The release by a Google researcher of a new tool that shows up to 100 Internet Explorer zero-day flaws has sparked a war of words over responsible disclosure.
Michal Zalewski, a security researcher employed by Google, has released a debugging tool called cross_fuzz which allows researchers to expose up to 100 flaws in Microsoft’s browser.
Zalewski sent the tool to Microsoft in July warning that he will release it in January, after seeing evidence of investigations into the bugs from China.
"I have reasons to believe that the evidently exploitable vulnerability discoverable by cross_fuzz, and outlined in msie_crash.txt, is *independently* known to third parties in China," he wrote in a Full Disclosure mailing.
"The pattern is very strongly indicative of an independent discovery of the same vulnerability in Internet Explorer using unrelated tools, eventually leading the discoverer to my site; other explanations for this pair of consecutive searches seem extremely unlikely."
Zalewski said that the debugger, known as a fuzzing tool, also identified flaws in Opera and Firefox but that the majority of flaws in those browsers had been fixed.
However, Microsoft has disputed Zalewski's version of events, saying that the tools used to find the flaws are not the same.
"A particular version of the tool was first reported to us in July 2010. At the time, neither Microsoft or the Google security researcher identified any issues," said Jerry Bryant, group manager of response communications at Microsoft, in a statement.
"On 21 December a new version of the tool was reported to us along with information about a potentially exploitable crash found by the new version.
"We immediately worked to reproduce the issue with the updated and original tool and are currently investigating it further to determine if it is actually exploitable.
"At this point, we're not aware of any exploits or attacks for the reported issue and are continuing to investigate and monitor the threat environment for any changes."
This latest disclosure will leave the company scrambling to fix a huge number of problems.
Cotton seedling freezes to death as Chang'e-4 shuts down for the Moon's 14-day lunar night
Fortnite easily out-earns PUBG, Assassin's Creed Odyssey and Red Dead Redemption 2 in 2018
Meteor showers as a service will be visible for about 100 kilometres in all directions
Saturn's rings only formed in the past 100 million years, suggests analysis of Cassini space probe data
New findings contradict conventional belief that Saturn's rings were formed along with the planet about 4.5 billion years ago