London: Microsoft's Windows Security team late Thursday discovered a vulnerability in the Chrome web browser, the details of which the software giant made public in what it considers a responsible disclosure.
Jordan Rabet of Microsoft’s Offensive Security Research Team said in an official blog post that the team had identified a remote code execution flaw in the Chrome browser running on Windows PCs, and called out Google’s lax attitude towards patching it.
"In this specific case, the stable channel of Chrome remained vulnerable for nearly a month after that commit was pushed to 'git'. That is more than enough time for an attacker to exploit it," Jordan Rabet wrote.
Git here refers to GitHub, a software development platform and a repository for distributed software.
"Chrome's process for servicing vulnerabilities can result in the public disclosure of details for security flaws before fixes are pushed to customers," Rabet added.
For its part, Google had rolled out a fix for the vulnerability on GitHub within four days of the initial report, but did not roll out the update on the stable channel for almost a month. The stable channel is the route by which users get updates for the newest versions of Google Chrome on their PCs.
The bug involved a JavaScript engine in Chrome. Microsoft notified Google about the problem, which was patched last month. Interestingly, Microsoft even received a $7,500 reward for finding the flaw, which it donated to charity.
However, Microsoft is using the security flaw in Chrome to claim that its own Edge browser was protected from the same kind of security threat.
Google and Microsoft have previously clashed over vulnerability disclosure. Last year, Google warned the public about a serious security flaw in Windows, but did so before Microsoft could issue a patch.