The release by a Google researcher of a new tool that shows up to 100 Internet Explorer zero-day flaws has sparked a war of words over responsible disclosure.
Michal Zalewski, a security researcher employed by Google, has released a debugging tool called cross_fuzz which allows researchers to expose up to 100 flaws in Microsoft’s browser.
Zalewski sent the tool to Microsoft in July, warning that he would release it in January, after seeing evidence of investigations into the bugs from China.
"I have reasons to believe that the evidently exploitable vulnerability discoverable by cross_fuzz, and outlined in msie_crash.txt, is *independently* known to third parties in China," he wrote in a Full Disclosure mailing.
"The pattern is very strongly indicative of an independent discovery of the same vulnerability in Internet Explorer using unrelated tools, eventually leading the discoverer to my site; other explanations for this pair of consecutive searches seem extremely unlikely."
Zalewski said that the debugger, known as a fuzzing tool, also identified flaws in Opera and Firefox but that the majority of flaws in those browsers had been fixed.
However, Microsoft has disputed Zalewski's version of events, saying that the tools used to find the flaws are not the same.
"A particular version of the tool was first reported to us in July 2010. At the time, neither Microsoft nor the Google security researcher identified any issues," said Jerry Bryant, group manager of response communications at Microsoft, in a statement.
"On 21 December a new version of the tool was reported to us along with information about a potentially exploitable crash found by the new version.
"We immediately worked to reproduce the issue with the updated and original tool and are currently investigating it further to determine if it is actually exploitable.
"At this point, we're not aware of any exploits or attacks for the reported issue and are continuing to investigate and monitor the threat environment for any changes."
This latest disclosure will leave the company scrambling to fix a huge number of problems.