Microsoft has detailed its approach to browser security patches in a blog post published yesterday, and it has used Google’s Chrome browser to showcase what it feels is the right way to go about these patches. Central to that approach is its belief that security vulnerabilities should be disclosed privately and ahead of time, giving the vendor the opportunity to patch the vulnerability before the information is made public. Microsoft’s reasoning is that making information about a risk public before it has a chance to be patched gives attackers time to find and potentially exploit the vulnerability, which would obviously be a problem should it end up happening.
In Microsoft’s post, it mentions that it used a remote code execution vulnerability that it found in Chrome to determine whether or not a strong sandboxing model is sufficient on its own to keep a browser secure. For those unaware, Google focuses heavily on sandboxing in its Chrome browser security efforts, so if Microsoft’s testing of the vulnerability seems like a bit of a jab, that’s likely because it is. It follows an instance last year in which Google disclosed a major bug in Microsoft’s Edge browser on Windows before it alerted Microsoft to the problem and gave it a chance to patch the vulnerability, something the company saw as a security risk.
Microsoft feels that giving a vendor sufficient time to patch such an issue is imperative and is the responsible way to disclose security risks that need to be fixed. It notes that it alerted Google to this RCE vulnerability on September 14th of this year, and that Google took nearly a month to ship the fix in the stable version of Chrome. This time to patch the stable version of Chrome is what Microsoft sees as another problem, as Google made the code for the patch publicly available on GitHub within just a few days of fixing the vulnerability in its source tree. Though Google was able to patch the vulnerability in Chrome stable before any exploits were made, Microsoft points out that nearly a month is more than enough time for attackers to find the vulnerability information through a website like GitHub and use it to exploit things if they saw fit. Both Microsoft and Google take security seriously when it comes to their browsers, but it’s evident that the two companies take different approaches to their strategies for patching issues.