Skip Links

Microsoft, Google make amends over IE8 zero-day flaw

Microsoft fixes bug after criticism from Google security researcher

By Jon Brodkin on Wed, 10/13/10 - 10:48am.

Last month, a little dustup occurred between rivals Microsoft and Google over a years-old security flaw in Internet Explorer that a Google researcher had been pushing Microsoft to fix.

But the companies have seemed to make amends, with Microsoft fixing the bug this week in its monthly Patch Tuesday security update, and even publicly thanking Google researchers three separate times for reporting flaws in Microsoft software.

In September, Google security researcher Chris Evans complained that he had been "unsuccessful in persuading the vendor to issue a fix" and posted a link to a proof-of-concept demonstrating how the vulnerability could be exploited in Internet Explorer 8.

The example Evans used showed how an attacker could take over a Twitter account and force a victim to make tweets. The bug could also let hackers "hijack Web mail accounts" and "steal data," Computerworld's Gregg Keizer reported.

Upon Evans' actions, Microsoft acknowledged the bug and developed a patch, which was released yesterday as part of security update MS10-071, which fixed ten vulnerabilities in total and was rated critical for IE6, IE7 and IE8.

"The security update addresses these vulnerabilities by modifying the way that Internet Explorer handles objects in memory, CSS special characters, HTML sanitization, the AutoComplete feature, the Anchor element, and script during certain processes," Microsoft said.

Most IE users won't have to take any action because the update will be downloaded and installed automatically, Microsoft said.

Microsoft thanked Google researcher Eduardo Vela, or "Sirdarckcat," for reporting a security issue described in update MS10-071, but did not thank Evans by name.

Microsoft also thanked Vela for reporting one other flaw and another Google researcher for reporting a third flaw, both of which were fixed yesterday.

This is common practice - Microsoft issued more than 20 thank you notes to researchers who contributed to the latest security update.

Google executives still claim that its own Chrome is a more secure browser, even releasing "Chrome Frame," an Internet Explorer add-on that supposedly improves the Microsoft browser's performance and security. Microsoft, in turn, claims that Chrome Frame simply doubles the attack surface of Internet Explorer. 

So it would probably be going too far to argue that Microsoft closing the security hole publicized by Evans signals a resolution to the browser security arguments contested between Microsoft and Google. But at least it brings one issue to a close, and hopefully will make users of Internet Explorer just a little bit safer.

Follow Jon Brodkin on Twitter

On The Web
Facebook
Twitter