Microsoft this week threw a subtle jab at Google by revealing a security hole in Chrome.

In a Wednesday blog post, Redmond examined Google's browser security, and took the opportunity to throw some shade at Chrome's security philosophy, while also touting the benefits of its own Edge browser.

The post, written by Microsoft security team member Jordan Rabet, noted that Google's Chrome browser uses "sandboxing" and isolation techniques designed to contain any malicious code. Nevertheless, Microsoft still managed to find a security hole in Chrome that could be used to execute malicious code on the browser.

The bug involved a Javascript engine in Chrome. Microsoft notified Google about the problem, which was patched last month. The company even received a $7,500 reward for finding the flaw.

However, Microsoft made sure to point out that its own Edge browser was protected from the same kind of security threat. It also also criticized Google for the way it handled the patching process. Prior to the patch's official rollout, the source code for the fix was made public on GitHub, a software collaboration site that hosts computer code. That meant attentive hackers could have learned about the vulnerability before the patch was pushed out to customers, Microsoft claimed.

"In this specific case, the stable channel of Chrome remained vulnerable for nearly a month," the blog post said. "That is more than enough time for an attacker to exploit it."

Google did not immediately respond to a request for comment. But the two companies have previously clashed over vulnerability disclosure. Last year, Google warned the public about a serious security flaw in Windows, but did so before Microsoft could issue a patch.

Despite the criticism, Microsoft's blog post did acknowledge that Chrome's isolation techniques should eventually make the browser more resilient against similar threats that try to trigger remote code execution.

And in a bit of irony, engineers from Google tweeted out praise for Microsoft's blog post for raising discussion about the ongoing efforts to secure Chrome.

It is good to see more people discussing the fact that sandbox escape is not always the end goal in exploiting browsers. — Nasko Oskov (@nasko) October 18, 2017

Excellent blog by Windows OSR team showing why the ongoing work on #siteisolation in Chrome is so important. https://t.co/FsSRBF0l33 — Will Harris (@parityzero) October 18, 2017

Further Reading