You're doing open source wrong, Microsoft tsk-tsk-tsks at Google: Chrome security fixes made public too early

Redmond wags its finger

By Iain Thomson in San Francisco


A few weeks ago, Google paid Microsoft $7,500 after Redmond's security gurus found, exploited and reported a vulnerability in the Chrome browser – a flaw that would allow malicious webpages to run malware on PCs.

Now Microsoft isn't entirely happy with the way Google handled it, and having been schooled a few times on security by the web giant, the Windows goliath has taken the opportunity to turn the tables and do a little finger wagging of its own.

As it turns out, the Chrome bug is pretty interesting. The Microsoft Offensive Security Research team fired up its internal ExprGen fuzzer, normally used to hunt for vulnerabilities in Edge's Chakra JavaScript engine, and pointed it at Google's browser. The Redmond gang found that they could reliably crash Chrome's V8 JavaScript interpreter, but couldn't initially work out what the exact issue was.

They found that the Chrome programming cockup appeared in code dynamically generated by V8's just-in-time compiler, but only when, on a 64-bit Intel system, the processor's rax register was zero and used as a base pointer. This wasn't good news, because it looked like a classic null-dereference bug – rax had been set to null but used anyway – which is a pain to exploit because today's operating systems forbid access at and near address zero.



The issue was traced to a memory slot being used before it is initialized with a valid pointer, and the team found it could spray enough values over memory to fill in the slot with their own pointer. The team then found a way to exploit this to read and write as they pleased in memory. This arbitrary access was, as usual, the bridge the gang needed to place their own code in memory and then change a function pointer to that code, so it is executed by the browser. Now they have control of Chrome from data injected from a webpage: straight up remote-code execution, and a ticket to compromising the browser and potentially the underlying system.

You can read the full, highly detailed, explanation here.

Google fixed the issue within days of being alerted to the bug by Microsoft, and paid a bug bounty to the researchers, along with another $8,337 for other uncovered blunders. And the team may have been tempted to go for dinner and lots of drinks, but instead donated the dosh to charity. But while the problem was easy enough to fix, it was what happened next that had the Microsofties raising their eyebrows.

The team sent its bug report to Chrome engineers on September 14, and it was acknowledged and fixed within a week. The fix was pushed out to the public Chrome GitHub source code repository days before new builds featuring the security patch were released to the world. Redmond felt that this approach, with its delay between security fixes appearing in the GitHub repo and updated binaries going out to the public, poses a real danger.

Eagle-eyed miscreants watching the GitHub repo can spot fixes applied publicly in the Chrome source code, and develop and deploy malware exploiting these bugs before people get a chance to download and install corrected versions of the browser. During that delay, users' Chrome installations remain vulnerable.

For example, the above V8 hole was fixed publicly in the source code here, and Chrome was updated and released three days later. Microsoft gave another example, though: this private security bug report with an accompanying public patch. The code wasn't released as a stable build until a month later.

On Wednesday this week, Microsoft team member Jordan Rabet said:

Servicing security fixes is an important part of the process and, to Google’s credit, their turnaround was impressive: the [V8 engine] bug fix was committed just four days after the initial report, and the fixed build was released three days after that. However, it’s important to note that the source code for the fix was made available publicly on GitHub before being pushed to customers. Although the fix for this issue does not immediately give away the underlying vulnerability, other cases can be less subtle.

Case in point, this security bug tracker item was also kept private at the time, but the public fix made the vulnerability obvious, especially as it came with a regression test.

This can be expected of an open source project, but it is problematic when the vulnerabilities are made known to attackers ahead of the patches being made available. In this specific case, the stable channel of Chrome remained vulnerable for nearly a month after that commit was pushed to git. That is more than enough time for an attacker to exploit it.

Somewhat primly, Rabet noted that Microsoft's own Chakra JavaScript engine is open source, and Redmond would never release a flaw report before it was fixed for just this reason.

"Some Microsoft Edge components, such as Chakra, are also open source. Because we believe that it’s important to ship fixes to customers before making them public knowledge, we only update the Chakra git repository after the patch has shipped," said Rabet.

"Our strategies may differ, but we believe in collaborating across the security industry in order to help protect customers. This includes disclosing vulnerabilities to vendors through Coordinated Vulnerability Disclosure (CVD), and partnering throughout the process of delivering security fixes."

Back in old Blighty, we'd call that a score draw, Google. The advertising giant did not respond to a request for comment. ®
