Microsoft, Googler tussle over bug timeline
Spar over Google security engineer's 'fuzzer' release, IE vulnerability
Computerworld - Microsoft and a Google security engineer are sparring over a bug the researcher reported to Microsoft last July.
On Saturday, Michal Zalewski, a vulnerability researcher who works on Google's security team, publicly released a new "fuzzing" tool called "cross_fuzz" that he had used to find more than 100 bugs in the five major browsers: Chrome, Firefox, Internet Explorer (IE), Opera and Safari. He also published a crash dump of one of the IE bugs he believed could be exploited.
Zalewski said he released cross_fuzz and the crash dump because Chinese hackers were already investigating the vulnerability, and because Microsoft had not responded for months to his bug report. To support his decision, Zalewski published a timeline of his discussions with Microsoft about the fuzzing tool and the IE bug.
He first contacted Microsoft last July, when he told the company's security team he had found "multiple crashes and GDI [graphics device interface] corruptions," and provided Microsoft with two early versions of cross_fuzz for them to use to verify the problems.
According to Zalewski, he had no contact with Microsoft between Aug. 5 and Dec. 20, when he told them he would release the fuzzer in early January. When Microsoft asked that he delay its release, he declined.
On Monday, Microsoft chastised Zalewski.
"Working with software vendors to address potential vulnerabilities in their products before details are made public reduces the overall risk to customers," said Jerry Bryant, a spokesman for the Microsoft Security Research Center, or MSRC, in an e-mail late Monday. "In this case, risk has now been amplified."
Bryant also disputed Zalewski's contention that the July versions of cross_fuzz had already found the exploitable bug in IE, saying that only a later edition, which Zalewski sent Dec. 21, identified the problem.
"In July 2010, Zalewski reported two versions of the cross_fuzz tool to Microsoft," Bryant said. "Neither Zalewski or Microsoft found any vulnerabilities in Internet Explorer at the time, with either version of the tool."
On Tuesday, Zalewski responded.
"The current PR messaging from Microsoft implies that substantial differences existed between July and December fuzzer variants, and that the July 29 [fuzzer] could not reproduce the vulnerability," Zalewski said in an update to his timeline.
"This is inconsistent with my record [of events]," he added.
By Zalewski's account, the MSRC admitted on Dec. 29 that when it reran the July versions, it did find the flaw. In the timeline, Zalewski quoted a message he said came from Microsoft.
"The IE team did exhaustively run the fuzzers but were unable to find the same crashes that you and Dave [of Microsoft] are now able to identify," the message stated. "I can't really say as to why we are able to hit some of these conditions now rather than before but please know that this was not intentional."