Google’s Project Zero vulnerability research team has published details of a flaw in the Microsoft Windows 10 Edge and Internet Explorer 11 browsers that allow them to be remotely crashed – without waiting for a fix to be released.
The vulnerability, which Google has classified as “high severity”, was detailed by Google Project Zero security researcher Ivan Fratric, who privately shared details with Microsoft back in November.
With Google’s self-imposed deadline of 90 days now expired, it has gone public with details of the flaw – in effect, telling the world how to crash the browser.
But could more be done with the flaw than this? When questioned, Fratric appeared to be concerned that exploitation could lead to more serious consequences than just the browser crashing:
“I will not make any further comments on exploitability, at least not until the bug is fixed. The report has too much info on that as it is (I really didn’t expect this one to miss the deadline).”
In other words, Fratric himself doesn’t seem entirely happy with the the details and proof-of-concept code having been made public before Microsoft had issued a patch.
Nonetheless, he and his Google colleagues have published the details. And anyone who relies on the Edge and Internet Explorer 11 browsers is left sitting waiting for a fix.
Regardless of whether Microsoft should have issued a patch for this flaw or not by now, I am left baffled as to how Google can think that its disclosure of this vulnerability and publication of exploit code is a good thing.
This is an ongoing story: Google keeps finding flaws in other vendors’ products, and making the details public before fixes are rolled out.
I have to question whether they are giving software companies enough time to fix and test their products, and whether it is really responsible to release proof-of-concept code onto the net which attackers could potentially exploit.
I have no sympathy for Microsoft at all. Their attitude towards security researchers has got so bad that many have stopped reporting bugs at all. Why you ask? Because Microsoft are ignoring the independent security researchers' reports and doing nothing!
Therefore, instead of going directly to Microsoft, they have to go to a rival (Google) who then add the vulnerability to their centralised list.
If Microsoft started treating researchers with courtesy, respect and acknowledging their efforts then they wouldn't find themselves in this predicament.
Google have a browser, don't they? So they are dishing on their competition. That seems wrong, independent of other considerations.
Should Microsoft have addressed the vulnerability in a more timely fashion? Yes, but that doesn't justify Google needlessly and deliberately putting potentially millions of users at risk.
Millions of users were at risk before Google published the details. If a security researcher found it then there is a good chance bad people have found it too and may be already actively exploiting it. 90 days to create and release a fix is plenty of time for any company, especially one with the resources of MS.
It's good that some 3rd party entity have found some vulnerability for other companies product, addressing vulnerability to such popular software makes the company inherit some kind of social responsibility on the security of its usage.
Independent Security researchers makes the industry to push companies to a security oriented direction, they should not be ignored.
But the timeline with google is too short for Microsoft to address one critical vulnerability when they are addressing multiple security related vulnerabilities every month through windows update. I know, cause we update our servers every week and security related patches keeps comming in.
I'm sorry, but hard as it may be for some of their users, I feel that Google did the right thing. The reason why security researchers give software vendors a reasonable deadline is because before this was established practice, vendors used to ignore vulnerability reports or get their PR departments to claim the vulnerability was merely theoretical.
If they can't be bothered either fixing the flaw in 90 days or making a good case for the researchers to give them a fixed extension of reasonable length, Microsoft are recklessly endangering their customers computers and businesses.
If Google has all this time on their hands finding security holes in other vendors, wouldn't time be better spent patching Android and the 1000s of variations of it?
I agree. People who live in glass houses ought not to throw stones. Do Google think they are infallible? Are there no holes in android? Do they roll out fixes for all android devices in a timely manner? No. They blame 3rd party device manufacturers or telcos for the platform fragmentation, but leave users high and dry, with the only solution open to the user being to buy a premium device that might get updates if you are lucky. Google might be putting pressure on Microsoft but disclosing PoC code is irresponsible and it's a problem for the users who are powerless to act. It's not benefiting users, it's based on commercial imperative and getting one over on one's rival. I'd wish the same back on the mighty Google if it wasn't that I and other 'non-combatants' (users) would be the ones to suffer. "Do no evil" my left foot!
Technically, nobody and everybody owns Android, as it is an open source platform. Google is one of the major contributors to said project along with other companies. Not defending Google, just stating the facts.
Google has now become the pyromaniac fireman who secretly carries gasoline when called to put out a house fire, and douses the house with the gasoline to utterly destroy it.
90 days is a long time to any vendor to fix a vulnerability!…to open the vulnerability only after this condition (or 7d in some cases as per Project Zero definitions) is a really good thing for some reasons:
1. Google is not the only one looking for vulnerabilities and if they found it anyone else can also.
2. Vendors and development teams (try to) ignore security requirements and bug fixes as those have no financial return to them… They prefer to focus on adding functionalities instead. If you dont disclosure it will be in this indefinite status of "to work on eventually if there is nothing else better for us to do and all vacations tume were spent already"
3. Other vendors that focus on keeping security fixes up to date (e.g. Adobe) get this unfair tag as being unsafe. I prefer a product that I get a security patch every other week them a product that never gets it… But I'm the only one on this shoes and many product managers try to avoid the security patches tag to avoid the sentiment of "I was running an unsecure softeware". Not the case of MS (no idea why they missed the 90d on this one tho!) but I am explaining why google is right here
4. Posting a detail information about a bug can drice people to create exploits for it? Well, there is a market to buy 0day exploits and there are specialized services to create those with much less information. There are even exploits created based on decompiling patches! So no matter what information is disclosed there will be exploits to it. Period.
Now some comments here are out of focus (including the author question if they give enough time… Again 90d is a long period for sw) or bringing a open source android vulns up. If you read about those you will see there are patches for it that telcos prefere not to push to avoid increase of operationals costs (calls from users) and to pesh users to buy new phones. This is a telco problem that we cannot enforce at all (if I get hacked because of missing patch on my phone, published by google but not pushed by my provider or my cell phone brand, I cannot go after none of them… )
Hope MS deploys a patch soon.