Security News > 2022 > August > Microsoft finds critical hole in operating system that for once isn't Windows

Microsoft has described a severe ChromeOS security vulnerability that one of its researchers reported to Google in late April.
Microsoft's write-up is noteworthy both for the severity of the bug and for flipping of the script - it has tended to be Google, particularly its Project Zero group, that calls attention to bugs in Microsoft software.
At least as far back as 2010, Google security researchers made a habit of disclosing bugs in software from Microsoft and other vendors after typically 90 days - even if a patch had not been released - in the interest of forcing companies to respond to security flaws more quickly.
Microsoft has chided Google about this several times over the years, though as early as 2011, Redmond showed itself willing to adapt with a revised security disclosure policy that arrived with word of Chrome vulnerabilities - albeit months after Google had fixed them.
Microsoft's disclosure of the ChromeOS critical flaw isn't a zero-day since Google made the necessary repairs.
The ChromeOS memory corruption vulnerability - CVE-2022-2587 - was particularly severe.
News URL
https://go.theregister.com/feed/www.theregister.com/2022/08/23/microsoft_chromeos_bug/
Related news
- Critical RCE bug in Microsoft Outlook now exploited in attacks (source)
- Microsoft has finally fixed Date & Time bug in Windows 11 (source)
- Microsoft shares workaround for Windows security update issues (source)
- Windows 10 KB5051974 update force installs new Microsoft Outlook app (source)
- FINALDRAFT Malware Exploits Microsoft Graph API for Espionage on Windows and Linux (source)
- Microsoft fixes bug causing Windows Server 2025 boot errors (source)
- Microsoft to remove the Location History feature in Windows (source)
- Microsoft testing fix for Windows 11 bug breaking SSH connections (source)
- Microsoft launches ad-supported Office apps for Windows users (source)
- Microsoft tests ad-supported Office apps for Windows users (source)
Related Vulnerability
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2022-08-12 | CVE-2022-2587 | Out-of-bounds Write vulnerability in Google Chrome Out of bounds write in Chrome OS Audio Server in Google Chrome on Chrome OS prior to 102.0.5005.125 allowed a remote attacker to potentially exploit heap corruption via crafted audio metadata. | 9.8 |