Security News > 2022 > August > Microsoft finds critical hole in operating system that for once isn't Windows

Microsoft finds critical hole in operating system that for once isn't Windows
2022-08-23 00:58

Microsoft has described a severe ChromeOS security vulnerability that one of its researchers reported to Google in late April.

Microsoft's write-up is noteworthy both for the severity of the bug and for flipping of the script - it has tended to be Google, particularly its Project Zero group, that calls attention to bugs in Microsoft software.

At least as far back as 2010, Google security researchers made a habit of disclosing bugs in software from Microsoft and other vendors after typically 90 days - even if a patch had not been released - in the interest of forcing companies to respond to security flaws more quickly.

Microsoft has chided Google about this several times over the years, though as early as 2011, Redmond showed itself willing to adapt with a revised security disclosure policy that arrived with word of Chrome vulnerabilities - albeit months after Google had fixed them.

Microsoft's disclosure of the ChromeOS critical flaw isn't a zero-day since Google made the necessary repairs.

The ChromeOS memory corruption vulnerability - CVE-2022-2587 - was particularly severe.


News URL

https://go.theregister.com/feed/www.theregister.com/2022/08/23/microsoft_chromeos_bug/

Related Vulnerability

DATE CVE VULNERABILITY TITLE RISK
2022-08-12 CVE-2022-2587 Out-of-bounds Write vulnerability in Google Chrome
Out of bounds write in Chrome OS Audio Server in Google Chrome on Chrome OS prior to 102.0.5005.125 allowed a remote attacker to potentially exploit heap corruption via crafted audio metadata.
network
low complexity
google CWE-787
critical
9.8

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Microsoft 365 50 1369 2819 161 4399