
IE zero-day bug leads to squabble between Microsoft, researcher

A new zero-day IE flaw is now circulating after being publicized on January 1 …

[Editor's Note: The original version of this story was published before receiving proper vetting, and many of you rightly chastised us for it. We apologize and present the following coverage, which more completely examines the issue.]

Microsoft is at odds with a researcher employed by Google who published a zero-day Internet Explorer vulnerability on New Year's Day. The vulnerability was discovered using cross_fuzz, a browser fuzzing tool created by Google researcher Michal Zalewski, who says he gave Microsoft more than six months of warning before going public with the flaw. Microsoft sharply disagrees, however, arguing that Zalewski has now put thousands of IE users at risk.

According to Zalewski's published timeline of events, he first told Microsoft about the vulnerability in July of last year and provided the company with copies of cross_fuzz for independent verification. Zalewski informed the company that he planned to release the tool in January, and Microsoft acknowledged the report at that time—confirmed on Tuesday by Microsoft spokesperson Jerry Bryant.

Microsoft said it was unable to reproduce any problems using the cross_fuzz tool upon being informed of the issue in July, despite Zalewski's insistence that he saw "multiple crashes and GDI corruption issues" in IE. The company claims it was only notified on December 21 of a new version of cross_fuzz that could cause a potentially exploitable crash.

Microsoft immediately issued Security Advisory (2488013), confirming that the vulnerability affects all supported versions of IE. Microsoft explained that the vulnerability stems from uninitialized memory created during a CSS function within the browser, which an attacker could leverage with a specially crafted webpage.

"We immediately worked to reproduce the issue with the updated and original tool and are currently investigating it further to determine if it is actually exploitable," Bryant told Ars.

This is when the stories diverge, however. Zalewski says he heard virtually nothing from Microsoft until mid-December, at which point others were able to reproduce the problem, including by means of the original cross_fuzz version used last July. According to Zalewski, Microsoft was suddenly concerned about the potential PR fallout and claimed the IE problems only surfaced after he had updated his code. Zalewski said he confirmed that the problem was unchanged by running both the new and old versions of the fuzzer and told Microsoft again that he planned to release the tool in January.

"Response from [Microsoft Security Research Center] confirms that these crashes are reproducible with the July 29 fuzzer; unclear why they were unable to replicate them earlier, or follow up on the case," Zalewski wrote on December 29. As promised, he released the fuzzer on January 1.

Now, Microsoft is accusing Zalewski of increasing the risk to IE users—the company says attackers may find a way to exploit the flaw before a patch can be tested and distributed. Zalewski insists that Microsoft knew about the flaw and his plan to release in January for more than six months, however, and did nothing until it was almost too late.

Whichever way this he-said, she-said fight ends up, Microsoft says it's actively monitoring the situation and plans to issue a patch soon.
