The roles are reversed, now it is Microsoft who finds a vulnerability in Chrome

We are already used to the fact that the security experts team of Google Project Zero constantly reveals vulnerabilities in Microsoft products, either in their browsers, in their antivirus or in the same operating system.

But now it has been the other way around, because it is Microsoft’s security research team that has found a vulnerability in a Google product, specifically in its Chrome browser.

In a post on the Windows security blog, Microsoft has explained how it found and exploited a vulnerability in Chrome that allows remote code execution. But as expected, this was not only there.

We take this message to

At Microsoft they took the opportunity to criticize the way in which Google handled their security patches :

We have responsibly disclosed the discovered vulnerability to Google on September 14, 2017, along with a secure exploit for remote code execution. Google corrected the problem in a week within the beta versions of Chrome, but the stable and public channel remained vulnerable for almost a month

Google published the code of the patch before updating the stable versions of Chrome, consequently doing of the public knowledge a fault before fixing it for the users.

Microsoft finds it problematic that vulnerabilities are disclosed to attackers before the patches become available. A clear criticism in reference to the way in which Project Zero handles the vulnerabilities that it discovers in the products of other companies.

Google’s Project Zero gives companies 90 days to resolve security failures before making them public, something that has earned them a lot of criticism, and a subject that has been based on conflicting opinions.

It is irresponsible for Microsoft to make public these failures without a solution has been found, and several times have complained about this because they insist that it endangers users.

However, others think it is an effective solution in the case of those companies that do not show interest in solving their software errors unless they end up jumping to the front pages of the media, put pressure on them and it is good for the competition.