The release by a Google researcher of a new tool that exposes up to 100 Internet Explorer zero-day flaws has sparked a war of words over responsible disclosure.
Michal Zalewski, a security researcher employed by Google, has released a debugging tool called cross_fuzz on his blog, which allows researchers to expose up to 100 flaws in Microsoft’s browser. Zalewski sent the tool to Microsoft in July, warning the company that he would release it in January, and published it after seeing evidence of investigations into the bugs from China.
“I have reasons to believe that the evidently exploitable vulnerability discoverable by cross_fuzz, and outlined in msie_crash.txt, is *independently* known to third parties in China,” he wrote in a Full Disclosure mailing.
“The pattern is very strongly indicative of an independent discovery of the same vulnerability in MSIE using unrelated tools, eventually leading the discoverer to my site; other explanations for this pair of consecutive searches seem extremely unlikely.”
Zalewski said that the debugger, known as a fuzzing tool, also identified flaws in Opera and Firefox but that the majority of flaws in those browsers had been fixed.
However, Microsoft has disputed Zalewski’s version of events, saying that the tools used to find the flaws were not one and the same.
"A particular version of the tool was first reported to us in July 2010. At the time, neither Microsoft nor the Google security researcher identified any issues. On December 21st, a new version of the tool was reported to us along with information about a potentially exploitable crash found by the new version," said Jerry Bryant, group manager of response communications at Microsoft, in a statement.
"We immediately worked to reproduce the issue with the updated and original tool and are currently investigating it further to determine if it is actually exploitable. At this point, we're not aware of any exploits or attacks for the reported issue and are continuing to investigate and monitor the threat environment for any changes."
Microsoft has sought to woo the security research community over the last year with new forms of disclosure that allow companies time to fix holes in code before any announcement. This latest disclosure will leave the company scrambling to produce a huge number of patches.