Microsoft, Googler tussle over bug timeline

Spar over Google security engineer's 'fuzzer' release, IE vulnerability

Microsoft and a Google security engineer are sparring over a bug the researcher reported to Microsoft last July.

On Saturday, Michal Zalewski, a vulnerability researcher who works on Google's security team, publicly released a new "fuzzing" tool called "cross_fuzz" that he had used to find more than 100 bugs in the five major browsers: Chrome, Firefox, Internet Explorer (IE), Opera and Safari. He also published a crash dump of one of the IE bugs he believed could be exploited.

Zalewski said he released cross_fuzz and the crash dump because Chinese hackers were already investigating the vulnerability, and because Microsoft had not responded for months to his bug report. To support his decision, Zalewski published a timeline of his discussions with Microsoft about the fuzzing tool and the IE bug.

He first contacted Microsoft last July, when he told the company's security team he had found "multiple crashes and GDI [graphics device interface] corruptions," and provided Microsoft with two early versions of cross_fuzz for them to use to verify the problems.

According to Zalewski, he had no contact with Microsoft between Aug. 5 and Dec. 20, when he told them he would release the fuzzer in early January. When Microsoft asked that he delay its release, he declined.

On Monday, Microsoft chastised Zalewski.

"Working with software vendors to address potential vulnerabilities in their products before details are made public reduces the overall risk to customers," said Jerry Bryant, a spokesman for the Microsoft Security Research Center, or MSRC, in an e-mail late Monday. "In this case, risk has now been amplified."

Bryant also disputed Zalewski's account, contending that the July versions of cross_fuzz had not found an exploitable bug in IE, and that only a later edition, which Zalewski sent Dec. 21, identified the problem.

"In July 2010, Zalewski reported two versions of the cross_fuzz tool to Microsoft," Bryant said. "Neither Zalewski nor Microsoft found any vulnerabilities in Internet Explorer at the time, with either version of the tool."

On Tuesday, Zalewski responded.

"The current PR messaging from Microsoft implies that substantial differences existed between July and December fuzzer variants, and that the July 29 [fuzzer] could not reproduce the vulnerability," Zalewski said in an update to his timeline.

"This is inconsistent with my record [of events]," he added.

By Zalewski's account, the MSRC admitted on Dec. 29 that when it reran the July versions, it did find the flaw. In the timeline, Zalewski quoted a message he said came from Microsoft.

"The IE team did exhaustively run the fuzzers but were unable to find the same crashes that you and Dave [of Microsoft] are now able to identify," the message stated. "I can't really say as to why we are able to hit some of these conditions now rather than before but please know that this was not intentional."

By comparison, Mozilla kept Zalewski in the loop as it worked on the Firefox bugs he reported.

The pertinent thread on Bugzilla, Mozilla's bug and code change database, includes 44 messages between Zalewski and Mozilla developers from July 23 to Jan. 1. Zalewski provided several crash dumps to illustrate vulnerabilities his fuzzer had uncovered, and Mozilla's engineers posed questions.

Zalewski asked Mozilla to keep the Bugzilla thread under wraps until other browser makers had had a chance to patch their products' bugs.

"[For what it's worth], the blurb does not make you look bad in comparison," he told Mozilla on Dec. 29, referring to the patch status summary he intended to publish in a few days. "Microsoft will probably come off poorly, all other browsers are roughly in the same shape."

Microsoft and security researchers regularly skirmish as the former pushes what it calls "coordinated vulnerability disclosure" (CVD) -- a term it coined last summer -- while the latter often complain that the company drags its feet before patching flaws they report.

Under Microsoft's definition of CVD, it wants researchers to stay quiet until a patch is released.

When it announced CVD, it acknowledged the new nomenclature was essentially just a name change from "responsible disclosure," the policy it had supported for years, but the company also emphasized it wanted to keep open the lines of communication between itself and researchers, even when the latter broadcasted their findings without reporting a bug or waiting on a patch.

Microsoft and Google also have a history when it comes to reporting bugs.

Last summer, Google security engineer Tavis Ormandy released exploit code for a bug in Windows' Help and Support Center after he said Microsoft refused to set a patch deadline. In September, Chris Evans, another Google security researcher, published attack code for an IE vulnerability after he said he had not been able to persuade Microsoft to fix the flaw.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer or subscribe to Gregg's RSS feed. His e-mail address is gkeizer@computerworld.com.
