October 23, 2017

Comparing bowling balls to oranges

Earlier this month, security researchers at Google's Project Zero grabbed some attention when they called out Microsoft for leaving vulnerabilities unpatched in Windows 7 and 8.1 long after those vulnerabilities had been patched in Windows 10. This, GPZ's researchers argued, was bad practice, creating extra risks for Microsoft's customers on those older platforms... especially problematic for Windows 7, of course, since it still holds 47.21% of the desktop OS market.

This is not a new thing for Google, of course, who have been disclosing unpatched and actively-exploited vulnerabilities since 2013, in an attempt to goad Microsoft into patching some of them. This was the whole point of Project Zero - the vulnerabilities at issue were already actively being attacked, and the companies who should be plugging these security holes were dragging their feet on fixing them.

Microsoft's products, being in widespread use, were often targets of these attacks, and Microsoft have often been slow to patch them, which has led to Google's team embarrassing Microsoft over and over again, for four long years, on the subject of their products' security. Well, Microsoft appears to have decided that it's time for some tit-for-tat payback, of the absolutely pettiest sort, and are now going out of their way to embarrass Google over vulnerabilities in Chrome... which Google had already quite responsibly patched shortly after being privately notified of them, and without needing to be publicly shamed into doing so. Something that Microsoft currently aren't doing.

From Paul Thurrott:
“Security is now a strong differentiator in picking the right browser,” a post on the Microsoft Security Response Center begins.
Yikes.
Worse, Microsoft didn’t randomly discover a flaw in Chrome, alert Google, and then wait some period of time before disclosing it publicly. Instead, it specifically started a project to “examine Google’s Chrome web browser” for security problems. And it found some. Alerted Google. And then disclosed it publicly, after taking careful note of how long Google took to fix them. In short, Microsoft just wanted some revenge on Google.
To compare what Microsoft just did (attempting to embarrass Google for having responsibly patched a product in a timely manner after being alerted of a weakness) to what Google did two weeks ago (attempting to embarrass Microsoft into patching vulnerabilities in Windows 7 and 8.1 that they'd already patched in Windows 10, but inexplicably left open to attack for 53.1% of desktop PC users) is to compare bowling balls to oranges. The two things might both be round, but that is where the similarities end.

Microsoft's lax approach to security for Windows 7 and 8.1 users, i.e. most Windows users, is bad practice, and makes those users less safe. Google only started calling them out on this sort of shit, four years ago, because it was the only way to goad them into sluggish action where a quick response was clearly called for. The vulnerabilities that GPZ was calling Microsoft out for, two weeks ago, are still not patched, unless I've missed something.

For Microsoft to research security problems in Chrome is fine; most Windows users also use Chrome, so alerting Google to potential vulnerabilities keeps Microsoft's customers safer, assuming that Google can issue patches in a timely fashion, which they did. For Microsoft to turn around and try to embarrass Google for responsible behaviour, however, behaviour in which Microsoft themselves do not engage, all in an attempt to push users from Chrome to Edge by baseless scare-mongering, is reprehensible.

Microsoft haven't just surrendered the high ground here; they've wallowed in the filth, and accomplished nothing in the process except to make themselves look desperate.