Google Chrome security flaw could’ve left users vulnerable to attack, Microsoft says

There is no love lost between Microsoft and Google when it comes to security patches.

before Microsoft was ready to patch it.

Microsoft was put out by the public embarrassment, with Windows Chief Terry Myerson publishing a blog post that criticised Google for not disclosing security flaws responsibly.

One year later, and the spat between the technology companies rumbles on.

Microsoft unearthed a remote Chrome vulnerability last month, and has now penned a blog post about Google’s approach to security patches.

“We responsibly disclosed the vulnerability that we discovered along with a reliable remote code execution exploit to Google on September 14,” Microsoft Offensive Security Research team member Jordan Rabet writes.

Google was quick to patch the vulnerability in the beta version of Chrome, but the stable version of the app that most users will actually have installed “remained vulnerable for nearly a month”.

This would not usually be an issue. However, Google makes its source code available for free on GitHub (also known as Git) ahead of the update to the stable version of the app.

This allowed hackers time to uncover the flaw.

The Microsoft security researcher blasts this approach, writing that it is “problematic when the vulnerabilities are made known to attackers ahead of the patches being made available”.

“In this specific case, the stable channel of Chrome remained vulnerable for nearly a month after that commit was pushed to git.

“That is more than enough time for an attacker to exploit it.”

Rabet cautions: “A single compromise through a web browser can have catastrophic results.”

Microsoft also uses the blog post to reiterate that it disclosed the bug in Chrome to Google privately – which it believes is the right approach for the industry.

Meanwhile, Google allows its engineers to disclose details of a vulnerability seven days after they have reported it to vendors.

The California-based company has unearthed a number of security issues within Microsoft software, and has occasionally revealed details publicly before the products are patched.

“Our strategies may differ, but we believe in collaborating across the security industry in order to help protect customers,” Microsoft concludes.