July 2014, Google launched it's project zero initiative to identify Zero-Day vulnerabilities in commercial software thus making computing generally more secure.
Google's modus operandi is to inform affected vendors and give them 60 days to release patches. After the 60 day window, they go public even if a patch is not yet available.
“Our standing recommendation is that companies should fix critical vulnerabilities within 60 days — or, if a fix is not possible, they should notify the public about the risk and offer workarounds. We encourage researchers to publish their findings if reported issues will take longer to patch”
There have been situations where Microsoft has not been able to release a public patch within that 60-day Window and obviously this has created a tense relationship between Google and Microsoft.
“Google’s decision to disclose these vulnerabilities before patches are broadly available and tested is disappointing, and puts customers at increased risk.”
You can read this Microsoft blog entry about their disappointment with google. not wanting to take the hit and move on, it looks like Microsoft security research has been looking for flaws in Google's products and found 2 bad ones. Realizing security is now a major differentiator, they decided to play Google's game and disclose the vulnerabilities after an elapsed wait time.
Here is a sentence that takes a jab at Google's Chrome while praising their own Microsoft Edge security architecture :
“This kind of attack drives our commitment to keep on making our products secure on all fronts. With Microsoft Edge, we continue to both improve the isolation technology and to make arbitrary code execution difficult to achieve in the first place. For their part, Google is working on a site isolation feature which, once complete, should make Chrome more resilient to this kind of RCE attack by guaranteeing that any given renderer process can only ever interact with a single origin”
Microsoft justified the release of the detailed vulnerability information with this sentence:
“it’s important to note that the source code for the fix was made available publicly on Github before being pushed to customers.”
I think large well-funded companies should be doing general security research and helping improve the overall security of the entire ecosystem. I wish they could agree on a more friendly approach to vulnerability disclosure, not leaving their customers open and unprotected. This should not become a marketing tool but more of a commitment to societal improvement.
A guy can dream, can't he?
