Google reveals Edge bug that Microsoft has had trouble fixing

Google has again decided to disclose a flaw in Microsoft software before the latter company could deliver a fix. Indeed, Microsoft has struggled to fix this problem. Detailed here on Google's Project Zero bug-tracker, the flaw impacts the just-in-time compiler that Microsoft's Edge browser uses to execute JavaScript and makes …

  1. Anonymous Coward
    Anonymous Coward

    Google should worry about their own bugs before they complain about others, like when are they going to fix the regression/bug that disables Android Pay on Android Wear devices, since the Oreo upgrade?

    Or how about fixing the DDoS bug their google home devices cause on your WIFI network?

    1. Anonymous Coward
      Anonymous Coward

      Or the DOS attack they made on my previous employer-

      We had a 10mbps connection and Google were pumping 100mbps down the link for weeks on end. You can't call them, you just go through a list of options, which basically tell you to go to the relevant section of the Google website... But there is no part of the website dedicated to Google misbehaving or attacking other people.

      Emailing the abuse@ mail address gets an automatic reply saying that they have so many mails to this account, that they are automatically dumped and not read...

      We had to pay our ISP to block the address at their perimeter. Luckily, we were in the middle of switching to a new provider, so we only had to get the address blocked for a couple of months.

      The attack came from an IP address registered to Google, but it was probably either a misconfigured server or somebody in their cloud doing something naughty...

    2. Waseem Alkurdi

      Worrying about others' bugs?

      That's called Marketing.

  2. Tom 64
    Windows

    Intel issues

    Not so surprising they didn't disclose the intel bugs quickly - all of their cloud runs on x86 intel and they wouldn't want the expense of cleaning up the outright ownage that would result if they disclosed before intel had decent fixes ready.

    Microsoft on the other hand have a competing software product, so fuck 'em

    1. big_D Silver badge

      Re: Intel issues

      Yes, I find it very arrogant of Google to assume they know more about Microsoft's development capabilities than MS themselves.

      If they had registered the bug with Microsoft and Microsoft had either refused to address it or not responded at all, then I could understand releasing the report. But if the patch is being written and they have a release date, I find it irresponsible of Google to still release information before the patch is released.

      1. RyokuMas
        Devil

        Re: Intel issues

        "I find it irresponsible of Google to still release information before the patch is released."

        But then, as the Intel issue proved, this is nothing to do with altruism and making the web a safer place - although it's dressed up as such.

        As has been pointed out, this is about attacking a competitor and spreading FUD - exactly the same tactics Microsoft themselves were renowned for some 25 or so years ago. The fact that Google's own browser, which has its own share of issues, reached its market leading position largely because of its being plastered all over their search pages only strengthens the case for anti-competitive behaviour.

        1. I ain't Spartacus Gold badge
          Big Brother

          Re: Intel issues

          Chrome didn't reach market dominance through just being on the Google home page. Though I'm sure that helped.

          Chrome got a huge boost because it was downloaded like malware, when you updated Flash (and some other software) and failed to untick the relevant box. It's how the "Google toolbar" ends up in peoples' browsers too.

          Also Chrome seems to be quite good at getting itself set as default browser, for some reason.

          Apple used similar dodgy tactics with Safari for a while, getting it installed along with itunes updates. But the difference is they never seemed to manage to fool users into making it their default - and most never noticed it was there.

  3. Steve Knox
    Mushroom

    Another Viewpoint

    Which is just great news - NOT - seeing as Microsoft's unwillingness to dedicate enough resources to fixing the flaw in time means it's now visible to anyone who feels like some evil fun.

    This is not the first time Microsoft has failed to fix flaws before Project Zero's published (and then extended (and sometimes extended again)) deadlines, and Redmond is still blaming information disclosure rather than accepting responsibility for their own mistakes.

    Over the past 40 years, security experts have continued to criticize Microsoft on grounds that its irresponsible code security practices can endanger users. Significant change from Microsoft has not been forthcoming.

    Who's more responsible for the explosion, the man who builds the bomb, the man who writes the manual for it, or the man who sets it off?

    1. Steve Browne

      Re: Another Viewpoint

      The man who builds the bomb, without it the other two are redundant.

    2. Anonymous Coward
      Anonymous Coward

      Re: Another Viewpoint

      Who's more responsible for the explosion, the man who builds the bomb, the man who writes the manual for it, or the man who sets it off?

      Disregard that China man built the bomb, India man wrote the manual and USA man set it off, it is obvious that the North Korea man is more responsible for the explosion. /joke

    3. big_D Silver badge

      Re: Another Viewpoint

      I assume you have intimate knowledge of the Edge source code and how their development teams have been working on this problem... You know that they had developers just sitting around kicking their heels during the last 3 months, who had intimate knowledge of Edge and how the JIT works?

      MS were also, like everybody else in the industry, very busy with Meltdown and Spectre during that 90 day period.

      1. bombastic bob Silver badge
        Trollface

        Re: Another Viewpoint

        "MS were also, like everybody else in the industry, very busy with Meltdown and Spectre"

        Agile 'Scrum' meetings, B.S. sessions, and Beer o' clock at 3PM

        "during that 90 day period."

        fixed it for ya

        Seriously, though, I think their most experienced people left at around the Windows "Ape" time period, when everything started to go downhill, and internal policies were driving the good people away.

        So after Win-10-nic and firing all of their testing people [relying instead on CUSTOMERS to beta test their crapware as it's shoved down the pipe onto every Win-10-nic machine - oops, we did it again! So sorry!], they now have a bunch of inexperienced _CHILDREN_ doing most of the work. No doubt they have very good self-esteem and 'team attitude', actual skills and experience not being a major factor in hiring them.

        Would they had someone like ME there, who'd be using profanity for 10 minutes after starting a code dive, then pop up and say "who the HELL wrote THIS crap! Dammit, I need some @#$%)((@#$* coffee and maybe a stiff belt o' something that's more than 90 proof"

        It would inevitably be some snowflake needing a safe space that was responsible for this complete cock-up, and having some 50-something bearded guy with big shoulders and a loud voice having a one-way discussion with you (think drill sergeant) about the stupidity of unchecked buffers and re-used pointers and other "newbie" kinds of mistakes, using military terms/phrases like "What is your major malfunction, numbnuts?" and hacker terms like "well, rape me hard with 19 feet of curari tipped wrought iron fence and no lubricant" and other things that are too profane to even be posted in an El Reg comment... and then I fix it all myself in 1/4 of the time some "team" could do it in, if I didn't simply rage-quit over the lame and stupid and complete bull-crappery.

        yeah, they wouldn't want ME there, even IF I got things accomplished in record time with a shoestring budget. Heh.

        (ok I'm not THAT bad...)

    4. DavCrav

      Re: Another Viewpoint

      "Who's more responsible for the explosion, the man who builds the bomb, the man who writes the manual for it, or the man who sets it off?"

      Well, in the UK, all three of you would be going to jail for a while. All are illegal.

      In the UK, and I suspect in other countries, try writing an instruction manual for hacking ATMs and distributing it, and see how long it is before you find your collar felt.

      Google is doing the digital equivalent of that, and I would be surprised if an offence hasn't been committed under UK law. (And Google does have a UK presence, so UK law applies as well as other countries'.)

      1. Mark 75

        Re: Another Viewpoint

        "Google is doing the digital equivalent of that, and I would be surprised if an offence hasn't been committed under UK law. (And Google does have a UK presence, so UK law applies as well as other countries'.)"

        *sigh* - more arm-chair legal speculation

  4. Anonymous Coward
    Anonymous Coward

    If Google's justification is to push Microsoft to fix it (they've left plenty of Windows bugs for years), then announcing that there is a bug in a particular system (rather than spelling out what it is and how to exploit it) would be a better way.

    1. FrankAlphaXII

      MS will just say the corporate-speak equivalent of "We Know!" and then do precisely nothing. And they're not unique or special in that regard.

      1. Anonymous Coward
        Anonymous Coward

        Sure but if they don't fix it people will at least know. Their solution is to just hide the bug so no-one can complain.

    2. Notas Badoff

      They are pushing...

      Microsoft towards the ever-green model of browser releases. As much as people may not like the rainforest model of daily afternoon releases, it does offer hope that the vendor is _trying_ to keep up.

      I wish I could remember which software, but I recently saw an instance where the developer/company simply said "we can't work with browsers that are updated only rarely" and identified only Chrome and Firefox as actually cooperating with the ecosystem.

      They specifically called out Edge and Safari as always last year's news. Later on, the developers relented and worked extra to provide Safari workarounds. Maybe bribery works?

      But given Microsoft's past misdeeds, miscommunications and plain stonewalling on browsers, is using the 'lash' really unwarranted?

      (BTW: individuals like @awbjs and associated others at MS are great, yet somehow only infrared shines through the dusty nebula that is Microsoft)

      1. Charlie Clark Silver badge

        Re: They are pushing...

        They specifically called out Edge and Safari as always last year's news.

        When it comes to standards support there is a lot to be said for this. Apple does one major release a year and has been pretty slow over the last few years to implement some of the new standards, though happy enough to try and get the world to adopt its own hair-brained shit such as the notch.

        Microsoft is still struggling with the shitty internals of IE but has recently got much better at feature implementation for IE. It's even released a version of Edge for Android.

        And the features are important: having support for common use cases built in to browsers can significantly reduce the amount of boilerplate JS otherwise required.

        1. Anonymous Coward
          Anonymous Coward

          Re: They are pushing...

          > Microsoft is still struggling with the shitty internals of IE but has recently got much better at feature implementation for IE. It's even release a version of Edge for Android.

          What they released isn't "Edge for Android", it's just yet another GUI wrapper for Webkit/Blink with "Edgy" features. They've not innovated nor have they moved forward in this regard, they've just re-skinned the same browser that everyone and his dog has released and added yet another "desktop integration" kit, just like every other cross-platform browser.

          https://www.theregister.co.uk/2017/10/05/microsoft_edge_ios_android_beta/

          I'd love to see a second passable and fast rendering engine on Android, or even third if Mozilla manage to pull their thumbs out, but Edge for Android is not where it is at.

      2. David Nash Silver badge
        FAIL

        Re: They are pushing...

        "we can't work with browsers that are updated only rarely"

        If I were that developer I would say "I can't work with browsers that change daily and whose features we can't be sure of, and which version our customers have is uncertain"

        1. bombastic bob Silver badge
          FAIL

          Re: They are pushing...

          "I can't work with browsers that change daily and whose features we can't be sure of, and which version our customers have is uncertain"

          right, the constant "feature creep" being jammed up everyone's as down everyone's throat, instead of WORKING! ON! RELIABILITY! AND! SECURITY! is a continuous problem with ALL of the browser makers, as far as I'm concerned.

          If I like the old one, I should be able to keep it. Re-re-re-re-re-re-re-doing the interface just PISSES OFF THE END USERS. What are these _IDIOT_ _CHILDREN_ thinking?

          OK I already know...

          a) It's OUR turn now

          b) Change is ALWAYS better

          c) Old fuddy-duddy stick-in-the-muds will JUST! HAVE! TO! GET! ON! BOARD! with this "new, shiny"

          d) It's "Modern"

          e) You can re-learn it in NO time!

          f) WE like what WE did, so EMBRACE it and SHUT THE HELL UP (it's for YOUR own good!)

          etc.

          arrogant children, running the show without the real experience and skills to do the thing properly, building on the works of others by SMASHING IT TO HELL FIRST, then re-re-re-writing it THEIR way, and THEN jamming it up everyone else's a down everyone else's throats, and criticizing everyone who asks for some Astro Gl wants to wash it down with some liquid, to make the process easier.

    3. Charlie Clark Silver badge

      The whole argument against disclosure presupposes that nobody apart from Google could discover the flaw. Whichever way you spin this is alarming: either it's true and somehow Google has amassed the best hackers in the world, in which case all hail King Larry and King Sergey; it's negligent to assume that no one else among the usual suspects (spooks, security research teams, organised crime, etc.) is able to run the same off-the-shelf fuzzers to find the problems.

      I think there might be some proviso in the DMCA for Microsoft to get the notice withdrawn but you can just imagine where this will go if the lawyers get involved.

      In summary, Google is doing the right thing.

      1. bombastic bob Silver badge
        Devil

        "In summary, Google is doing the right thing."

        I tend to agree. A while back, maybe a decade or so ago, there was this security research company in France that I can't recall who they were... at any rate, they used to give 30 days to get a bug patched [after they announced it] before they'd release the details about it, with the assumption that it would drive Micro-shaft (and others) to fixing the problem. OCCASIONALLY, at their discretion, they'd extend the time limit.

        So I'd say Google is basically doing the SAME THING. Good. It helps drive the solution.

        /me points out that, with no stress, with no urgency, and maybe even with no catastrophe, there's no evolution. The theory is that you need "a stresser" to drive a species improvement and produce a viable gene pool with "the thing" that helps to ensure survival. Otherwise, a viable population with a positive mutation/change/epigenetic-gene-change might not even be possible.

        In the case of software, I'd say it's right on, that without some kind of STRESSER, we'll just be subjected to the same kinds of bloated crapware we've seen way too much lately.

        So GO! GOOGLE! and *STRESS* Micro-shaft into fixing their browser!

        1. RyokuMas
          FAIL

          "So GO! GOOGLE! and *STRESS* Micro-shaft into fixing their browser!"

          Yeah, publish the details so that the black-hatters can take advantage of the problem! *STRESS* them and force them to fix it as fast as possible - maybe they won't have time to test the patch properly, so it causes more problems than it fixes, thus giving the "because it's Microsoft" brigade more to write about with lots of capital letters!

          Really responsible behaviour and use of power there...

          1. Charlie Clark Silver badge
            FAIL

            Yeah, publish the details so that the black-hatters can take advantage of the problem!

            See my original post on this logical fallacy.

  5. danR2

    You Beijing didn't know?

    They probably have unearthed 10 zero-days they keep to themselves for every one that is disclosed in the West. They do very little in the way of contribution to the White hat community. When a new vulnerability is discovered, or patched, how often does it come out from some Chinese researcher, company, computer academic, programmer, hacker or otherwise?

    On the contrary, they have started to muzzle what little voice there was.

    1. IneptAdept

      Re: You Beijing didn't know?

      Actually pretty regularly. There are a lot of Chinese / Korean hackers who go to the hacking summits, Black Hat etc.

      And a lot of the browser bypasses are done by these guys and are generally reported to the browser people guys pretty swiftly....

      Now I don't know if that is only x% and they keep the rest behind, but they are definitely one of the larger groups of whitehats that don't act like Google and just unleash all hell after 90 days

    2. Tom Paine

      Re: You Beijing didn't know?

      They do very little in the way of contribution to the White hat community. When a new vulnerability is discovered, or patched, how often does it come out from some Chinese researcher, company, computer academic, programmer, hacker or otherwise?

      Actually... if you take the trouble to review a bulletin's acknowledgements section for one of those vendors who dump huge patch batches (Oracle, Adobe, Apple...)* I think you'll find there's a torrent of vulnerability disclosure coming out of China.

      * (Microsoft have wrecked their bulletin format so it's hard to see the info in one place)

  6. Sampler

    To be fair to google

    Only people using Edge will be affected, so, no real harm really - it's only a small window as they use it the first time to download chrome or firefox...

    1. Mark 85

      Re: To be fair to MS

      They're busy trying to convince the holdouts how glorious Win10 is plus trying to get everyone to stop using the old OS and browsers. They're working hard also to sell more ads for the OS you pay for.. dual income opportunity. So who's got time for patching bugs when there is more profit to be made?

    2. sabroni Silver badge

      Re: as they use it the first time to download chrome

      Because we all remember how great it is when there's only one popular browser.

      1. Sampler

        Re: as they use it the first time to download chrome

        I did say or firefox...

        Though, I probably should've used the "joke alert" icon given the number of downvotes = \

  7. Charlie Clark Silver badge

    Less dramatic copy, please

    the flaw impacts the just-in-time compiler

    Simon, I suggest you look up the word impact and in the meantime use the less dramatic, but also more helpful term affect otherwise we'll get confused the next time an asteroid arrives…

  8. tiggity Silver badge

    JS

    Given it's a bug in JS engine then Edge users would presumably be safe if they disable JS...

    Caveat, not an Edge user as avoiding Win 10 as long as possible, but I would hope it's possible to disable scripting!

    1. Steve Jackson

      Re: JS

      You've not seen the controls (or lack of) in Modern Apps.

      I don't believe that there's a specific setting in Edge, most of the methods outlined on the web involve Group Policy Editor, so I'm not sure where that leaves W10 Home users.

      The 'global' setting works for IE11 (Internet Options|Security|Custom Level|Scripting|Active Scripting) Enable/Disable.

      1. bombastic bob Silver badge
        Coffee/keyboard

        Re: JS

        "Modern Apps"

        every time I hear (or see) the word 'Modern' associated with Win-10-nic and 'Apps' I have to choke back my bile and then RUN to the toilet so I can let loose my technicolor frustration at the porcelain god, Ralph.

  9. Anonymous Coward
    Anonymous Coward

    Actually, the best use for Googles "AI" ...

    might be bug-spotting ...

  10. Christian Berger

    One should note, that it was Microsoft who wrote this bug

    We expect virtually all things we usually buy to be sufficiently bug free. If there's a bug in your washing machine causing it to leak after a few months, we expect the manufacturer to fix that problem at their cost, and perhaps even go give you a new one for free.

    Why do we accept so much from software companies? We allow them to push out fix after fix, with some even breaking important functionality. We even pay for the fixes ourselves, by downloading and installing them.

    Microsoft took risks by not checking that piece of software adequately, and by making it so complex they cannot fix it easily, however now that they failed they don't want to carry the blame for it. It's not like they took proper precautions for example by writing it as simple as possible and using a memory safe language.

    1. Anonymous Coward
      Anonymous Coward

      Re: One should note, that it was Microsoft who wrote this bug

      @Christian Berger

      How much did you pay for your copy of Edge? How much did you pay MS to patch it?

      Downloading and installing isn't a cost of using the software any more than going to the shop and buying a washing machine, then plugging it in, is part of the cost of the machine.

      What blame is MS trying to avoid here? They are trying to patch it. Compare this to the fun and games you will have when IOT-enabled Washing Machines are more common. Then the analogy will be better because the washing machines will have exploitable bugs, they will be exploited and no one will fix them.

      Getting arsey about a vulnerability in a free web browser seems misguided.

      1. anonymous boring coward Silver badge

        Re: One should note, that it was Microsoft who wrote this bug

        Free web browser? You're kidding, right?

      2. bombastic bob Silver badge
        Unhappy

        Re: One should note, that it was Microsoft who wrote this bug

        "How much did you pay for your copy of Edge? How much did you pay MS to patch it?"

        indirect payment: you have to run Win-10-nic to be able to run Edge.

        You have to endure the slurp, tracking, and ads jammed up your as down your throat, "the Metro" [because We know better how You need to use your computer], and FORCED UPDATES [even if they brick, it's better than NOT accepting the "new, shiny", getting your custom settings reset periodically, and wasting INFINITE BANDWIDTH and YOUR time waiting for infinite updates to load, install, and potentially BRICK *your* computer]. THAT is "payment" (more than) *ENOUGH*.

  11. Dr Mantis Toboggan
    FAIL

    how to make Edge run dodgy code

    Microsoft browsers have been running dodgy code for years... ActiveX anyone???

    Who even uses Edge browser anyway? Their whole userbase seems to be built around tricking people into using it, or creating fake rules that say to use feature X you must use Edge/bing to pump their stats...

  12. Anonymous Coward
    Anonymous Coward

    So Microsoft ought to do the same

    Have a team of people poking around Android, and find themselves a really serious remotely-root-you type bug. Release the details after 90 days. Even if Google fixes the bug in time, it won't make it out to any phones in that time except maybe their own brand. Maybe the chaos that would result once bad guys got their hands on it would make Google a bit more willing to work with them on bugs that are harder to deliver fixes for in 90 days...

    1. Anonymous Coward
      Anonymous Coward

      Re: So Microsoft ought to do the same

      Weird, as my Pixel 2 gets updated every month, and Google seem really on the ball when it comes to fixing Android bugs.

      Perhaps you bought a shite Android phone?

      We have a couple of Samsungs around the house on Jan 2018 security patch, and my ancient Xperia Tablet Z3 Compact that nicely runs Lineage Oreo 8.1 with Feb 2018 security update (same patch level as Google).

      1. jbuk1

        Re: So Microsoft ought to do the same

        Did you even read what he wrote AC?

        >>Even if Google fixes the bug in time, it won't make it out to any phones in that time except maybe their own brand

        Who is Pixel made by? Come again please.

  13. anonymous boring coward Silver badge

    MS didn't prioritise it high enough.

    And now they try to act the poor hard working company being wronged by Google doing what they promised from the start.

    Only MS is to blame in this instance.

  14. mix
    Meh

    Edge for Android

    Would be interesting to see if Google spotted the problem via checking Edge code for Play store approval.

  15. LeoP

    Most alarming though ...

    ... is the fact, that 90+14 days are not enough to fix a bloody memory management bug. Is there really no one left at MS, who is an at least partly competent developer?

  16. Michael Wojcik Silver badge

    Eternal September is eternal

    Ah, how I love seeing the same arguments over responsible disclosure rehashed yet again. It's like rfp never published RFPolicy. Almost twenty years ago, now.

    Maybe someday someone will have something new to say on the subject. Not today, though.

  17. Anonymous Coward
    Anonymous Coward

    Mixed motives

    Google's Project Zero is a significant PR bonus for Google. It is also a long-term significant security bonus for users generally, as we have very strong evidence that many vendors, M$ at the top, are, at best, very slow to fix security bugs without being spurred.

    M$ is being M$--primary competence in marketing and cross-segment leverage, not in engineering. I don't know that this has ever changed. Google is being Google--preening how they are helping everyone while helping their bottom line the most.

    The story never changes, but we keep watching anyway because the details of each performance are interesting in and of themselves.

  18. Anonymous Coward
    Anonymous Coward

    GlaDOS says

    "Deadline exceeded -- automatically derestricting"

    Upon which the laboratory is flooded with deadly neurotoxin.

    You do not wish to install your stuff in the GlaDOS cloud!

  19. Anonymous Coward
    Terminator

    Considering Google's behaviour

    "Also worth considering is Google's behaviour in the revelation of the Meltdown/Spectre CPU design flaws, as on that occasion it listed the problems in June 2017 but didn't disclose until January 2018."

    Actually Google shared their findings with Intel, AMD and ARM in June 2017 and Intel informed their partners in Nov 2017. Before giving Lenovo and Alibaba advanced notice.

  20. Anonymous Coward
    Anonymous Coward

    How many remember the 90s?

    How many were active and remember the vendors' approach to security holes and bugs in general back in the 90s (and 80s too for that matter)? It was the good old days where bug reports at best got completely ignored, at worst you were threatened by legal action if you mentioned them to someone else (this is especially true for security issues). Then came full disclosure lists like bugtraq (in 93 or so I think) and started to force vendors to fix their security issues. Vendors of course did complain that this only helped criminals etc. wanting to go back to not having to fix security issues.

    This is basically more of the same. I think it is good to give vendors time to fix an issue but if that time is flexible and extensible fixes tend to get low priority.

    Basically every software developer I've talked to in larger companies (and many smaller) tells the same story, bugs be it security or not have a very low priority among management unless it is clear that it can damage reputation. If it does damage reputation fix it fast and do it just enough to avoid more reputation damage.

    New features are always top priority, especially those you can use in your promotional material to increase sales.

    Unfortunately the strict deadline and then we disclosure policy seems to be needed to keep vendors to do what they should.

  21. Mahhn

    Strategy

    It's only about driving people to Chrome to get the ad revenue. They could care less about the actual bugs or anyone's security. (proof is in how much malware they push from google play store) Strategy

  22. damianstuart@gmail.com

    I love the lies

    Google has 'decided' to follow the industry standard has it? Really? Every software company across the world works on the same system. You find a bug, you report it to the developer and make it public 90 days later to ensure that if that publisher chooses they can fix it.

    Microsoft 'chose' to not invest the resources required to fix the problem, Google followed the rules set to ensure software companies that 'choose' to put their users at risk are punished.
