Microsoft Chastises Google Over Chrome Security (pcmag.com) 111
An anonymous reader quotes PCMag:
In a Wednesday blog post, Redmond examined Google's browser security and took the opportunity to throw some shade at Chrome's security philosophy, while also touting the benefits of its own Edge browser. The post, written by Microsoft security team member Jordan Rabet, noted that Google's Chrome browser uses "sandboxing" and isolation techniques designed to contain any malicious code. Nevertheless, Microsoft still managed to find a security hole in Chrome that could be used to execute malicious code on the browser.
The bug involved a Javascript engine in Chrome. Microsoft notified Google about the problem, which was patched last month. The company even received a $7,500 reward for finding the flaw. However, Microsoft made sure to point out that its own Edge browser was protected from the same kind of security threat. It also criticized Google for the way it handled the patching process. Prior to the patch's official rollout, the source code for the fix was made public on GitHub, a software collaboration site that hosts computer code. That meant attentive hackers could have learned about the vulnerability before the patch was pushed out to customers, Microsoft claimed. "In this specific case, the stable channel of Chrome remained vulnerable for nearly a month," the blog post said. "That is more than enough time for an attacker to exploit it."
In the past Google has also disclosed vulnerabilities found in Microsoft products -- including Edge.
The bug involved a Javascript engine in Chrome. Microsoft notified Google about the problem, which was patched last month. The company even received a $7,500 reward for finding the flaw. However, Microsoft made sure to point out that its own Edge browser was protected from the same kind of security threat. It also criticized Google for the way it handled the patching process. Prior to the patch's official rollout, the source code for the fix was made public on GitHub, a software collaboration site that hosts computer code. That meant attentive hackers could have learned about the vulnerability before the patch was pushed out to customers, Microsoft claimed. "In this specific case, the stable channel of Chrome remained vulnerable for nearly a month," the blog post said. "That is more than enough time for an attacker to exploit it."
In the past Google has also disclosed vulnerabilities found in Microsoft products -- including Edge.
Really? (Score:5, Insightful)
Do we point out Microsoft's long and illustrious history of ignoring critical security flaws now or...
Do we just point out Chrome isn't crashing computers with their security updates, thus training their users to turn off automatic updates?
I know, I know, its not the same thing exactly. But you know what they say about people in glass houses.
Re:Really? (Score:5, Insightful)
I would actually prefer that the major players all try to keep each other honest.
Re:Really? (Score:4, Insightful)
I would actually prefer that the major players all try to keep each other honest.
Being honest is one thing, which I do appreciate.
That said, Microsoft doesn't have the right to bash a garage-band IoT maker about security flaws response.
Re:Really? (Score:5, Insightful)
I would actually prefer that the major players all try to keep each other honest.
Being honest is one thing, which I do appreciate.
That said, Microsoft doesn't have the right to bash a garage-band IoT maker about security flaws response.
Everyone, from the lone user to a mega-corporation, has the right to call out security flaws on anyone who exposes others to risk.
Re: (Score:2)
I would actually prefer that the major players all try to keep each other honest.
Being honest is one thing, which I do appreciate.
That said, Microsoft doesn't have the right to bash a garage-band IoT maker about security flaws response.
Everyone, from the lone user to a mega-corporation, has the right to call out security flaws on anyone who exposes others to risk.
I was more intending to highlight the fucking irony of Microsoft doing so. As others have said, those in glass houses...
Re:Really? (Score:4, Insightful)
Agreed. In addition, I'd definitely recommend reading the original Microsoft blog post. [microsoft.com] It's actually not nearly so flame-bait-ish as the breathless headlines and summary imply. It's a fascinating piece of technical detective work, and I think that, while they obviously use this as good propaganda to promote their own technology, the issues they presented seem fair to me.
They also gave Google kudos where that was deserved, but that doesn't make for very good headlines. For instance:
This kind of attack drives our commitment to keep on making our products secure on all fronts. With Microsoft Edge, we continue to both improve the isolation technology and to make arbitrary code execution difficult to achieve in the first place. For their part, Google is working on a site isolation feature which, once complete, should make Chrome more resilient to this kind of RCE attack by guaranteeing that any given renderer process can only ever interact with a single origin. A highly experimental version of this site isolation feature can be enabled by users through the chrome://flags interface.
And consider this:
Servicing security fixes is an important part of the process and, to Google’s credit, their turnaround was impressive: the bug fix was committed just four days after the initial report, and the fixed build was released three days after that. However, it’s important to note that the source code for the fix was made available publicly on Github before being pushed to customers. Although the fix for this issue does not immediately give away the underlying vulnerability, other cases can be less subtle.
Note that they don't actually blame open source. That would be foolish, as they're embracing it more and more themselves.
Some Microsoft Edge components, such as Chakra, are also open source. Because we believe that it’s important to ship fixes to customers before making them public knowledge, we only update the Chakra git repository after the patch has shipped.
Re: (Score:2)
Empirically, one can only conclude that nerds like headlines and summaries that suck moonshite, it's what gives our puny, breathless existence meaning and purpose.
I tend to judge by the worse thing a person or organization won't fix. Unicode is beyond annoying, but the weedy quality of story summaries here (not all of them, but a sizeable proportion) is far and away the worst thing Slashdot won't fix.
Yet Slas
Re: (Score:2)
The problem has always been people who do nothing but use Unicode to abuse the site layout - there's a lot of Unicode codepoints out there and a lot of them have side effects that allow you to easily mess up websites. It's a sure sign of "Unicode is so easy let's add it" and then two days later the comment area is rendered useless because all the trolls abuse it.
And besi
Re: (Score:3)
Yes. The real problem is that Microsoft is advocating for slow-rolling disclosure of security vulnerabilities by hiding patches until the stable release comes out. That's fine, it's not an insane stance, but they're presenting it as though that's obvious and noncontroversial and that there are no drawbacks to their methodology and no advantages to Google's full disclosure policy. That's where they're being disingenuous--full disclosure vs. slow disclosure is one of the more hotly debated topics in securi
Re: (Score:2, Troll)
You do know IE 6 came out almost 17 years ago right?
Re: (Score:3)
You do know that the person you replied to didn't mention IE 6, right?
Re: (Score:2, Informative)
Did they stop having security flaws with IE 7? 8? Edge? Office? Sharepoint? Exchange? Skype? (continue listing all of Microsofts products...)
You want to talk ignorance and then act like there hasn't been ample evidence of bugs from Microsoft Products in the last 16 years...
Ok how many exploits have been found in Chrome, Firefox, Linux, or any other product not from Microsoft? So far Chrome has 9 pages worth! [cvedetails.com]
It's not reported here because we love Linux and Google is cool and we hate Microsoft. I do say this not as a troll but fact with the audience and who selects stories here. My point is most complex software has flaws. Stuff written in C/C++ has lots too as bounds checking and code execution around a buffer overflow were common and both Windows and Unix historically had the
Re: (Score:2)
You do know IE 6 came out almost 17 years ago right?
More importantly, how long did developers and businesses had to suffer from this garbage browser?
Re: (Score:2)
You do know IE 6 came out almost 17 years ago right?
More importantly, how long did developers and businesses had to suffer from this garbage browser?
My last employer still used IE 6 heavily. Actually our customers did. 1/3 of our enterprise customers still in 2017 still standardized and developed for IE 6 as the code was written between 1999 - 2004 when it had 95% marketshare and we all logically thought no changes would ever be made again since Microsoft set the standards which was common at the time.
Due to technical debt and the importance of the apps it is impossible to ever upgrade. THey waited until 2014 to leave XP behind due to IE 6 and decided t
Re: (Score:3)
Microsoft sucked at security before, they don't now...
Given Microsoft Telemetry, I really don't see products as any more secure, even when the masses exchange privacy for a free upgrade.
Re: (Score:3)
How about I can uninstall chrome and gain privacy from google but I can not uninstall wildly privacy invasive elements of Windows 10 and I can not stop M$ installing what ever software they want to unless I never connect a Windows 10 computer to the internet, literally impossible and I can stop Google from install software on my computer. Google my claim a right to my privacy but M$ actually claims a right to my privacy, my PC and my internet connection, well, if I am stupid enough to run Windows 10.
You ca
Re: (Score:2)
Do we just point out Chrome isn't crashing computers with their security updates, thus training their users to turn off automatic updates?
Huh? You can turn off security updates in Chrome and Windows?
Re: (Score:1)
Do you have a cite for that, and not just drive-by FUD?
Re: (Score:2)
Why it hasn't been exploited yet, I don't know. But since day one the Windows Firewall lets traffic pass without notification.
This link claims it's for Windows Product Activation https://support.microsoft.com/... [microsoft.com] and always open. When first released it was known to pass any with a license held by microsoft.
Takes me Autoruns, and gpedit to disable the Windows firewall and defender.
Re: (Score:1)
Re: (Score:3, Insightful)
In a professional setting, updates are tested on a test server to make sure they don't break anything before they are applied to production servers. And the moment they are applied is planned carefully. Auto update is irrelevant there, what is relevant is that Euqifax didn't handle their environment like a professional should.
Re: (Score:2)
That sounds reasonable but tend to not work out for non-trivial systems. It's better to always update, even in production, and detect failures and mitigate them.
You've had experience mitigating boot failures on 50,000 PCs, while every minute of downtime is costing the company many thousands of dollars?
Re: (Score:1)
That sounds reasonable but tend to not work out for non-trivial systems. It's better to always update, even in production, and detect failures and mitigate them.
You've had experience mitigating boot failures on 50,000 PCs, while every minute of downtime is costing the company many thousands of dollars?
No, because I release/stage updates to a small pilot group first the first night(s) and only roll them out to the masses if the pilot group(s) have no issues or only when those issues are resolved.
I suppose your "ignore problems and then blame any/everyone else" for not properly managing your infrastructure style works for you too.
Ahh... not auto-updates, then.
Re: (Score:2)
It does seem like he is claiming both side of that issue.
Re: (Score:1)
Automated updates does not mean that every single host applies the update at the same time though.
If you are testing on a subset, then deciding whether or not these then are applied to a wider set of machines, I am hard pressed to see how that is an auto-update and not a traditional test and release methodology.
Re: (Score:2)
The Equifax mega breach demonstrated what happens when a company with an annual turnover of US$ 3.1 billion, uses software on an Internet facing machine without testing it for security vulnerabilities. In fact they didn't even have a patch strategy in place or even know who was responsible for implementing such patches.
Of course (Score:3)
But both of them are now process driven companies, primarily focused on not overturning the boat, and the result is code that follows process. As long as process is followed, you don't have to worry about whether you did a good job or not. Just go home at the end of the day. That is the mentality of the vast majority of mediocre programmers at both companies.
Re: (Score:2)
Good has some really good programmers, and so does Microsoft. In the past they were even more impressive. But both of them are now process driven companies, primarily focused on not overturning the boat, and the result is code that follows process. As long as process is followed, you don't have to worry about whether you did a good job or not. Just go home at the end of the day. That is the mentality of the vast majority of mediocre programmers at both companies.
Cite?
Re: (Score:2)
Re: (Score:2)
Which part exactly do you disagree with?
I didn't say I disagreed (or agreed), I just asked for substantiation of your claims. Are you speaking from personal experience, having worked at Microsoft and Google? Are you relaying information from friends who work there? Do you have some other sort of basis for your claim?
Re: (Score:2)
Re: (Score:2)
You'll have to narrow it down a bit more, I'm not going to give you a citation for every sentence in my post. If there's something I said that seems particularly unlikely, let me know, and I will either give some evidence to support it, give it a disclaimer, or outright retract it.
There wasn't that much in the post in question. But, here:
But both of them are now process driven companies, primarily focused on not overturning the boat, and the result is code that follows process.
And
As long as process is followed, you don't have to worry about whether you did a good job or not. Just go home at the end of the day.
And
That is the mentality of the vast majority of mediocre programmers at both companies.
Re: (Score:2)
But both of them are now process driven companies, primarily focused on not overturning the boat, and the result is code that follows process.
I see evidence of this in a lot of different places. For Microsoft, there is this [blogspot.com], and from what I've heard from people who worked there, it's basically like that all over Microsoft. Similarly, you can see the results in their products (that link shows an example of their processes entering the product in an obvious way). Similarly, at Google, I've talked to people who work there, and it seems about the same. Again you can see it in the output of their product (they must have some good people on the search
Re: (Score:2)
In the past they were even more impressive
One of them, yes (hint: not MS)
Pot criticises kettle (Score:2)
Says it has poor cleanliness standards.
Re:Pot criticises kettle (Score:5, Informative)
IE 6 was made 17 years ago.
Disclaimer I am using Chrome so I am not drinking the coolaid.
MS changed to being secure in 2004 with the famous Bill Gates memo. IE 8 matched Chrome 1.0 with kernel level sandboxing in %appdata/lowrights and per threading process since 2009. Firefox just matched IE 8's security this year which is why I dumped it for Chrome in 2011 after the 4.0 fiasco.
IE 9 started the change to standards with hardware acceleration and IE 11/Edge are fully 100% W3C compliant. Infact I think IE 10 is W3C compliant too and no longer sucked but was a bit behind Chrome and Firefox at the time.
Anyway I welcome the rapid improvement to security and standards compliance for both. Where Edge sucks is it is more of a mobile browser than a desktop and had issues crashing during the initial Windows 10 build 204100 release 2015. But that is my take.
Re: (Score:3)
MS changed to being all spyware, all the time with Windows 10.
An OS which spies on you is the diametric opposite of security.
Re: (Score:2)
Just what do you think coolaid is?
Disclaimer, I do not use Chrome since I don't like coolaid, but I have had the chance to use Edge extensively over the past year and found it favorable in every respect. Although Edge is not my primary browser, so I would really like you to elaborate on, "Where Edge sucks is it is more of a mobile browser than a desktop..." As I have no idea what you are talking about.
Re: (Score:2)
In other news (Score:1)
Local high school basketball coach criticizes NFL team for its poor tackling form on Sunday.
While I agree with them, it should be noted that Edge is not even in the same league as Chrome.
month long release wait? (Score:3, Interesting)
Bugs happen. What has me worried is a month long waiting time between security fix in public facing repository and release. This pretty much asks for exploitation even by not very skilled "hackers" as interested parties have lots of time to prepare viable exploit based on provided regression tests.
Damn Google! (Score:4, Funny)
I don't know of any other company that has a monthly release cycle for security updates, even for zero day bugs! Google you are evil, you should be like Micros... oh.
Re: (Score:2)
thegarbz quipped:
I don't know of any other company that has a monthly release cycle for security updates, even for zero day bugs! Google you are evil, you should be like Micros... oh.
Mod parent +1 Funny, please ...
Re: (Score:2)
Mod parent +1 Funny, please ...
I appreciate the support. I have to admit it did not occur to me that a moderator may not have a sense of humour and may need instructions.
Re: (Score:2)
I requested:
Mod parent +1 Funny, please ...
Prompting thegarbz to respond:
I appreciate the support. I have to admit it did not occur to me that a moderator may not have a sense of humour and may need instructions.
In my experience, most people do not, in fact, possess an actual sense of humor. That's why laugh tracks exist.
You're welcome, btw - and I'm gratified to see that some moderators have followed my advice, regardless of whether they required it or not ...
People who live in glass houses... (Score:2)
People who live in glass houses...
Re: (Score:2)
...shouldn't parade around in clothing made for emperors.
I hope they enter a pissing contest... (Score:5, Insightful)
Did they just blame open source? (Score:2)
*Cough* Pwn2Own *Cough* (Score:3)
Well this was covered recently [slashdot.org]
Re: (Score:2)
Microsoft oversells their CFI mitigations (Score:3)
I wrote about this:
http://robert.ocallahan.org/20... [ocallahan.org]
Summary: In practice, attackers can leverage arbitrary-write bugs to produce the same-origin violations Microsoft warns about without requiring RCE, completely bypassing the CFI mitigations Microsoft is touting here.
Please donate to MS (Score:2)
Re: (Score:2)
Joking aside, I thought people might like to know the actual numbers and result:
We responsibly disclosed the vulnerability that we discovered along with a reliable RCE exploit to Google on September 14, 2017. The vulnerability was assigned CVE-2017-5121, and the report was awarded a $7,500 bug bounty by Google. Along with other bugs our team reported but didn’t exploit, the total bounty amount we were awarded was $15,837. Google matched this amount and donated $30,000 to Denise Louie Education Center, our chosen organization in Seattle. The bug tracker item for the vulnerability described in this article is still private at time of writing.
It appears these companies don't pay each other directly, but donate to company-chosen charities. And in Google's case, it looks like it matched those donations, in effect paying double. So, I guess good on both of them for that.
Re: (Score:2)
It appears these companies don't pay each other directly, but donate to company-chosen charities. And in Google's case, it looks like it matched those donations, in effect paying double. So, I guess good on both of them for that.
The magic of operations made public.
Blame Chrome for Windows defects .. (Score:2, Insightful)
That's a bit rich coming from Microsoft. Security resides in the Operating not in the Browser. Chrome wouldn't need sandboxing if the underlying Operating System did its job. That is isolate one processes memory from the other. Something the WinTEL platform seem unable to do despite numerous iterations of the x86 proc
Re: (Score:1)
How did you manage to read that into what I actually wrote. If the Operating System did this one thing: isolate process memory from each other then we wouldn't need SANDBOXING, OSR, RCE, CFG, ACG, LPAC or WDAG. What just occurred to me is when and if Microsoft disclosed such mitigations to the Chrome developers
Re: (Score:1)
Why do you persist in willfully sowing confusion here. Isolating process memory means exactly that, therefore the browser don't need sandboxing and cannot access external data. At least if the browser wasn't running under Windows. Where presumably EDGE is so welded to the OS that a bug can lead to total compromise of the System. A bug
Re: (Score:2)
Chrome wouldn't need sandboxing if the underlying Operating System did its job. That is isolate one processes memory from the other. Something the WinTEL platform seem unable to do despite numerous iterations of the x86 processor.
Except you still have all the same kinds of flaws in other operating systems, too, which is why Chrome is also sandboxed on other platforms, e.g. Linux [googlesource.com]. It's not just Windows. The techniques vary, but no mainstream OS is designed for security first. That would impinge upon performance. Microsoft literally decided to go the other direction in NT4, specifically in the name of graphics performance.
*stab from the band* *laughter in the audience* (Score:2)
*Bill Maher enters the stage, waits for cheering to calm down*
Bill - "Good evening ladies and gentlemen, as we've just heard from the tech community, ..."
Microsoft Chastises Google over Security
*laughter errupts* ...
Pop the champagne! (Score:2)
We found something that's insecure in Chrome that Edge isn't susceptible to!
Hey, that's reason to celebrate, and use the good champagne. It's not like it happens often.
Re: (Score:2)
I'm guessing it's Nadella's changes.
Don't want to be tough on Ballmer, but that's a fact.
Can I block ads and javascript in Edge (Score:2)
...as easily as I do in Chrome?
No?
Then fuck off with that.
Re: (Score:2)
OK, fine, where can I download Edge for Linux? (Score:2)
https://www.cvedetails.com/vul... [cvedetails.com]
Please dont say throw some shade (Score:2)
Unless you are a teenager, please don't use the slang "throwing shade". It just makes you sound like a old person, desperately trying to appear cool by talking like a teenager.
Ironic, Don't you think? (Score:1)