Google and Microsoft Clash Over IE Fuzzer Release

Tuesday, January 04, 2011



Did a Google staff researcher jump the gun by releasing a tool that identifies dozens of exploitable bugs in Internet Explorer before critical patches were available, or did Microsoft drop the ball back in July by not addressing the problems when first presented to them?

A cyber-drama is playing out surrounding Michal Zalewski's release of his Internet Explorer fuzzing tool dubbed "cross_fuzz".

The tool has been used to identify multiple vulnerabilities in the Microsoft browser, and could be used to aid in the creation of malicious exploits.

"I am happy to announce the availability of cross_fuzz – an amazingly effective but notoriously annoying cross-document DOM [Document Object Model] binding fuzzer that helped identify about one hundred bugs in all browsers on the market – many of said bugs exploitable," Zalewski wrote in his blog.

Zalewski claims to have presented the tool to Microsoft early last summer,and that he received no response from them until just days before the tool was set to be released.

Microsoft counters that the version of the tool presented back in July did not reveal any vulnerabilities, and that a second version presented late in December did in fact elicit a response from the company - a request to not release the tool.

"At the time [in July], neither Microsoft or the Google security researcher identified any issues. On December 21, a new version of the tool was reported to us along with information about a potentially exploitable crash found by the new version," said Microsoft's Jerry Bryant.

Google has on at least one prior occasion released information on a Microsoft vulnerability prior to the release of a patch, and similarly claimed to have notified Microsoft of the bug months before.

The two companies compete for customers in several areas including search engines, browsers and email applications, which could account for the difference in opinions on what exactly qualifies as a notification, and whose responsibility it is to follow through on protecting consumers.

"We believe that it’s important for the security community to work together to solve issues and protect customers, as well as for vendors to move swiftly to fix serious vulnerabilities that have been reported to them. Michal's disclosure falls within our stated recommendations for vulnerability disclosure," said a Google spokesperson.


Possibly Related Articles:
Google Microsoft Browser Security Vulnerabilities Tools Headlines Internet Explorer cross_fuzz
Post Rating I Like this!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.