On Saturday, Michal Zalewski, a vulnerability researcher who works on Google's security team, publicly released a new "fuzzing" tool called "cross_fuzz" that he had used to find more than 100 bugs in the five major browsers: Chrome, Firefox, Internet Explorer (IE), Opera and Safari. He also published a crash dump of one of the IE bugs he believed could be exploited.
[ InfoWorld's Robert Lemos asks: Is Microsoft becoming a security slacker? | The Web browser is your portal to the world -- as well as the conduit that lets in many security threats. InfoWorld's expert contributors show you how to secure your Web browsers in this "Web Browser Security Deep Dive" PDF guide. ]
Zalewski said he released cross_fuzzer and the crash dump because Chinese hackers were already investigating the vulnerability, and because Microsoft had not responded for months to his bug report. To support his decision, Zalewski published a timeline of his discussions with Microsoft about the fuzzing tool and the IE bug.
He first contacted Microsoft last July, when he told the company's security team he had found "multiple crashes and GDI [graphics device interface] corruptions," and provided Microsoft with two early versions of cross_fuzz for them to use to verify the problems.
According to Zalewski, he had no contact with Microsoft between Aug. 5 and Dec. 20, when he told them he would release the fuzzer in early January. When Microsoft asked that he delay its release, he declined.
On Monday, Microsoft chastised Zalewski.
"Working with software vendors to address potential vulnerabilities in their products before details are made public reduces the overall risk to customers," said Jerry Bryant, a spokesman for the Microsoft Security Research Center, or MSRC, in an e-mail late Monday. "In this case, risk has now been amplified."
Bryant also disputed Zalewski's contention that the July versions of cross_fuzz had not found an exploitable bug in IE, but that only a later edition, which Zalewski sent Dec. 21, identified the problem.
"In July 2010, Zalewski reported two versions of the cross_fuzz tool to Microsoft," Bryant said. "Neither Zalewski or Microsoft found any vulnerabilities in Internet Explorer at the time, with either version of the tool."
On Tuesday, Zalewski responded.
"The current PR messaging from Microsoft implies that substantial differences existed between July and December fuzzer variants, and that the July 29 [fuzzer] could not reproduce the vulnerability," Zalewski said in an update to his timeline.
"This is inconsistent with my record [of events]," he added.
By Zalewski's account, the MRSC admitted on Dec. 29 that when it reran the July versions, it did find the flaw. In the timeline, Zalewski quoted a message he said came from Microsoft.