How do you know if you’re securely surfing the Web? Unfortunately, there’s no way to be a hundred percent sure with so many bad actors out there spreading malware and banging on network and software defenses in hopes of exploiting a security hole. One approach taken by security researchers is to identify security issues as quickly as possible and release the information, in hopes that disclosure will lead to a speedy fix. But not everyone agrees such a disclosure policy is wise, especially when it makes public vulnerabilities that weren’t otherwise widely known, if at all. eSecurity Planet reports on a controversy between Google and Microsoft involving a new tool that identifies browser vulnerabilities.
A Google researcher released a fuzzing tool for finding security vulnerabilities in Internet Explorer (IE) on New Year’s Day, claiming that he first notified Microsoft of the tool’s existence in July. Additionally, the fuzzer, called cross_fuzz, identified what appears to be a newly found zero-day security bug.
Microsoft’s (NASDAQ: MSFT) failure to respond to his contact last summer until just days before the fuzzer’s actual release was a deciding factor in Google (NASDAQ: GOOG) security researcher Michal Zalewski’s decision to make the tool publicly available, Zalewski said in a post to his personal blog and to the Full Disclosure security mailing list on Saturday.