With technology becoming so ubiquitous in our lives, tech firms are constantly on the lookout for security loopholes in products that hackers and the like can use to cause harm. In many cases, the loopholes are fixed, but every so often, one of them slips through the checks. With its vast resources and presence in cyberspace, search engine giant Google created Project Zero in 2014, a team of cybersecurity professionals dedicated to finding zero-day vulnerabilities in popular software, and its latest revelation deals with Microsoft.
The team recently made public a security flaw in Microsoft’s Edge browser before the company had a fix ready. While not severe, the flaw – which lies in the way Microsoft Edge handles code execution – could potentially let attackers bypass the browser’s security features and place malicious code in the target computer’s memory. Researcher Ivan Fratric of Project Zero discovered the error on November 17, 2017, after which Google notified the company as per its policy.
Standard Project Zero policy gives a company 90 days after a security flaw is discovered to fix it. If the company cannot produce a fix within that period, a further 14-day grace period is available. However, if the company indicates that it will not be able to produce a fix even within the grace period, the extra 14 days are not granted, as happened in Microsoft’s case. In its response to Fratric’s notification, Microsoft had said, “It is very likely that we will not be able to meet the February release deadline due to these memory management issues. The team is positive that this will be ready to ship on March 13th.” Because the company had indicated that it would be unable to release a security fix in time, Google went ahead and made the flaw public.
This is not the first time the two tech giants have sparred over disclosures of security vulnerabilities. Microsoft has long been resistant to Google’s aggressive disclosure policy, leading to some tension between the two. In the past, Google has voided its own 90-day policy in cases where the security flaw presents a serious threat or is being actively exploited, such as when it publicly revealed a major bug in Windows in 2016 just 10 days after reporting it to Microsoft. In response, Microsoft has publicly questioned the fairness of Google’s 90-day policy, even pointedly “responsibly” disclosing a flaw it discovered in the Chrome browser in October 2017 to Google to give it enough time to come up with a patch.
While the latest reveal is not a major embarrassment for Microsoft (Project Zero has rated the security flaw as “medium” in severity), it is unlikely to make the company happy. This latest episode in the Microsoft-Google rivalry will also likely lead to a fresh debate on whether Google, a tech company with vested commercial interests, has the right to disclose security flaws in competitors’ products in the name of the public interest.