Microsoft security’s unseemly jab at Google

Topic

New Reply

In yesterday’s Windows Security blog post Browser security beyond sandboxing, Microsoft’s Jordan Rabet (part of the “Microsoft Offensive Security Rese
[See the full post at: Microsoft security’s unseemly jab at Google]

Reply | Quote

Replies

Google might actually appreciate the jab – now they know a few things they need to fix. Of course, as Cimpanu points out, Google was the one who started it.

That is a pretty funny name: “Microsoft Offensive Security Research team”. Amazing how Microsoft is making misstep after misstep these days, and losing their dominant position in the process. Just like they did to so many other companies in days gone by.

Group "L" (Linux Mint)
with Windows 10 running in a remote session on my file server

Reply | Quote

@ MrJimPhelps

Of course, as Cimpanu points out, Google was the one who started it.

People often criticize others and each other, eg you, me, etc. I like to criticize over-greedy M$ for making Win 10 unpalatable.
… The point here is, whose criticism is constructive, has basis and whose intentions are for good, ie Google’s or M$’s.?
… Seems, M$ are hitting back at Google like an angry sore loser. Google then “hit back” at M$ with a bug bounty of about US$45,000.

“Microsoft Offensive Security Research team” says a lot about M$’s intentions = ie, to offend others ?

Reply | Quote

Offensive security indeed!

Microsoft does not have any business writing about security, when they could (but DON’T) build decent managed blacklist-based security into their systems (and yes, I know about SmartScreen, which IMO is ineffective AND intrusive).

It could be something like UBlock Origin – or an even better, more integrated solution that runs at the OS level and keeps the entire system away from the bad parts of the web. These things ALREADY EXIST and do wonders for security. Little guys like me and others have such things working – and they ARE effective! Ask yourself why they’re just not provided as a cornerstone of managed security by the browser/OS makers.

No, they deliver software to you TODAY that freely downloads malware, that snoops on you, removes user control, that allows outgoing connections by default, and that carries a constant string of vulnerabilities – old and NEW – that constantly NEED to be patched.

When have we ever known a software package that’s had SO many terrible bugs for SO many years? When would such poor software have ever been acceptable for sale?

They have the cloud infrastructure, the auto-update process, and knowledge of what’s bad out there (besides the fact that anyone can download lists that others have compiled)… Imagine how good such a subsystem could be if a company with real funding backed it.

Also imagine how careful web operators would become if hosting malware would just cause their sites to stop being visited by giant numbers of people running Windows.

My suggestion: Ignore Microsoft’s talk about sandbox this and vulnerability that and what Google does here or there and use common sense. What these big companies keep shoveling on us is quite offensive.

-Noel

5 users thanked author for this post.

flackcatcher, Elly, samak, SueW, EyesOnWindows

Reply | Quote

Noel:

I actually first came to realize this in the Windows 3.1 days. I noticed that Windows was constructed in such a way as to make it very easy for malicious people to do their mischief. The thing that caught my attention was all of the different “temp” folders everywhere. Only one of these folders was actually called “temp”; but all of them were places that websites, software, etc., could tuck things away, making them hard to find for all but the most expert of Windows techs.

I often wondered if Windows was purposely constructed in that way. Maybe Microsoft had secret deals with software companies?

I agree with you — why does Microsoft leave these vulnerabilities in place?

Jim

Group "L" (Linux Mint)
with Windows 10 running in a remote session on my file server

2 users thanked author for this post.

Steve, HiFlyer

Reply | Quote

This is bit like “the pot calling the kettle black“. People who live in glass houses shouldn’t throw stones.

HP Compaq 6000 Pro SFF PC / Windows 10 Pro / 22H2
Intel®Core™2 “Wolfdale” E8400 3.0 GHz / 8.00 GB
HP ProDesk 400 G5 SFF PC / Windows 11 Pro / 23H2
Intel®Core™ “Coffee Lake” i3-8100 3.6 GHz / 16.00 GB

Reply | Quote

So MS is complaining about Google when they have done far worse and sat on bugs until shamed into fixing them (maybe).

Reply | Quote

Tavis Ormandy had a responsive idea.

Reply | Quote

He is being kind, only triggering 5 and not more.

Reply | Quote

Thurrott misquotes the Microsoft blog (by conflating two different bugs/fixes).

Woody fails to notice that Bleepingcomputer says the fix for the bug discovered by Microsoft was made public by Google three days before being pushed to Chrome but Thurrott says a month.

Microsoft: “to Google’s credit, their turnaround was impressive”
Thurrott: “Calling Google out like that seems petty to me.”

Bleepingcomputer: “Microsoft had no reason to detail a bug in a Chrome version that’s not even current.”
This was a research project; should its security recommendations have been kept secret?
What’s wrong with discussing the nature of a flaw after it’s been fixed? It happens all the time.

Reply | Quote

b said, … What’s wrong with discussing the nature of a flaw after it’s been fixed? It happens all the time.

Fyi, Win 7/8.1/10 have 23 critical bugs/flaws that were fixed by M$ in October 2017. Is there a point in discussing those 23 flaws?
https://www.ghacks.net/2017/10/10/microsoft-security-updates-october-2017-release/

Reply | Quote