The release by a Google researcher of a new tool that shows up to 100 Internet Explorer zero-day flaws has sparked a war of words over responsible disclosure.
Michal Zalewski, a security researcher employed by Google, has released a debugging tool called cross_fuzz which allows researchers to expose up to 100 flaws in Microsoft’s browser.
Zalewski sent the tool to Microsoft in July, warning that he would release it in January, after seeing evidence of investigations into the bugs from China.
"I have reasons to believe that the evidently exploitable vulnerability discoverable by cross_fuzz, and outlined in msie_crash.txt, is *independently* known to third parties in China," he wrote in a Full Disclosure mailing.
"The pattern is very strongly indicative of an independent discovery of the same vulnerability in Internet Explorer using unrelated tools, eventually leading the discoverer to my site; other explanations for this pair of consecutive searches seem extremely unlikely."
Zalewski said that the debugger, known as a fuzzing tool, also identified flaws in Opera and Firefox but that the majority of flaws in those browsers had been fixed.
However, Microsoft has disputed Zalewski's version of events, saying that the tools used to find the flaws are not the same.
"A particular version of the tool was first reported to us in July 2010. At the time, neither Microsoft nor the Google security researcher identified any issues," said Jerry Bryant, group manager of response communications at Microsoft, in a statement.
"On 21 December a new version of the tool was reported to us along with information about a potentially exploitable crash found by the new version.
"We immediately worked to reproduce the issue with the updated and original tool and are currently investigating it further to determine if it is actually exploitable.
"At this point, we're not aware of any exploits or attacks for the reported issue and are continuing to investigate and monitor the threat environment for any changes."
This latest disclosure will leave the company scrambling to fix a huge number of problems.