A Google researcher released a fuzzing tool for finding security vulnerabilities in Internet Explorer (IE) on New Year's Day, claiming that he first notified Microsoft of the tool's existence in July. Additionally, the fuzzer, called cross_fuzz, identified what appears to be a newly-found zero-day security bug.

Microsoft's (NASDAQ: MSFT) lack of response to his contact last summer, until just days before the actual release of the fuzzer, was a deciding factor in Google (NASDAQ: GOOG) security researcher Michal Zalewski's decision to make the tool available publicly, Zalewski said in a post to his personal blog and to the Full Disclosure security e-mail list Saturday.

"I am happy to announce the availability of cross_fuzz – an amazingly effective but notoriously annoying cross-document DOM [Document Object Model] binding fuzzer that helped identify about one hundred bugs in all browsers on the market – many of said bugs exploitable," Zalewski said in his New Year's blog post.


A fuzzer is a security debugging tool designed to send random or purposely incorrect input to a program -- for instance, IE -- in thousands of combinations until it can cause the program to crash. A researcher can then sometimes sort through the information that has been gathered and find previously unknown security flaws that can be exploited.

Microsoft officials have a somewhat different take on the situation.

"At the time [in July], neither Microsoft or the Google security researcher identified any issues. On December 21, a new version of the tool was reported to us along with information about a potentially exploitable crash found by the new version," Jerry Bryant, group manager for response communications in the Trustworthy Computing group at Microsoft, said in an e-mail to InternetNews.com.

This is not the first time that Google researchers have disclosed information regarding weaknesses in Microsoft products when the software giant would have preferred to keep the details secret.

Another researcher on the Google security team, Tavis Ormandy, disclosed a 17-year-old zero-day hole in Windows almost a year ago. In that case, too, Ormandy claimed to have notified Microsoft six months prior to his public disclosure.

Additionally, last June, Ormandy disclosed a security hole in Windows XP's Help and Support Center, which Microsoft claimed led to more than 10,000 zero-day attacks in the wild.

Part of the clash between the two companies is based on the pair's competition for browsers, search engines, and e-mail and productivity applications in the cloud, but it also has something to do with opposing views about responsible bug disclosure.

"We believe that it’s important for the security community to work together to solve issues and protect customers, as well as for vendors to move swiftly to fix serious vulnerabilities that have been reported to them," a Google spokesperson said in an e-mail to InternetNews.com.

"Michal's disclosure falls within our stated recommendations for vulnerability disclosure," the spokesperson added.

Last summer, Microsoft tried to reframe the debate, changing the name of its policy from "responsible disclosure" to what it now calls "coordinated vulnerability disclosure.

Google, on the other hand, is an advocate of so-called "full disclosure," which holds that useful information should be provided to users as soon as practicable.

"Working with software vendors to address potential vulnerabilities in their products before details are made public, reduces the overall risk to customers. In this case, risk has now been amplified," Bryant said.

Meanwhile, Microsoft's security mavens are examining the zero-day and "will take appropriate action to help protect customers," he added.

Stuart J. Johnston is a contributing writer at InternetNews.com, the news service of Internet.com, the network for technology professionals. Follow him on Twitter @stuartj1000.

Keep up with security news; Follow eSecurityPlanet on Twitter: @eSecurityP.