    Microsoft, Google Researcher Tangle on Security Disclosure

    Written by Brian Prince
    Published January 3, 2011

      It seems Microsoft’s security team is tangling with another Google researcher regarding the issue of responsible disclosure.

      Google security engineer Michal Zalewski recently reported finding bugs with his new browser fuzzing tool, cross_fuzz. The vulnerabilities spanned a number of browsers, including Internet Explorer, Mozilla Firefox and Opera. A vulnerability in Internet Explorer, however, has caused a dust-up and sparked criticism from Microsoft that Zalewski has “amplified” risk to users.

      “Security is an industrywide issue and Microsoft is committed to working with researchers and/or the companies who employ them, when they discover potential vulnerabilities and this case is no exception,” said Jerry Bryant, group manager of response communications for Trustworthy Computing at Microsoft, in a statement. “Working with software vendors to address potential vulnerabilities in their products before details are made public, reduces the overall risk to customers. In this case, risk has now been amplified.”

      Last year, Google employee Tavis Ormandy had a well-publicized spat with Microsoft regarding the disclosure of a vulnerability in the Windows Help and Support Center feature delivered in supported editions of Windows XP and Windows Server 2003. His decision to publish proof-of-concept attack code on the Web created controversy as the bug quickly came under attack.

      In this case, Zalewski wrote, while “working on addressing cross_fuzz crashes in WebKit prior to this announcement, one of the developers accidentally leaked the address of the fuzzer in one of the uploaded crash traces.” As a result, the fuzzer directory was indexed by Google. On Dec. 30, Zalewski observed visits to that directory from an IP address in China whose search queries matched keywords in one of the indexed cross_fuzz files.

      “These search queries are looking for information on two MSHTML.DLL functions – BreakAASpecial and BreakCircularMemoryReferences – that are unique to the stack signature of this vulnerability, and had absolutely no other mentions on the Internet at that time,” the researcher wrote.

      In a message to the Full Disclosure mailing list, Zalewski wrote that though Microsoft asked him to delay the tool’s release, the discovery of the IE vulnerability by a third party made it important for him to push forward. He notified Microsoft of the issue in July, but contends he received little contact from the company until he followed up with them again in December with his announcement of the tool.

      “Following that contact attempt, they were able to quickly reproduce multiple exploitable crashes, and asked for the release of this tool to be postponed indefinitely,” he wrote. “Since they have not provided an explanation as to why these issues could not be investigated earlier, I refused.”

      Microsoft’s account differs from Zalewski’s; Bryant stated that in July “neither Microsoft [nor] the Google security researcher identified any issues.”

      “On Dec. 21, a new version of the tool was reported to us along with information about a potentially exploitable crash found by the new version,” according to Bryant. “We immediately worked to reproduce the issue with the updated and original tool and are currently investigating it further to determine if it is actually exploitable.”

      Bryant added that using the Dec. 21 variant of the tool, Microsoft verified the vulnerability and requested Zalewski hold “the public release of this version and information on the vulnerability until we could investigate further. We specifically told Zalewski we were fine with him publishing the two versions of the tool reported in July.”

      “At this point, we’re not aware of any exploits or attacks for the reported issue and are continuing to investigate and monitor the threat environment for any changes,” he said.

      Zalewski claims that Microsoft confirmed Dec. 29 the crashes were reproducible with the version of the fuzzer it received July 29, and could not explain why it was unable to before. He also contends that the person who accessed the cross_fuzz directory seemed to have no apparent knowledge of the tool itself, and downloaded all the accessible files.

      “The pattern is very strongly indicative of an independent discovery of the same fault condition in MSIE [Microsoft Internet Explorer] by unrelated means; other explanations for this pair of consecutive searches seem extremely unlikely,” he wrote.

      *This story was updated with additional information and commentary.
