Microsoft asked Zalewski to delay cross_fuzz's release, but he declined, in part because of his fear the IE vulnerability was already being explored by Chinese hackers, but also because the company's security experts had not responded to information he provided.
"Since [Microsoft has] not provided an explanation as to why these issues could not be investigated earlier, I refused [the request to hold the release]," Zalewski said in a Jan. 1 post to the Full Disclosure mailing list.
In a detailed timeline of his communiqus to Microsoft, Zalewski said he had first reported his findings and provided an earlier version of cross_fuzz in July. According to Zalewski, Microsoft did not reply until he told them on Dec. 20 that he was planning on revealing the fuzzing tool in early January.
On Dec. 21, Microsoft told Zalewski that its security response center had begun composing a reply last summer, but never sent it after failing to reproduce his findings.
"I have a conference call with MSRC [Microsoft Security Response Center]," Zalewski said in the timeline's note for Dec. 28. "The team expresses concern over PR impact, suggests that the changes made to my fuzzer code between July and December might have uncovered additional issues, which would explain why they were unable to reproduce them earlier."
A day later, Microsoft admitted it was now able to reproduce the fuzzer-found flaws using the July code.
"The IE team did exhaustively run the fuzzers but were unable to find the same crashes that you and Dave [of Microsoft] are now able to identify," Microsoft told Zalewski on Dec. 29. "I can't really say as to why we are able to hit some of these conditions now rather than before but please know that this was not intentional."
Microsoft's account omitted most of the details Zalewski provided, including the fact that it was able last month to reproduce the vulnerability using the fuzzer it had five months earlier.
"[In July], neither Microsoft or the Google security researcher identified any issues," said Jerry Bryant, an MSRC spokesman, in a statement Sunday. "On December 21, a new version of the tool was reported to us along with information about a potentially exploitable crash found by the new version. We immediately worked to reproduce the issue with the updated and original tool and are currently investigating it further to determine if it is actually exploitable."
Microsoft and Google security researchers have crossed swords in the past. Last summer, Google's Tavis Ormandy released exploit code for a bug in Windows' Help and Support Center after he said Microsoft refused to set a patch deadline.
Fuzzing is a common research practice used to locate vulnerabilities and find flaws in code. A fuzzer automates the technique by inputting data into applications or operating system components to see if -- and where -- crashes occur.
The vulnerability that Zalewski reported and Microsoft said it was investigating is apparently unrelated to the unpatched IE bug the latter confirmed on Dec. 22.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer or subscribe to Gregg's RSS feed. His email address is firstname.lastname@example.org.
Read more about security in Computerworld's Security Topic Center.