back to article Microsoft Edge bug odyssey shows why we can't have nice things

Earlier this year, Jake Archibald, developer advocate for Google Chrome, found a bug affecting Mozilla Firefox and Microsoft Edge – and had two very different experiences trying to get the problem fixed. Mozilla, he said this week in a blog post recounting the saga, responded within three hours. And because the browser maker …

  1. Gordan

    "The Register asked Microsoft to comment. We haven't heard back."

    Given the reported response timelines mentioned in the article, I guess you have to wait for just under 3.5 months for a response.

    1. gotes

      But wait, they've sent a canned response. Well done Microsoft!

      1. Jay Lenovo Silver badge
        Thumb Down

        Your concerns are important to us, please hold.

        It was addressed previously, mysteriously, and at a time of their choosing.

        Run along now... Your inquiry penetration test has completed.

    2. John Sager

      Standard big company shit. Turf wars, NIH, general mis-communication. You would, however, expect a large software company to be better at this.

      1. Loud Speaker

        Standard big company shit. Turf wars, NIH, general mis-communication.

        You would, however, expect a large software company to be better at this.

        Microsoft IS a big company: as far as I am aware, they are among the world leaders when it comes to Turf wars, NIH, and general mis-communication.

    3. Anonymous Coward
      Anonymous Coward

      Edge aka Trident 12. No thanks.

      No serious employee would use Edge anyway. Buggy and more incompatible than the old IE11, and based on the same source code too. And at home, no one would use that crap. Everyone is using Safari or Chrome.

      1. Ken 16 Silver badge
        Linux

        Re: Edge aka Trident 12. No thanks.

        Actually it's grown on me. I deleted Chrome from my Windows 10 laptop a few weeks back after the last of my work required plugins started working.

        I used to be generally anti-Microsoft and still use Linux for my primary machine but I like the direction they're going at the moment and I feel that they're less likely to monetise my data successfully than Google (whose Chromebooks I otherwise love).

        1. johnnyblaze

          Re: Edge aka Trident 12. No thanks.

          If you're using Windows 10, don't worry, Microsoft are monetizing you, and collecting reams of your info from deep within the OS. You can sleep well at night knowing this now!

      2. DJV Silver badge
        Happy

        Re: Edge aka Trident 12. No thanks.

        I kind of get the vague impression that El Reg is no fan of Edge, either, given that "even the worst web browser on the planet – Microsoft Edge – can open PDFs directly without argument" appears on another of today's articles here: http://www.theregister.co.uk/2018/06/21/how_a_tax_form_kludge_gave_us_25_years_of_pdf/.

        1. Nick Ryan Silver badge

          Re: Edge aka Trident 12. No thanks.

          I suspect that among the El Reg commentards there are very few fans of Edge.

          First impressions count, of course, and starting with Windows 8 it was a resounding failure on every measure except when compared to older versions of Internet Explorer and even that was tenuous. Regrettably, while it has improved since, it's still a long way behind the other browsers on usability, performance and features.

          To make it worse, configuring the damn Operating System to force the use of the damn thing regardless of user preferences, to make switching away from it to another browser a trial of "are you sure" messages and to make it effectively unmanageable using group policy don't endear it to professional users or system administrators.

  2. DrBed
    Facepalm

    Micro Soft's Flying Circusss

    Jake Archibald ... reported the issue though Edge's bug tracker on MARCH 1st

    "Microsoft's security team don't have visibility into Edge security issues."

    Microsoft couldn't investigate without the source code – which would have been evident for web code through the browser's "view source" command.

    Finally, on JUNE 12th, Microsoft fixed the vulnerability in Edge, which could have been abused to force the browser to transmit private data.

    "It means you could visit my site in Edge, and I could read your emails, I could read your Facebook feed, all without you knowing,"

    The Register asked Microsoft to comment. We haven't heard back.

    1. RyokuMas Silver badge
      Stop

      Re: Micro Soft's Flying Circusss

      "Finally, on JUNE 12th, Microsoft fixed the vulnerability in Edge, which could have been abused to force the browser to transmit private data."

      ... perhaps because they wanted to test the fix before releasing?

      I agree, the lack of communication is reprehensible. But at the end of the day - and yes, given that this is Microsoft, I know I am being horribly optimistic here - I would much rather time be given to testing, as opposed to a fix rushed out in a knee-jerk reaction to the self-appointed software police.

      1. Uffish

        Re: Horribly Optimistic

        This is Microsoft - you are being horribly optimistic. And of course they were testing the fix.

        And Mozilla were better.

  3. Anonymous Coward
    Anonymous Coward

    Content Length != Range?

    You may want to inform web cache makers too - how they rationalise Range can Vary..

    1. P. Lee Silver badge

      Re: Content Length != Range?

      I think Range headers can have multiple parameters - you can ask for Range P1-P2, P3-P4, P5-P6 parts of a document.

      I seem to think this caused security problems some time ago when bounds checking was poor and a single request could be used to amplify the reply by requesting the same thing multiple times, use negative ranges (give me a range backwards) etc.

      We can have nice things. Just not from MS. They are too busy working on locking in all authentication - internal and SaaS/business-to-business with AzureAD - browser issues are nothing compared to that horrific idea.

      "And that no man might buy or sell, save he that had the mark, or the name of the beast, or the number of his name." - Rev 13:17

  4. Shadow Systems Silver badge

    It's not that we can't have nice things...

    It's that Microsoft is too incompetent to deliver anything nice.

    "You've found a security flaw in our stuff? We'll think about fixing that in about three or four months. Your bug bounty? Forget it, we ain't payin' you shite. Thanks for using Microsoft!"

    We can have nice things, we just can't get them from Microsoft.

  5. Anonymous Coward
    Anonymous Coward

    Expecting Professionalism?

    NOPE!!

    "Entropy, Clippy. Startup-tier levels of entropy."

  6. Claptrap314 Bronze badge

    Depressing

    The four biggest browsers all failed to validate their inputs? 1980 called. They want their vulnerability back.

    1. Anonymous Coward
      Anonymous Coward

      Re: Depressing

      Microsoft's browsers (IE and Edge) aren't anywhere near top 4 in market share if you count both desktop and mobile. Even UC browser has more than twice Edge's market share.

      1. ROC

        Re: Depressing - more depressing re IE, or not?

        The big hoorah is about Edge support, but what about IE?

        Stats shown on Wikipedia reporting as of May, 2018 show IE still is used far more than Edge (presumably on Win 7, and earlier, plus those stubborn enough to switch the default on Win 8.x/10).

        Seems it would be even more relevant than updates for Edge,

  7. a_yank_lurker Silver badge

    Actions Speak

    The actions of Mozilla and Slurp speak volumes about the organizations. One acknowledges reports and deals with as fast as possible. The other seems to be either too disorganized or suffering from bureaucratic infighting to react. Firefox will get patched in a reasonable time period without prompting; Edge might get patched when some slob bestirs himself to actually do something possibly after several months of harassing.

    It is obvious which browser should be trusted: Firefox.

    1. Anonymous Coward
      Anonymous Coward

      Mozilla and Slurp?

      Not Mozilla and Microslurp?

      1. hplasm Silver badge
        Happy

        Re: Mozilla and Slurp?

        Not Mozilla and Slurpzilla?

        1. LDS Silver badge

          Not Mozilla and Slurpzilla?

          Slurpzilla is Google. Or maybe Facebook.

  8. Anonymous Coward
    Anonymous Coward

    "That's not a bug, that's a feature!" M. Zuckerberg

    Archibald contends the bug is significant. "It means you could visit my site in Edge, and I could read your emails, I could read your Facebook feed, all without you knowing," he said.

    https://www.nytimes.com/interactive/2018/06/03/technology/facebook-device-partners-users-friends-data.html

    Facebook has reached data-sharing partnerships with at least 60 device makers — including Apple, Amazon, BlackBerry, Microsoft and Samsung

    “These partnerships work very differently from the way in which app developers use our platform,” said Ime Archibong, a Facebook vice president. Unlike developers that provide games and services to Facebook users, the device partners can use Facebook data only to provide versions of “the Facebook experience,” the officials said.

    1. Primus Secundus Tertius Silver badge

      Re: "That's not a bug, that's a feature!" M. Zuckerberg

      ["That's not a bug, that's a feature!" M. Zuckerberg]

      I remember that corporate response from Digital Equipment Corporation in the 1970s, long before the Zuck was even thought of.

  9. Andy Mac
    Stop

    Enough

    I really think journalists need to get together and agree to stop reporting canned statements and instead treat them as no response at all.

    1. Dan 55 Silver badge

      Re: Enough

      I wish news media would start putting "we asked them this, but their answer didn't address the question" in response to getting a canned statement back, because it's lately rare to get a reply from business or government that isn't canned.

  10. Anonymous Coward
    Anonymous Coward

    Microsoft Edge?

    You mean the Chrome/Firefox/(insert name of alternative browser) downloader app?

  11. Anonymous Coward
    Anonymous Coward

    Its about time the EU banned microslurp from disabling any way of uninstalling edge. I'd like to rid windows 10 of it.

    1. Dan 55 Silver badge

      You can, with LTSB.

      1. Spanners Silver badge
        Boffin

        @Dan 55

        Microsith say that LTSB won't run office.

        Any thoughts on that? Suggesting Open Office instead is a complete non-starter with most management.

        1. johnnyblaze

          Re: @Dan 55

          LTSB runs Office fine thank you very much. No app store, no Cortana, no Edge, no live tiles. Halleluja!

          1. DJV Silver badge

            @johnnyblaze

            "LTSB runs Office fine thank you very much. No app store, no Cortana, no Edge, no live tiles."

            What, you mean it's really Windows 7?

        2. Dan 55 Silver badge

          Re: @Dan 55

          Office 2019 will run. Office 365 (that thing that just had a wobbly yesterday) won't run from 2020.

  12. Sam Liddicott

    Malicious compliance

    I'm waiting for the other side of the story to show up in Reddit's malicious /r/MaliciousCompliance

  13. Mystic Megabyte Silver badge
    Unhappy

    Microsoft has sent us the following statement:

    blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah

  14. phuzz Silver badge
    Gimp

    Next time I see a comment saying something like "Microsoft saying they support open source is just part of their evil master plan!", I'm going to point at this:

    "Microsoft's security team don't have visibility into Edge security issues"

    MS is a massive organisation, and most of the time the left hand have no idea what the right hand is doing, and neither of them have even realised what the feet are up to.

    This is why it's possible for the same company to be actively trying to crush all perceived competition, whilst at the same time (eg) contributing to the Linux kernel. It's not a nefarious plan, it's just different departments with no communication.

  15. stephanh Silver badge

    why edge?

    I seriously wonder why Microsoft still bothers with Edge. It doesn't bring in any revenue and has negligible marketshare.

    They could just as well strike a deal with Mozilla to have a MS-branded Firefox in Windows (defaulting to Bring), and save some $$$.

    (I presume a similar deal with Google would be a bridge too far.)

  16. J J Carter Silver badge
    Trollface

    Ker-ching?

    How much did he cadge off M$FT for the bug bounty?

    1. Anonymous Coward
      Anonymous Coward

      Re: Ker-ching?

      >How much did he cadge off M$FT for the bug bounty?

      A free Win 10 licence, poor sod.

  17. Anonymous Coward
    Anonymous Coward

    Yes, but

    it would be interesting to know if Mozilla's response would have been equally prompt if the reporter hadn't been Jake Archibald or some other household name amongst web / browser developers, but rather an anonymous user.

  18. phat shantz

    From Hell's Heart I Code At Thee

    Four years ago I would have written this off to Microsquish's abysmal decline into the Eighth Circle of Hell, Ballmer/Sinofsky. Since Nadella took over in 2014, Microsquish has slowly climbed from the depths of technical hell and they are a long way up from the bottom they once plumbed. But they are not out. Not by a long shot, apparently.

    Satya has much to do. I see him doing most of it in his cloud services. However he is one man and I, frankly, don't see a lot of support from amongst his senior executives. Any organization as entrenched as Microsquish will have inertia for the status quo, and any changes (which are necessary for their very survival) will be opposed.

    I fear we are seeing the same behavior that nearly destroyed the MS product still evident in its responses to criticism (which is the way MS perceives bug revelations).

    I, for one, would welcome a "giant flushing sound" from Redmond. Something still rots in the bowels of Microsquish.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019