On Saturday, security expert Michal Zalewski, a Google employee, disclosed that the vulnerability was one of about 100 discovered using cross_fuzz, a free tool he developed in his spare time over the past two years to "fuzz" Web browsers in search of unknown bugs. (Fuzzing refers, in this case, to submitting unexpected HTML and XML to "stress-test" browsers and seeing how they respond.) Zalewski also publicly released the tool on Saturday.
But on Thursday, someone with a Chinese IP address searched Google for a specific IE vulnerability that hadn't yet been publicly disclosed, and found data generated by cross_fuzz that was accidentally exposed to and indexed by Google.
"While working on addressing cross_fuzz crashes in Webkit prior to this announcement, one of the developers accidentally leaked the address of the fuzzer in one of the uploaded crash traces," said Zalewski on his blog. "As a result, the fuzzer directory, including msie_crash.txt, has been indexed by GoogleBot."
The Chinese Google search that turned up the vulnerability data was "no accident," he said, as the person searched for two very specific functions "that are unique to the stack signature of this vulnerability, are very unlikely to appear in any other context, and had absolutely no other mentions on the Internet at that time." In addition, the searcher's behavior seemed to reveal no knowledge of the cross_fuzz tool, meaning that someone had apparently discovered the vulnerability independently.
According to Zalewski, his fuzzing tool has already discovered about 100 bugs across IE, Firefox, Opera, and Webkit-based browsers, all of which he disclosed to the relevant organizations in July. Since then, many of the Webkit vulnerabilities have already been patched, Firefox has addressed a number of the vulnerabilities and added Zalewski's tool into its own fuzzing infrastructure, and Opera fixed many of the identified vulnerabilities in its December release. While some difficult-to-fix vulnerabilities remain in those browsers, efforts to remediate them are underway.
The story is different with Microsoft. Zalewski said he first contacted Microsoft in 2008, warning that his fuzzer was triggering IE browser crashes, but Microsoft said it was unable to reproduce the crashes. After sending a new report to Microsoft in July 2010, and then responding to additional requests for information, Zalewski said Microsoft ultimately requested that he indefinitely postpone releasing the fuzzer.
Zalewski declined. "Since they have not provided a compelling explanation as to why these issues could not have been investigated earlier, I refused," he said. In addition, the evidence -- via the Google search -- that someone had discovered one of the vulnerabilities independently made an expedited release prudent, he said.