
Disclosure
I wonder if someone who notified them of a bug a couple months ago that didn't make this release will make it public like they've been doing to Microsoft?
Google has patched 62 security vulnerabilities in Chrome 40 and handed out US$88,500 to bug hunters who spotted the problems. Of those fixes, 17 swatted dangerous memory corruption and use-after-free vulnerabilities in Chrome elements including FFmpeg, ICU and DOM. The Chocolate Factory's digital guardians pushed the flagship …
CVE-2014-7923 was created on October 6th, 2014 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7923) - and that is only the date when the CVE identifier was created - not when the vulnerabilty was discovered, which of course happened *before*.
(It looks the other CVE entries too were created on 20141006 - thereby it looks Google too needs time to fix things and release them... how many other later vulns are there and waiting to be patched well after 90 days?)
"Strangely" they waited a "few days" for the release of a patch.... but of course wait for googledrones flying in to say this is different....
The press release doesn't make it clear when the CVE was made public. As the bugfix has just gone into the stable version of the browser, it will have been fixed in beta and canary channels earlier and presumably available as a hotfix if required.
Not that Google might not get caught out by its 90 day rule at some point but at the moment it has the PR on its side.
From the security page:
One of the quickest ways to get involved is finding and reporting security bugs. It will get prompt attention from a security sheriff, be kept private until we coordinate disclosure, and possibly qualify for a cash reward through our Vulnerability Rewards Program. We occasionally run security contests outside of our regular reward program (e.g. Pwnium2, Pwnium3) too.
Oh, and the code is all open source so that miscreants have a head start finding bugs. Except, of course, that automated scans are better than code review for detecting exploits.
Of course the press release doesn't tell it - but it doesn't take much effort to go to CVE site and discover it ... The CVE entry was created at the beginning of October. Unlike Google, they don't publish detail whenever they like - they take security seriously, unlike Google which is now using it as a weapon against MS even if it put users at more risks.
But the very fact that the CVE entry was reserved, assigned and thereby "timestamped", mean that the vulnerability was discovered and sent to Google well before the 90 days Google decided *others* should fix their issues within.
Also, it can be very dangerous to fix vulnerabilities in beta and hotfix - because as soon as that code is released, a simple diff tells you where to look at, even if details are not made public. Vulnerabilities are not alike other bugs - disclosure *must* be very careful or you just get explotable zero days ones. A sound practice is to fix vulnerabilities first in production release and then backport them to any public beta or whatever - the other way round could be much more dangerous.
And, read: "be kept private until we coordinate disclosure" - so they keep them private until they are ready for a disclosure - no matter how long it takes, no deadline here - so what they ask others to comply with is not valid for them. What is funny is people like you thing it's OK.... but Google has washbrained a lot of people who are scared as hell if they have to pay for the software they use...
I didn't find the release date of the CVE anywhere. Contrary to your insinuation I don't think Google is wonderful. There's a lot to criticise about the company. But they're handsomely winning the PR war about security. And I think they understand better than most, that you can only keep the most severe exploits under wraps and even then only a for a very short time (OpenBSD is the model here).
I haven't done a look at the commits but I can't imagine they put something in stable without first having it in the beta version. A hotfix for all versions would be the exception here. I suppose that checking this would prove which of us is right about this.
This post has been deleted by its author