Microsoft finds security bug in Google Chrome

Oct 20, 2017 05:08 GMT
Microsoft and Google say their only goal is to improve the security of their products

Google has been one of the most vocal companies lately when it comes to security flaws in Microsoft products, with members of its security team disclosing vulnerabilities in a series of Windows-related programs, including the Edge browser.

Now the roles are reversed: Microsoft has found a security flaw in Google Chrome and published an analysis of a working remote code execution exploit for it, using the write-up to argue that its own Edge browser is the harder target.

Discovered by Microsoft's Offensive Security Research (OSR) team, the vulnerability is tracked as CVE-2017-5121. Microsoft's write-up stresses that code execution inside a Chrome renderer process is enough to bypass the same-origin policy, so even without a sandbox escape an attacker could reach the online services the victim is logged in to, including email, documents and online banking, and expose saved credentials.

Microsoft criticized the way Google handles security in its browser, pointing out that “Chrome’s relative lack of RCE mitigations means the path from memory corruption bug to exploit can be a short one.”

Microsoft found the bug by fuzzing, the same automated bug-hunting technique Google's own engineers regularly use to look for security flaws in Microsoft products.

“Microsoft Edge the more secure option”

Google awarded Microsoft's security team a bounty of $15,837 for this flaw and other bugs that have not been disclosed; Microsoft matched the payment and donated the combined $30,000 to the Denise Louie Education Center.

Of course, Microsoft could not miss the occasion to praise its Edge browser, arguing that its significantly different approach to exploit mitigation makes Windows 10's default browser substantially harder to compromise, even after a memory corruption vulnerability is found.

“Neither of those techniques would be directly applicable to Microsoft Edge, which features both CFG and ACG. ACG, which was introduced in Windows 10 Creators Update, enforces strict Data Execution Prevention (DEP) and moves the JIT compiler to an external process. This creates a strong guarantee that attackers cannot overwrite executable code without first somehow compromising the JIT process, which would require the discovery and exploitation of additional vulnerabilities,” Microsoft explained, pointing to the mitigation technology bundled into Windows 10.
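A practitioner reading the claim above will want to check for themselves which processes actually run with ACG (the DynamicCode mitigation) and CFG enforced, and to try the mitigation on another program. The snippet below is an added example written for this article, not code from Microsoft's or Google's write-ups; it assumes Windows 10 1709 or later (where the ProcessMitigations cmdlets ship with the OS), that Edge content processes are named MicrosoftEdgeCP.exe and Chrome renderers chrome.exe, and an elevated session for the Set-ProcessMitigation call.

```powershell
# Added example: inspect and apply Arbitrary Code Guard (DynamicCode) and CFG.
# Assumes Windows 10 1709+ and the built-in ProcessMitigations module.

function Get-BrowserMitigationStatus {
    # Image names are assumptions about the running browsers on this machine.
    param([string[]]$ProcessNames = @('MicrosoftEdgeCP', 'chrome'))

    foreach ($name in $ProcessNames) {
        $proc = Get-Process -Name $name -ErrorAction SilentlyContinue | Select-Object -First 1
        if (-not $proc) {
            Write-Warning "No running process named $name"
            continue
        }
        # Get-ProcessMitigation -Id reads the live policy of one process.
        $m = Get-ProcessMitigation -Id $proc.Id
        [pscustomobject]@{
            Process = $proc.ProcessName
            PID     = $proc.Id
            # ACG: the process cannot create or modify executable pages
            ACG     = $m.DynamicCode.BlockDynamicCode
            # CFG: indirect calls are checked against a table of valid targets
            CFG     = $m.CFG.Enable
        }
    }
}

function Enable-AcgForImage {
    # Opt a program image into ACG and CFG system-wide (requires elevation).
    # $ImageName is a hypothetical target; pick a native program without a JIT.
    param([Parameter(Mandatory)][string]$ImageName)

    Set-ProcessMitigation -Name $ImageName -Enable DynamicCode, CFG
    # Read the stored policy back so the change is visible to the caller.
    Get-ProcessMitigation -Name $ImageName | Select-Object -ExpandProperty DynamicCode
}

# Usage (values print as ON, OFF or NOTSET):
Get-BrowserMitigationStatus | Format-Table -AutoSize
# Enable-AcgForImage -ImageName 'notepad.exe'
```

Do not opt powershell.exe itself, or any other .NET or Java program, into DynamicCode: their JIT compilers need to write fresh executable memory, which is exactly the behaviour ACG forbids and the reason the quoted text describes Edge moving its JIT into a separate process. Try it on a native program first, and remember that a renderer with a working JIT in-process, as Chrome had at the time, cannot simply switch the policy on without that same architectural change.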