Microsoft, Googler tussle over bug timeline
Spar over Google security engineer's 'fuzzer' release, IE vulnerability
Computerworld - Microsoft and a Google security engineer are sparring over a bug the researcher reported to Microsoft last July.
On Saturday, Michal Zalewski, a vulnerability researcher who works on Google's security team, publicly released a new "fuzzing" tool called "cross_fuzz" that he had used to find more than 100 bugs in the five major browsers: Chrome, Firefox, Internet Explorer (IE), Opera and Safari. He also published a crash dump of one of the IE bugs he believed could be exploited.
Zalewski said he released cross_fuzz and the crash dump because Chinese hackers were already investigating the vulnerability, and because Microsoft had not responded for months to his bug report. To support his decision, Zalewski published a timeline of his discussions with Microsoft about the fuzzing tool and the IE bug.
He first contacted Microsoft last July, when he told the company's security team he had found "multiple crashes and GDI [graphics device interface] corruptions," and provided Microsoft with two early versions of cross_fuzz for them to use to verify the problems.
According to Zalewski, he had no contact with Microsoft between Aug. 5 and Dec. 20, when he told them he would release the fuzzer in early January. When Microsoft asked that he delay its release, he declined.
On Monday, Microsoft chastised Zalewski.
"Working with software vendors to address potential vulnerabilities in their products before details are made public reduces the overall risk to customers," said Jerry Bryant, a spokesman for the Microsoft Security Research Center, or MSRC, in an e-mail late Monday. "In this case, risk has now been amplified."
Bryant also disputed Zalewski's account, saying that the July versions of cross_fuzz had not found an exploitable bug in IE and that only a later edition, which Zalewski sent Dec. 21, identified the problem.
"In July 2010, Zalewski reported two versions of the cross_fuzz tool to Microsoft," Bryant said. "Neither Zalewski nor Microsoft found any vulnerabilities in Internet Explorer at the time, with either version of the tool."
On Tuesday, Zalewski responded.
"The current PR messaging from Microsoft implies that substantial differences existed between July and December fuzzer variants, and that the July 29 [fuzzer] could not reproduce the vulnerability," Zalewski said in an update to his timeline.
"This is inconsistent with my record [of events]," he added.
By Zalewski's account, the MSRC admitted on Dec. 29 that when it reran the July versions, it did find the flaw. In the timeline, Zalewski quoted a message he said came from Microsoft.
"The IE team did exhaustively run the fuzzers but were unable to find the same crashes that you and Dave [of Microsoft] are now able to identify," the message stated. "I can't really say as to why we are able to hit some of these conditions now rather than before but please know that this was not intentional."