Microsoft upset over Google researcher's tool release

Microsoft is again at odds with a Google security researcher over what the software giant believes was the premature release of vulnerability information.

Well-known bug hunter Michal Zalewski, who uses the online alias "lcamtuf", last week released a web browser fuzzing tool that identified about 100 vulnerabilities in various browsers.

One of those – a potentially exploitable zero-day vulnerability in Microsoft's Internet Explorer (IE) browser – may have been discovered by hackers in China, he said.

The tool, called “cross_fuzz,” also found flaws affecting Firefox, Opera, Chrome, Safari and other browsers that use the open-source web browser engine WebKit.

“I have reasons to believe that the evidently exploitable vulnerability discoverable by cross_fuzz ... is independently known to third parties in China,” Zalewski said of the IE flaw.

A developer working to address cross_fuzz crashes in WebKit “accidentally leaked” the address of the fuzzer prior to its release, he said. As a result, Google then indexed the cross_fuzz directory.

In late December, Zalewski came across search queries from an IP address in China that matched keywords mentioned in one of the indexed cross_fuzz files. The search queries were looking for information about two IE functions unique to the vulnerability in question, Zalewski said. At the time, there was no other information online about the flaw.

“The person had no apparent knowledge of cross_fuzz itself, poked around the directory for a while, and downloaded all the accessible files,” Zalewski wrote. "The pattern is very strongly indicative of an independent discovery of the same fault condition in [IE].”

In a statement sent to SCMagazineUS.com, a Microsoft spokesman said the company is aware of the “potentially exploitable crash” and is still working to determine if the flaw is exploitable.

“At this point, we're not aware of any exploits or attacks for the reported issue and are continuing to investigate and monitor the threat environment for any changes,” Jerry Bryant, group manager of response communications for trustworthy computing at Microsoft, wrote in the statement.

The fuzzing tool was published by Zalewski despite Microsoft's request that the release be postponed.

“Since they have not provided a compelling explanation as to why these issues could not have been investigated earlier, I refused,” Zalewski wrote in a blog post.

Zalewski originally submitted a report to Microsoft about the cross_fuzz tool in July, noting multiple crashes and corruption issues, according to a timeline of his communications with the software giant. The researcher then reached out to Microsoft several more times before notifying the company on December 20 that he planned to release the tool in early January.

In its statement, Microsoft acknowledged receiving Zalewski's initial report in July, but denied that the tool identified any problems in IE at the time. Microsoft said it was provided a different version of the tool on December 21, along with information about the potentially exploitable crash, which was found by this updated version. 

“We will continue to investigate this issue and take appropriate action to help protect customers,” Microsoft said.

Meanwhile, Zalewski also notified the WebKit Open Source project, Mozilla and Opera about the flaws in July, and many have since been fixed. However, several hard-to-patch issues remain unresolved in Firefox, Opera and WebKit.

This is not the first time Microsoft and Google have disagreed over the disclosure of an unpatched vulnerability.

In June 2010, Google security engineer Tavis Ormandy published details about an unpatched Windows kernel vulnerability after giving Microsoft just five days' notice about the flaw. Ormandy's actions attracted a wave of criticism from members of the security community, but the researcher said he went public with the information in the best interest of security. 

Not long after, Microsoft unveiled a new initiative around vulnerability reporting, known as coordinated disclosure.

This article originally appeared at scmagazineus.com