Google has a habit of telling the world when it finds a security problem in Microsoft software. The officials in Redmond like to wring their hands and complain about Google putting Microsoft customers at risk, but eventually they just acknowledge the bugs and fix them as best they can.
But there's nothing stopping Microsoft researchers from poking through Google software and finding bugs of their own. And that's just what they're doing now, announcing a new vulnerability disclosure policy for non-Microsoft products, and kicking off the program today with two security reports covering products made by none other than Google.
Both security reports affect the Chrome browser. Google likes to brag that its sandboxing method keeps users safer than they would otherwise be in Internet Explorer. But no browser is bullet-proof and Microsoft wants Web surfers to know that Chrome has problems of its own.
In the previous Google/Microsoft dustups, Microsoft has complained that Google didn't give enough warning to Microsoft before disclosing vulnerabilities publicly, while Google officials protested that they had given Microsoft plenty of time and that the company dragged its feet.
Microsoft is making it clear in its security reports that it discussed them with Google before going public, and in fact says that Google has already fixed the security bugs Microsoft is disclosing. Computerworld reports that the security holes were fixed by late last year, and a Google spokesperson tells me via email "these issues are actually quite old" and were covered in Google announcements in September and December.
So from that perspective, the bug reports don't seem all that groundbreaking. But on to the specific Chrome problems. Microsoft's new bug report MSVR11-002 says the "HTML5 implementation in Chrome and Opera could allow information disclosure."
"An information disclosure vulnerability exists in the implementation of HTML5 in these Web browsers [Chrome and Opera]," Microsoft says. "Specifically, as the World Wide Web Consortium (W3C) describes in the HTML5 specification for security with canvas elements, information leakage can occur if scripts from one origin can access information from another origin."
The other bug report says a vulnerability in Chrome "could allow sandboxed remote code execution."
"A sandboxed remote code execution vulnerability exists in the way that Google Chrome attempts to reference memory that has been freed," Microsoft said. "An attacker could exploit the vulnerability to cause the browser to become unresponsive and/or exit unexpectedly, allowing an attacker to run arbitrary code within the Google Chrome Sandbox. The Google Chrome Sandbox is read and write isolated from the local file system which limits an attacker."
There are limitations to both of these threats. The HTML5 vulnerability, for example, requires attackers to "possess the IP address of the network resource that contains the private information." And in the case of the sandboxing risk, "Successful exploitation of this vulnerability does not allow for code to run outside of the Google Chrome Sandbox, which is read and write isolated from the local file system, although other attacks may be possible."
These are just the first bug reports affecting third-party software we're seeing from Microsoft, so it will be interesting to see which other vendors might fall in Microsoft's cross-hairs.
But Microsoft is proceeding cautiously. Google researchers on occasion seem to act alone, with no involvement from higher-ups. But Microsoft is dictating standards to its employees for how they can report vulnerabilities, and waiting until the bugs are fixed before disclosing them publicly, at least in these first examples. Still, a shift is evident. After years of being put on the defensive by security researchers pointing out holes in Microsoft software, the hunted has become the hunter.