Microsoft released security update 3200970 today. It patches a vulnerability that Google discovered and disclosed publicly before it was fixed. The marketing move backfired on Google, however, as it turned out that Microsoft Edge users on Windows 10.0.14393 are better off than Google Chrome users.
It used to be good practice that when a developer discovered a security flaw in an operating system, they reported it to the responsible company (even a competitor) and waited until it was fixed before publishing anything. Disclosing a vulnerability before it is fixed may benefit one company in the short term, but the competitive environment encourages a response in kind. In the end, it damages the entire communications industry.
If a company does not fix a vulnerability, its disclosure, combined with competitive pressure, will eventually force the responsible vendor to fix it. Typically, however, a vulnerability is disclosed 2-3 months after it is reported.
Google, a creative company, decided a week ago to take a different approach. It chose not to wait for the second Tuesday of the month, when Microsoft regularly releases updates, and published the vulnerability after 10 days. The motivation was money. The vulnerability (CVE-2016-7855) was (surprisingly) in Adobe Flash. Google waited for Adobe to release a new, patched version of Flash. Once that happened, it began distributing it to Chrome slightly earlier than Microsoft did to Edge. Immediately afterwards, it disclosed the vulnerability, saying that Chrome users already had the update ready, while users of other browsers on Windows were out of luck.
The reaction was not long in coming: the next day, Microsoft Vice President Terry Myerson wrote that Microsoft Edge users on Windows 10 with the Anniversary Update are not affected by the vulnerability. The same applies to users of other browsers if they use Windows Defender Advanced Threat Protection (a service that is not included in the OEM versions of Windows 10).
I believe that for normal web browsing it is enough to turn Adobe Flash Player off in the browser, as it is notorious for its security issues. On some outdated websites (such as the Czech Television website – beware, this link redirects you from an encrypted connection to an unencrypted one; the correct way is the other way around) video streaming may stop working. It’s about finding the right balance between security and usability.
Serious bugs are found in operating systems quite often. Not long ago, a security vulnerability (CVE-2016-5195) was found that affected all operating systems based on the Linux kernel; present since 2007, it allowed any local user to escalate their privileges to root and take control of the system.