Google's Project Zero reveals another Microsoft flaw

Google's Project Zero has revealed a bug in Microsoft's Internet Explorer and Edge browsers. First turned up on November 25, the bug offers evildoers a technique that would let a malicious web site crash a visitor's browser as the main course, with code execution as the dessert. Detailed here, the bug works by attacking a …

  1. a_yank_lurker

    Capable of Learning?

    When will Slurp realize that ignoring bugs is a recipe for getting hammered in the tech press?

    1. Voland's right hand Silver badge

      Re: Capable of Learning?

      The day when it will have real effect on the day-to-day bottom line which the tech press does not.

    2. Anonymous Coward

      Re: Capable of Learning?

      Are you sure it is ignoring them? A rushed patch may be dangerous as well. Borking systems gets you hammered by the press as well.

      More than the tech press, it looks it's Google that is using its hammer against competitors. Taking advantage it has far less customer-side code that can be analyzed - only Google has access to the code it runs on its servers.

      1. Charlie Clark Silver badge

        Re: Capable of Learning?

        "More than the tech press, it looks it's Google that is using its hammer against competitors."

        Give it a rest: the only way to judge Google is how they respond to similar reports about their software and so far their record is pretty good.

        1. WatAWorld

          Re: Capable of Learning?

          Give it a rest??? I beg to differ.

          Google's record is abysmal. They're still unable to push security updates out to their Android installations.

          Yeah, sure, there are OEMs in between them and their customers, but the same is true for Microsoft. (Only Apple doesn't have that barrier.)

          Google is living in a glass house and it is putting its customers in that same glass house.

        2. Wade Burchette

          Re: Capable of Learning?

          "the only way to judge Google is how they respond to similar reports about their software and so far their record is pretty good."

          Probably because to fix Chrome does not require a full restart of a computer, unlike IE or Edge.

          1. bombastic bob Silver badge
            Thumb Up

            Re: Capable of Learning?

            "Probably because to fix Chrome does not require a full restart of a computer, unlike IE or Edge."

            WELL SAID!

      2. WatAWorld

        Re: Capable of Learning?

        It is shit simple to toss a brick through a competitor's window and any idiot with a PhD could do it.

        The difficulty is making brick proof glass cheap enough for widespread consumer use, nobody at any company and no academic has done that yet.

        It seems LDS is the only one of you lot with practical experience in massive scale systems deployed on a wide variety of hardware under the administration of a massive multi-locationed enterprise.

        Rushing out fixes is a sure fire recipe for disaster.

        Which is why the ethical thing to do is to register the bug with your nation's CERT and only release zero days when your nation's CERT says enough time has elapsed.

        Too many inexperienced arrogant people outside are guessing the complexity with orders of magnitude error.

        Especially these security types. If they think they're so smart why haven't they created a better operating system? Come on, the way they talk they should have it done in a fortnight.

      3. Tom Samplonius

        Re: Capable of Learning?

        "More than the tech press, it looks it's Google that is using its hammer against competitors. Taking advantage it has far less customer-side code that can be analyzed - only Google has access to the code it runs on its servers."

        Wrong. Google doesn't have access to the source for Edge. Some parts have been open-sourced, but not all of it. Google is finding these issues simply through fuzzing. Google has way more customer facing code than Microsoft. About 2 billion lines in total, and it is fair to say it is all customer facing, as all services are provided over the Internet.

        Microsoft supposedly views Edge as strategic, but they can't fix a simple out of bounds bug in 90 days? What is their status page @ https://developer.microsoft.com/en-us/microsoft-edge/platform/status/ all about? Are security fixes not getting enough upvotes? BTW, the Edge status page code IS open sourced.

  2. WatAWorld

    Is this the same Google that is still unable to update Android?

    Dumb question, I know, but is this the same Google that is still unable to update Android?

    Maybe instead of publishing "how to hacks" for other people's products and systems they should put some more time and effort into making their own products secure:

    1. Figuring out how to make automatic updates work (like Apple did decades ago) and,

    2. Getting vendors and re-sellers to agree to let that automatic update process work (like Microsoft did a decade ago).

    Or is this some different Google?

    Or does Google measure itself by different means than it measures other companies?

    I know this other stuff, zero days in other people's products and systems, is important.

    However, JOB ONE for Google should be taking care of its own products, its own customers and making stuff attached to its name secure -- rather than sitting up in their giant glass house throwing stones.

    1. hplasm
      Gimp

      Re: Is this the same Google that is still unable to update Android?

      Your Waaaambulance is here.

      Don't forget your coat and mask.

    2. ratfox

      Re: Is this the same Google that is still unable to update Android?

      @WatAWorld: the essential difference is that it's not Google's OS running on Android phones. Android is open source, and Samsung and others write their own version adapted to their own phones.

      In comparison, Windows machines don't have a different OS depending whether it's sold by Dell or Lenovo. And of course only Apple sells iPhones.

      1. Naselus

        Re: Is this the same Google that is still unable to update Android?

        "the essential difference is that it's not Google's OS running on Android phones. Android is open source, and Samsung and others write their own version adapted to their own phones."

        Um... no. That's just not true.

        Leaving aside the fact that there's big chunks of Android which aren't open source, most of the phone manufacturers using it don't interfere with the core OS anyway - in fact, if you're a member of the Open Handset Alliance (which is pretty much everyone in the phone business) then you're contractually forbidden to fork Android. At most, you have a few proprietary drivers, a different skin on top and a few bonus apps. That's a pretty accurate description of Touchwiz, which is Samsung's Android 'skin'.

        .

        As a rule of thumb, if the device has access to the Google Play store, then it's full-fat Android in there with at most a reskin and some device-specific drivers. No-one is sat at Samsung, or Sony, or HTC re-writing Android code.

    3. Tom Samplonius

      Re: Is this the same Google that is still unable to update Android?

      "Dumb question, I know, but is this the same Google that is still unable to update Android?"

      It is not their Android though. It is Sony's, LG's, or whoever's name is on the front. Android is just an OS that everyone can use. While Google has been tightening up access, basically anyone can throw it onto a device, and sell that device. Why is Google now responsible for pushing updates to that device? Complain to your vendor about not making updates available for the device they sold you.

  3. Mikel

    Again

    Friends don't let friends use IE.

    1. Wade Burchette

      Re: Again

      Or Edge.

  4. Anonymous Coward

    A 32 function deep call stack just to handle a column break??

    Someone at MS should suggest a project to rationalise their libraries as that is borderline absurd and also means that it is very unlikely that one person knows the entire stack tree code well enough to spot any more flaws. Mind you, it nicely explains why modern code requires such powerful processors to do tasks that used to be successfully done on devices with 1/100th the power.

    1. Naselus

      Re: A 32 function deep call stack just to handle a column break??

      Pretty sure Edge was supposed to be that project...

      1. Charlie Clark Silver badge

        Re: A 32 function deep call stack just to handle a column break??

        "Pretty sure Edge was supposed to be that project..."

        Nah, IE 9 was the rewrite but it still contained wonderful things like Active X. All MS did with Edge was remove stuff like that and focus on graphics and JS performance.

  5. Tim 11

    ground-up rewrite?

    I thought edge was supposed to be an all-new browser, finally throwing off the shackles of legacy IE code. Is it just coincidence the two have the exact same bug, or is Edge just a skin on top of a load of old IE code?

    1. Anonymous Coward

      Re: ground-up rewrite?

      They've obviously reused some core code. The question is how much?

  6. Pirate Dave Silver badge
    Pirate

    Flash?

    Why is Microsoft releasing patches for Flash? Are they actually writing the patches, or just (re-)releasing Adobe's patches?

  7. evlncrn8
    FAIL

    rax and rcx are registers in x64.. not variables.. sich
