Microsoft, Googler tussle over bug timeline
Spar over Google security engineer's 'fuzzer' release, IE vulnerability
Computerworld - Microsoft and a Google security engineer are sparring over a bug the researcher reported to Microsoft last July.
On Saturday, Michal Zalewski, a vulnerability researcher who works on Google's security team, publicly released a new "fuzzing" tool called "cross_fuzz" that he had used to find more than 100 bugs in the five major browsers: Chrome, Firefox, Internet Explorer (IE), Opera and Safari. He also published a crash dump of one of the IE bugs he believed could be exploited.
Zalewski said he released cross_fuzzer and the crash dump because Chinese hackers were already investigating the vulnerability, and because Microsoft had not responded for months to his bug report. To support his decision, Zalewski published a timeline of his discussions with Microsoft about the fuzzing tool and the IE bug.
He first contacted Microsoft last July, when he told the company's security team he had found "multiple crashes and GDI [graphics device interface] corruptions," and provided Microsoft with two early versions of cross_fuzz for them to use to verify the problems.
According to Zalewski, he had no contact with Microsoft between Aug. 5 and Dec. 20, when he told them he would release the fuzzer in early January. When Microsoft asked that he delay its release, he declined.
On Monday, Microsoft chastised Zalewski.
"Working with software vendors to address potential vulnerabilities in their products before details are made public reduces the overall risk to customers," said Jerry Bryant, a spokesman for the Microsoft Security Research Center, or MSRC, in an e-mail late Monday. "In this case, risk has now been amplified."
Bryant also disputed Zalewski's contention that the July versions of cross_fuzz had not found an exploitable bug in IE, but that only a later edition, which Zalewski sent Dec. 21, identified the problem.
"In July 2010, Zalewski reported two versions of the cross_fuzz tool to Microsoft," Bryant said. "Neither Zalewski or Microsoft found any vulnerabilities in Internet Explorer at the time, with either version of the tool."
On Tuesday, Zalewski responded.
"The current PR messaging from Microsoft implies that substantial differences existed between July and December fuzzer variants, and that the July 29 [fuzzer] could not reproduce the vulnerability," Zalewski said in an update to his timeline.
"This is inconsistent with my record [of events]," he added.
By Zalewski's account, the MRSC admitted on Dec. 29 that when it reran the July versions, it did find the flaw. In the timeline, Zalewski quoted a message he said came from Microsoft.
"The IE team did exhaustively run the fuzzers but were unable to find the same crashes that you and Dave [of Microsoft] are now able to identify," the message stated. "I can't really say as to why we are able to hit some of these conditions now rather than before but please know that this was not intentional."
- Best iPhone, iPad Business Apps for 2014
- 14 Tech Conventions You Should Attend in 2014
- 10 Desktop Apps to Power Your Windows PC
- How to Add New Job Skills Without Going Back to School
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The Threat Landscape Hardly a day goes by without the discovery of a new cyberthreat somewhere in the world! But how do you keep up with...
- Security for Virtualization In the rush to implement virtualization, security has become second. So while the business benefits are clear, the risks are less well documented...
- Review: Box beats Dropbox - and all the rest - for business Box trumps Dropbox, Engyte, Citrix ShareFile, EMC Syncplicity, and OwnCloud with rich mix of file sync, file sharing, user management, deep reporting and...
- Analyst Report-Mixed All Flash Arrays Delivers Safer Higher Performance What is the impact of an all-flash array with enterprise features and reliability on the mainstream data center? In the mainstream environment, storage...
- Four Myths of High-Productivity App Dev Debunked Debunk the main myths surrounding high-productivity application development and how both platforms have overcome them.
On-Demand Webcast: 7 Reasons to Choose VoIP
Thinking about a new phone system for your business?
Be sure to watch this informative webcast. Steve Strauss, small business columnist for USA...
All Malware and Vulnerabilities White Papers |