch+Gun · · Score: 3, Insightful

      Agreed. In addition, I'd definitely recommend reading the original Microsoft blog post. It's actually not nearly so flame-bait-ish as the breathless headlines and summary imply. It's a fascinating piece of technical detective work, and I think that, while they obviously use this as good propaganda to promote their own technology, the issues they presented seem fair to me.

      They also gave Google kudos where that was deserved, but that doesn't make for very good headlines. For instance:

      This kind of attack drives our commitment to keep on making our products secure on all fronts. With Microsoft Edge, we continue to both improve the isolation technology and to make arbitrary code execution difficult to achieve in the first place. For their part, Google is working on a site isolation feature which, once complete, should make Chrome more resilient to this kind of RCE attack by guaranteeing that any given renderer process can only ever interact with a single origin. A highly experimental version of this site isolation feature can be enabled by users through the chrome://flags interface.

      And consider this:

      Servicing security fixes is an important part of the process and, to Google’s credit, their turnaround was impressive: the bug fix was committed just four days after the initial report, and the fixed build was released three days after that. However, it’s important to note that the source code for the fix was made available publicly on Github before being pushed to customers. Although the fix for this issue does not immediately give away the underlying vulnerability, other cases can be less subtle.

      Note that they don't actually blame open source. That would be foolish, as they're embracing it more and more themselves.

      Some Microsoft Edge components, such as Chakra, are also open source. Because we believe that it’s important to ship fixes to customers before making them public knowledge, we only update the Chakra git repository after the patch has shipped.

      --
      Irony: Agile development has too much inertia to be abandoned now.
    8. Re:Really? by pthisis · · Score: 2

      Yes. The real problem is that Microsoft is advocating for slow-rolling disclosure of security vulnerabilities by hiding patches until the stable release comes out. That's fine, it's not an insane stance, but they're presenting it as though that's obvious and noncontroversial and that there are no drawbacks to their methodology and no advantages to Google's full disclosure policy. That's where they're being disingenuous--full disclosure vs. slow disclosure is one of the more hotly debated topics in security circles, and Microsoft knows it (or should).

      If they want to advocate for slow disclosure, they should at least acknowledge that they're taking one side of a controversial topic about which a lot of serious security people disagree, not pretend that Google is just doing something recklessly idiotic and should clearly do things the Microsoft way.

      Bruce Schneier summarizes the counterargument here: https://www.schneier.com/essay...

      On the surface slow-rolling things seems like a good idea--why show the attackers the breach before you've repaired the wall? The problem with that line of thinking is that it presumes that you're the only one who's found the breach, and that attackers aren't already exploiting it. That's generally naïve, you have no way of knowing whether a vulnerability is being actively exploited or not.

      By disclosing fully, you make it possible for people to protect themselves or to make judgements about how serious the issue is for them. You also make companies take security more seriously in the future, which hopefully leads to greater global security even if the local impact is muddier.

      There are obvious trade-offs the other way, as well. But Microsoft pretending that full disclosure is inherently bad for security is duplicitous.

      --
      rage, rage against the dying of the light
  2. Of course by phantomfive · · Score: 2

    Google has some really good programmers, and so does Microsoft. In the past they were even more impressive.

    But both of them are now process driven companies, primarily focused on not overturning the boat, and the result is code that follows process. As long as process is followed, you don't have to worry about whether you did a good job or not. Just go home at the end of the day. That is the mentality of the vast majority of mediocre programmers at both companies.

    --
    "First they came for the slanderers and i said nothing."
  3. month long release wait? by jarkus4 · · Score: 2, Interesting

    Bugs happen. What has me worried is a month-long waiting time between the security fix in a public-facing repository and release. This pretty much asks for exploitation even by not very skilled "hackers", as interested parties have lots of time to prepare a viable exploit based on the provided regression tests.

  4. Damn Google! by thegarbz · · Score: 3, Funny

    I don't know of any other company that has a monthly release cycle for security updates, even for zero day bugs! Google you are evil, you should be like Micros... oh.

  5. I hope they enter a pissing contest... by aepervius · · Score: 4, Insightful

    ...Trying to outdo each other at finding browser vulnerabilities. Outcome: both browsers become more secure.

    --
    C. Sagan : A demon haunted world:
    http://www.amazon.com/gp/product/0345409469/
    visit randi.org
  6. Did they just blame open source? by Ayano · · Score: 2

    I mean.. seriously?

    --
    I don't read AC
  7. *Cough* Pwn2Own *Cough* by mentil · · Score: 2
    --
    Corruption is convincing someone that the selfless ideal is the same as their selfish ideal.
  8. Re:Pot criticises kettle by Billly+Gates · · Score: 4, Informative

    IE 6 was made 17 years ago.

    Disclaimer: I am using Chrome so I am not drinking the Kool-Aid.

    MS changed to being secure in 2004 with the famous Bill Gates memo. IE 8 matched Chrome 1.0 with kernel level sandboxing in %appdata/lowrights and per threading process since 2009. Firefox just matched IE 8's security this year which is why I dumped it for Chrome in 2011 after the 4.0 fiasco.

    IE 9 started the change to standards with hardware acceleration and IE 11/Edge are fully 100% W3C compliant. In fact I think IE 10 is W3C compliant too and no longer sucked but was a bit behind Chrome and Firefox at the time.

    Anyway I welcome the rapid improvement to security and standards compliance for both. Where Edge sucks is it is more of a mobile browser than a desktop and had issues crashing during the initial Windows 10 build 204100 release 2015. But that is my take.

  9. Re:The failure of open source security by Anonymous Coward · · Score: 3, Insightful

    In a professional setting, updates are tested on a test server to make sure they don't break anything before they are applied to production servers. And the moment they are applied is planned carefully. Auto update is irrelevant there, what is relevant is that Equifax didn't handle their environment like a professional should.

  10. Microsoft oversells their CFI mitigations by roca · · Score: 2

    I wrote about this:
    http://robert.ocallahan.org/20...
    Summary: In practice, attackers can leverage arbitrary-write bugs to produce the same-origin violations Microsoft warns about without requiring RCE, completely bypassing the CFI mitigations Microsoft is touting here.

  11. Re:Pot criticises kettle by drinkypoo · · Score: 2

    MS changed to being all spyware, all the time with Windows 10.

    An OS which spies on you is the diametric opposite of security.

    --
    "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  12. Blame Chrome for Windows defects .. by najajomo · · Score: 2, Insightful

    "we set out to examine Google’s Chrome web browser .. is having a strong sandboxing model sufficient to make a browser secure?" Jordan Rabet Microsoft Offensive Security Research team

    That's a bit rich coming from Microsoft. Security resides in the Operating System, not in the Browser. Chrome wouldn't need sandboxing if the underlying Operating System did its job. That is, isolate one process's memory from the other. Something the WinTEL platform seems unable to do despite numerous iterations of the x86 processor.

    I love how the original "research" article tried to spin defects in the underlying Operating System into, it's somehow the fault of sandboxing in Chrome. Sandboxing, OSR, RCE, CFG, ACG, LPAC, WDAG, all designed to protect the underlying Operating System from the browser. Microsoft, the company that fights malware with self-serving adverts masquerading as technical research.

  13. Re:The failure of open source security by najajomo · · Score: 2

    Anonymous Coward: 'Was demonstrated once more by the Equifax mega breach.'

    The Equifax mega breach demonstrated what happens when a company with an annual turnover of US$ 3.1 billion, uses software on an Internet facing machine without testing it for security vulnerabilities. In fact they didn't even have a patch strategy in place or even know who was responsible for implementing such patches.