Microsoft

No good deed remains unpunished, they say, and so is the case of the recent spat between Google and Microsoft's security teams.

This whole "friendly competition" started last fall when Google's Project Zero security team started reporting flaw after flaw in Microsoft products like Internet Explorer, Edge, Windows Defender, and the Windows operating system itself.

While companies reporting bugs to each other isn't anything new, Google went a step further with its reports when in at least two separate occasions its security team disclosed flaws to the public before Microsoft could issue a patch.

The first time this happened was with a bug in the Windows GDI (Graphics Device Interface), and the second time was with a bug affecting both IE and Edge.

Google criticized Microsoft at the start of the month

Despite these headache-inducing public disclosures, Google appears to have crossed a line with Microsoft at the start of the month, when one of the Project Zero researchers took the liberty of criticizing Microsoft's patching methodology.

The researcher pointed out that Microsoft often delivers different patches for older Windows versions, a process that often opens new security flaws on older versions, and could allow attackers to infer the vulnerability's source (attack vector).

This jab didn't go unnoticed at Microsoft. In a blog post today, Microsoft revealed it also found security flaws in Google products, and more precisely in Google's precious Chrome browser.

Microsoft can find bugs in Google products too

Microsoft’s Offensive Security Research (OSR) team found the bug and reported the issue to Google in September. Google fixed it in Chrome 61, and even awarded Microsoft researchers a total of $15,837 for their effort, money that Microsoft plans to donate to charity.

According to Microsoft, the vulnerability (CVE-2017-5121) is a high-severity out-of-bounds information leak that can lead to remote code execution inside a user's browser.

Most of the previous bugs Google researchers found in Microsoft products were found using fuzzers — automated tools for performing fuzzing. Ironically, or not, Microsoft also used a fuzzer to find this bug.

According to Jordan Rabet, the Microsoft researcher who discovered the bug, he used ExprGen, a fuzzer developed by Microsoft and used internally for Edge's Chakra JavaScript engine. Rabet says he used ExprGen on V8, Chrome's own JavaScript engine to find CVE-2017-5121.

It's Microsoft's turn to criticize Google's patching process

But putting the blog post's technical details aside, Microsoft didn't leave old debts unpaid, and just like Chrome criticized its patching methodology, so did Microsoft.

The problem that Rabet pointed out was that the fix for the bug they reported was pushed to the V8 GitHub repository, allowing attackers to potentially reverse engineer the patch and discover the source of the vulnerability.

It didn't help that it took Google three more days to push the fix to the Chromium project and the Chrome browser, time in which an attacker could have exploited the flaw.

Taking into account that this happened in mid-September, Microsoft had no reason to detail a bug in a Chrome version that's not even current. Chrome 62 is the latest Chrome version.

No doubt, Google's criticism of its patching process at the start of October might have touched a nerve with Redmond employees who had no problem in reminding Google today that Google products are not the impenetrable fortresses the company might think they are.