Google Exposes Unfixed Microsoft Edge Security Flaw

By John Lister

Google has revealed a security flaw with the Microsoft Edge browser before Microsoft released a patch. It's a controversial move with arguments across both the tech and security industries.

The flaw in question is somewhat complicated. In very simplified terms, the flaw is to do with how Microsoft Edge converts website code into what users see on their computer screen when visiting a website.

Google realized that it could work out precisely when the browser would access part of the computer's memory and use this knowledge to effectively set a booby trap. That could then force the computer to run content such as malware, bypassing a key Microsoft security defense that's meant to prevent this sort of attack. (Source: slashgear.com)

90 Day Deadline Passed

The controversy isn't about the bug as such, but rather the way Google went public. As a general rule, many security researchers follow a principle called responsible disclosure. In short, this means telling the makers of software or hardware about any security bugs discovered in it as soon as possible, then keeping quiet until the company has fixed the problem.

The idea is to avoid tipping off hackers and giving them a chance to figure out how to exploit the flaw before it's been patched, a situation that's sometimes called a "zero day exploit".

However, Google has a very specific "responsible disclosure" policy that says it will publish bug reports 90 days after informing the developer unless the bug is already fixed. It believes this deadline is needed to avoid developers dragging their heels in finding a fix. Google says it will sometimes go public earlier if there's evidence the bug is already widely known among hackers and being actively exploited, though that's not the case this time.

Commercial Interests at Play

On this occasion, Google gave Microsoft an extra 14 days beyond the deadline. This was to give Microsoft a chance to complete and release the fix in its scheduled monthly update. Microsoft says it missed the extended deadline because the fix proved more complicated than expected. It says the fix will be done by March 13th, 2018. (Source: theverge.com).

One big problem is that while this is a debate over the principles of responsible disclosure, there's a clear commercial element given that Google and Microsoft produce rival web browsers, and so benefit from the other appearing insecure.

What's Your Opinion?

Was Google right to go public before a fix was ready? Should researchers always wait until a company produces a fix? Or is a deadline needed to pressure the developers to patch promptly?


Comments

Doccus:

... because Google would never have anything to gain by nailing its competition. They "want" the Edge browser to succeed! After all "we're nice guys" "Do no evil, and all that..."
"Oh.. Corporate boys upstairs have decided we're completely doing away with the "Do no Evil" slogan, never to be mentioned again".
"OK.. when can we start doing evil, then?"
"Right now, if you like"
"Yay! Let's mess up that 'Edge' browser and publicize that bug"
"YO!"

hybridauth_Google_117824835727322852037:

Google, Google, what are you doing? You think anyone would actually buy into the idea that you are exposing MS not because it's low-hanging fruit?
Microsoft has always been crap with security; who cares.