Microsoft, Googler tussle over bug timeline

Spar over Google security engineer's 'fuzzer' release, IE vulnerability

Computerworld | Security, fuzzing, Google

By Zalewski's account, the MSRC admitted on Dec. 29 that when it reran the July versions of the fuzzer, it did find the flaw. In the timeline, Zalewski quoted a message he said came from Microsoft.

"The IE team did exhaustively run the fuzzers but were unable to find the same crashes that you and Dave [of Microsoft] are now able to identify," the message stated. "I can't really say as to why we are able to hit some of these conditions now rather than before but please know that this was not intentional."

By comparison, Mozilla kept Zalewski in the loop as it worked on the Firefox bugs he reported.

The pertinent thread on Bugzilla, Mozilla's bug and code-change database, includes 44 messages between Zalewski and Mozilla developers from July 23 to Jan. 1. Zalewski provided several crash dumps to illustrate vulnerabilities his fuzzer had uncovered, and Mozilla's engineers posed questions.

Zalewski asked Mozilla to keep the Bugzilla thread under wraps until other browser makers had had a chance to patch their products' bugs.

"[For what it's worth], the blurb does not make you look bad in comparison," he told Mozilla on Dec. 29, referring to the patch status summary he intended to publish in a few days. "Microsoft will probably come off poorly; all other browsers are roughly in the same shape."

Microsoft and security researchers regularly skirmish as the former pushes what it calls "coordinated vulnerability disclosure" (CVD) -- a term it coined last summer -- while the latter often complain that the company drags its feet before patching flaws they report.

Under Microsoft's definition of CVD, it wants researchers to stay quiet until a patch is released.

When it announced CVD, Microsoft acknowledged that the new nomenclature was essentially just a name change from "responsible disclosure," the policy it had supported for years. But the company also emphasized that it wanted to keep the lines of communication open between itself and researchers, even when researchers broadcast their findings without reporting a bug or waiting for a patch.

Microsoft and Google also have a history when it comes to reporting bugs.


Originally published on Computerworld.