"The Register asked Microsoft to comment. We haven't heard back."
Given the reported response timelines mentioned in the article, I guess you have to wait for just under 3.5 months for a response.
Earlier this year, Jake Archibald, developer advocate for Google Chrome, found a bug affecting Mozilla Firefox and Microsoft Edge – and had two very different experiences trying to get the problem fixed. Mozilla, he said this week in a blog post recounting the saga, responded within three hours. And because the browser maker …
Standard big company shit. Turf wars, NIH, general mis-communication.
You would, however, expect a large software company to be better at this.
Microsoft IS a big company: as far as I am aware, they are among the world leaders when it comes to Turf wars, NIH, and general mis-communication.
Actually it's grown on me. I deleted Chrome from my Windows 10 laptop a few weeks back after the last of my work required plugins started working.
I used to be generally anti-Microsoft and still use Linux for my primary machine but I like the direction they're going at the moment and I feel that they're less likely to monetise my data successfully than Google (whose Chromebooks I otherwise love).
I kind of get the vague impression that El Reg is no fan of Edge, either, given that "even the worst web browser on the planet – Microsoft Edge – can open PDFs directly without argument" appears on another of today's articles here: http://www.theregister.co.uk/2018/06/21/how_a_tax_form_kludge_gave_us_25_years_of_pdf/.
I suspect that among the El Reg commentards there are very few fans of Edge.
First impressions count, of course, and starting with Windows 8 it was a resounding failure on every measure except when compared to older versions of Internet Explorer and even that was tenuous. Regrettably, while it has improved since, it's still a long way behind the other browsers on usability, performance and features.
To make it worse, configuring the damn Operating System to force the use of the damn thing regardless of user preferences, to make switching away from it to another browser a trial of "are you sure" messages and to make it effectively unmanageable using group policy don't endear it to professional users or system administrators.
Jake Archibald ... reported the issue though Edge's bug tracker on MARCH 1st
"Microsoft's security team don't have visibility into Edge security issues."
Microsoft couldn't investigate without the source code – which would have been evident for web code through the browser's "view source" command.
Finally, on JUNE 12th, Microsoft fixed the vulnerability in Edge, which could have been abused to force the browser to transmit private data.
"It means you could visit my site in Edge, and I could read your emails, I could read your Facebook feed, all without you knowing,"
The Register asked Microsoft to comment. We haven't heard back.
"Finally, on JUNE 12th, Microsoft fixed the vulnerability in Edge, which could have been abused to force the browser to transmit private data."
... perhaps because they wanted to test the fix before releasing?
I agree, the lack of communication is reprehensible. But at the end of the day - and yes, given that this is Microsoft, I know I am being horribly optimistic here - I would much rather time be given to testing, as opposed to a fix rushed out in a knee-jerk reaction to the self-appointed software police.
I think Range headers can have multiple parameters - you can ask for Range P1-P2, P3-P4, P5-P6 parts of a document.
I seem to think this caused security problems some time ago when bounds checking was poor and a single request could be used to amplify the reply by requesting the same thing multiple times, use negative ranges (give me a range backwards) etc.
We can have nice things. Just not from MS. They are too busy working on locking in all authentication - internal and SaaS/business-to-business with AzureAD - browser issues are nothing compared to that horrific idea.
"And that no man might buy or sell, save he that had the mark, or the name of the beast, or the number of his name." - Rev 13:17
It's that Microsoft is too incompetent to deliver anything nice.
"You've found a security flaw in our stuff? We'll think about fixing that in about three or four months. Your bug bounty? Forget it, we ain't payin' you shite. Thanks for using Microsoft!"
We can have nice things, we just can't get them from Microsoft.
The big hoorah is about Edge support, but what about IE?
Stats shown on Wikipedia reporting as of May, 2018 show IE still is used far more than Edge (presumably on Win 7, and earlier, plus those stubborn enough to switch the default on Win 8.x/10).
Seems it would be even more relevant than updates for Edge,
The actions of Mozilla and Slurp speak volumes about the organizations. One acknowledges reports and deals with as fast as possible. The other seems to be either too disorganized or suffering from bureaucratic infighting to react. Firefox will get patched in a reasonable time period without prompting; Edge might get patched when some slob bestirs himself to actually do something possibly after several months of harassing.
It is obvious which browser should be trusted: Firefox.
Archibald contends the bug is significant. "It means you could visit my site in Edge, and I could read your emails, I could read your Facebook feed, all without you knowing," he said.
Facebook has reached data-sharing partnerships with at least 60 device makers — including Apple, Amazon, BlackBerry, Microsoft and Samsung
“These partnerships work very differently from the way in which app developers use our platform,” said Ime Archibong, a Facebook vice president. Unlike developers that provide games and services to Facebook users, the device partners can use Facebook data only to provide versions of “the Facebook experience,” the officials said.
blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah
Next time I see a comment saying something like "Microsoft saying they support open source is just part of their evil master plan!", I'm going to point at this:
"Microsoft's security team don't have visibility into Edge security issues"
MS is a massive organisation, and most of the time the left hand have no idea what the right hand is doing, and neither of them have even realised what the feet are up to.
This is why it's possible for the same company to be actively trying to crush all perceived competition, whilst at the same time (eg) contributing to the Linux kernel. It's not a nefarious plan, it's just different departments with no communication.
I seriously wonder why Microsoft still bothers with Edge. It doesn't bring in any revenue and has negligible marketshare.
They could just as well strike a deal with Mozilla to have a MS-branded Firefox in Windows (defaulting to Bring), and save some $$$.
(I presume a similar deal with Google would be a bridge too far.)
Four years ago I would have written this off to Microsquish's abysmal decline into the Eighth Circle of Hell, Ballmer/Sinofsky. Since Nadella took over in 2014, Microsquish has slowly climbed from the depths of technical hell and they are a long way up from the bottom they once plumbed. But they are not out. Not by a long shot, apparently.
Satya has much to do. I see him doing most of it in his cloud services. However he is one man and I, frankly, don't see a lot of support from amongst his senior executives. Any organization as entrenched as Microsquish will have inertia for the status quo, and any changes (which are necessary for their very survival) will be opposed.
I fear we are seeing the same behavior that nearly destroyed the MS product still evident in its responses to criticism (which is the way MS perceives bug revelations).
I, for one, would welcome a "giant flushing sound" from Redmond. Something still rots in the bowels of Microsquish.
Biting the hand that feeds IT © 1998–2019