
Google discloses Microsoft Edge security flaw before a patch is ready - IntronExon
https://www.theverge.com/2018/2/19/17027138/google-microsoft-edge-security-flaw-disclosure
======
tptacek
Here's the bug:

[https://bugs.chromium.org/p/project-zero/issues/detail?id=14...](https://bugs.chromium.org/p/project-zero/issues/detail?id=1435)

It's a race condition that allows an ACG bypass. Under ACG, only privileged
processes in the browser process ensemble can create new executable pages. But
the mechanism by which privileged processes "give" executable pages to less-
privileged processes enables the lesser processes to populate them with code
of their choosing. It's medium severity because it's just a bypass of a
(relatively new) security control. For it to be useful, you already need to
have an RCE-able bug.

The headline is a bit misleading, and the article keeps you on the hook for a
couple grafs before explaining.

You don't get "indefinitely, until the patch is released" from Google. You get
90 days. It's on you, the vendor that shipped the buggy software, to figure
out how to ship a patch within 3 months. If you can't, you can ask for a grace
period, which Google isn't obliged to give you (but did give here). I believe,
but am not sure, that Google will give longer grace periods for very severe
vulnerabilities, at their discretion.

This is how it has to be. Big vendors --- Google almost surely included! ---
will backburner patches for months and months if they aren't given hard
deadlines. Deadlines serve the users --- not just of the vulnerable software,
but of all the other users that might depend on the people who use that
software in some indirect way.

Either way, it doesn't look like anything was done to spite Microsoft. But a
"business continued as usual" headline wouldn't attract as many clicks, I get
that.

~~~
jacksmith21006
Yes Google allows longer for bigger issues. Meltdown and Spectre two great
examples.

What surprises me is that so many of the really big ones seem to be found by
Google.

Spectre and Meltdown by multiple people. But Shellshock, Broadpwn, Heartbleed,
and Cloudbleed if memory serves all found by Google.

Off the top of my head can not think of a major one the last couple of years
found by anyone but Google. Anyone else?

~~~
ocdtrekkie
Project Zero remains one of the few true gems at Google. They do good work.
They probably don't call out their own employer as much as they should
(understandable, considering), but they do darn good work, and have made a
significant impact in making the Internet more secure. Everything from
competitors' operating systems to browser extensions has gotten their
attention, almost seemingly at random.

I'd actually be super curious to know how they pick what they look into. Just
a "hey, I wonder about this" while going about their day, or if they have some
sort of agenda laid out for when to look at what software.

~~~
seanmcdirmid
They probably call out their employer internally, know who to call directly
when they find something, and so on. For stuff that isn't their own, the rules
are probably very different.

At least that is how I would run something like this.

~~~
xbmcuser
If I recall correctly a bug in Chrome was disclosed before Google could fix it
by the Project Zero team as the 3 month deadline had passed.

------
tehlike
Whether Google should disclose after 90 days or not is up for debate maybe,
but I for one applaud the effort. For many, many years, exploits have gone
undetected/unpatched. If Google's approach is to force people to fix them, so be
it.

Microsoft has no right to be angry - they should be thankful. This is people's
data, their business at risk. After being in the business for such a long time,
and with the resources they have, they can afford to put a small army of SWEs
to fix security bugs.

Unlike a small company, the bugs in widely used software, by definition,
affect a large set of people.

Disclaimer: google employee.

~~~
zamalek
> If Google's approach is to force people to fix them, so be it.

That's not actually what responsible disclosure is for. Responsible disclosure
is a process that [correctly] assumes that a malicious third party has also
discovered the bug and is currently exploiting it or selling it, but
acknowledges the assumption. If you disclosed bugs immediately, they could be
novel and you could have let the cat out of the bag. If you never disclose
bugs, they could already be in the wild and doing damage.

Forcing Microsoft to fix it is just a beneficial side-effect.

~~~
lawnchair_larry
That’s called coordinated disclosure. There can be no such thing as
“responsible” disclosure, and Microsoft has disavowed that term.

------
appleflaxen
Or, the equivalent title: "Google gives Microsoft the standard 90 day window
that it gives everyone"

~~~
lucb1e
Except Intel's CPU bugs, and perhaps others that I don't know about.

------
TwoNineA
90 days + 14 days grace time.

Why isn't that enough?

~~~
ocdtrekkie
It took Google five months to get KRACK patched on the Pixel 2, despite third
party ROM authors doing it in two days. Suffice it to say, many vendors miss
deadlines for this stuff on occasion. There are probably a number of reasons
for this, including difficulty of repair, the fact that third party software
may depend on the broken functionality, etc.

Microsoft and Google both patch security updates every single month that fall
well within the common 90 day disclosure window. And then every so often, they
fail to.

------
ninjanautsi
"The public disclosure will likely anger Microsoft, once again." What has
Microsoft done to retaliate in, if any, previous disclosures?

