Security News > 2022 > August > Microsoft finds critical hole in operating system that for once isn't Windows
Microsoft has described a severe ChromeOS security vulnerability that one of its researchers reported to Google in late April.
Microsoft's write-up is noteworthy both for the severity of the bug and for flipping of the script - it has tended to be Google, particularly its Project Zero group, that calls attention to bugs in Microsoft software.
At least as far back as 2010, Google security researchers made a habit of disclosing bugs in software from Microsoft and other vendors after typically 90 days - even if a patch had not been released - in the interest of forcing companies to respond to security flaws more quickly.
Microsoft has chided Google about this several times over the years, though as early as 2011, Redmond showed itself willing to adapt with a revised security disclosure policy that arrived with word of Chrome vulnerabilities - albeit months after Google had fixed them.
Microsoft's disclosure of the ChromeOS critical flaw isn't a zero-day since Google made the necessary repairs.
The ChromeOS memory corruption vulnerability - CVE-2022-2587 - was particularly severe.
News URL
https://go.theregister.com/feed/www.theregister.com/2022/08/23/microsoft_chromeos_bug/
Related news
- Microsoft lifts Windows 11 update block for some AutoCAD users (source)
- Microsoft replacing Remote Desktop app with Windows App in May (source)
- Microsoft: Recent Windows updates make USB printers print random text (source)
- Microsoft patches Windows Kernel zero-day exploited since 2023 (source)
- Microsoft: March Windows updates mistakenly uninstall Copilot (source)
- Microsoft fixes Windows update bug that uninstalled Copilot (source)
- Microsoft lifts Windows 11 upgrade block after Asphalt 8 crash fix (source)
- Microsoft: Recent Windows updates cause Remote Desktop issues (source)
- Microsoft fixes printing issues caused by January Windows updates (source)
- Mozilla warns Windows users of critical Firefox sandbox escape flaw (source)
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2022-08-12 | CVE-2022-2587 | Out-of-bounds Write vulnerability in Google Chrome Out of bounds write in Chrome OS Audio Server in Google Chrome on Chrome OS prior to 102.0.5005.125 allowed a remote attacker to potentially exploit heap corruption via crafted audio metadata. | 9.8 |