Security News > 2022 > August > Microsoft finds critical hole in operating system that for once isn't Windows

Microsoft has described a severe ChromeOS security vulnerability that one of its researchers reported to Google in late April.

Microsoft's write-up is noteworthy both for the severity of the bug and for flipping of the script - it has tended to be Google, particularly its Project Zero group, that calls attention to bugs in Microsoft software.

At least as far back as 2010, Google security researchers made a habit of disclosing bugs in software from Microsoft and other vendors after typically 90 days - even if a patch had not been released - in the interest of forcing companies to respond to security flaws more quickly.

Microsoft has chided Google about this several times over the years, though as early as 2011, Redmond showed itself willing to adapt with a revised security disclosure policy that arrived with word of Chrome vulnerabilities - albeit months after Google had fixed them.

Microsoft's disclosure of the ChromeOS critical flaw isn't a zero-day since Google made the necessary repairs.

The ChromeOS memory corruption vulnerability - CVE-2022-2587 - was particularly severe.

News URL

https://go.theregister.com/feed/www.theregister.com/2022/08/23/microsoft_chromeos_bug/