The existence of a nasty bug that affected the Firefox and Edge browsers has been revealed, and although the flaw has now been patched in both cases, Mozilla’s response to the issue was a far more efficient affair than Microsoft’s.
Jake Archibald, a developer advocate for Google’s Chrome browser – which wasn’t impacted by the flaw – discovered the bug, which he dubbed ‘Wavethrough’ because it involves exploiting WAV audio in the browser to let through data that shouldn’t be viewable by the attacker.
And it could potentially be used to spill some alarming personal data, if the user is persuaded to visit a malicious site primed to take advantage of the vulnerability. Archibald notes that: “It means you could visit my site in Edge, and I could read your emails, I could read your Facebook feed, all without you knowing.”
Nasty indeed. The good news, as we noted at the outset, is that this has been patched in both the affected browsers – but what’s almost as interesting as the bug itself is how Mozilla and Microsoft reacted to the report of the problem.
Archibald observed that “Firefox handled this brilliantly”: within three hours the bug had been confirmed, and Mozilla had looked into other potential similar leaks.
“I was able to engage with engineers directly on how the issue should be fixed,” Archibald added, and as the vulnerability was caught in a beta version, Mozilla patched things up before it ever made the release version of Firefox. That happened back in March.
Jumping through hoops
As for Microsoft, however, Archibald tells a very different story. He reported the bug to the firm’s security team on March 1, then had to jump through several hoops to actually get them to look at the issue, and he subsequently waited 20 days without any response.
Eventually, after some chasing, Microsoft’s security team informed Archibald that they were indeed developing a fix, but gave no further details. More waiting, and further chasing on the bug bounty – which Archibald wanted to donate to charity – ensued.
Archibald essentially observes that the whole process felt like something of a trial, and notes: “I really want Microsoft to look at the experience I had with Firefox and learn from it. Security issues like this put their users at huge risk, and they need to ensure reporting these things isn’t more effort than it’s worth.”
Microsoft fixed the issue in Edge in its latest round of patches earlier this month, with the severity of the update labelled as ‘important’. Indeed, Archibald provides a link in his blog post to test if the attack works on your version of Edge, and advises that you should (obviously) immediately update your browser if it does.
Microsoft has always been big on emphasizing the security of Windows 10 in general, as well as Edge, which it’s pushing hard as the operating system’s go-to browser. But, as we’ve seen in the past, it hasn’t always come up trumps in terms of defeating vulnerabilities or hackers.
If Archibald’s experience is anything to go by, there’s certainly some work to be done in terms of organization and communication for Microsoft’s security team.
This isn’t the first time Edge has been criticized this year in terms of a sluggish response to fixing a vulnerability, either, as we saw back in February.