I have reasons to believe that the evidently exploitable vulnerability discoverable by cross_fuzz, and outlined in msie_crash.txt, is *independently* known to third parties in China. While working on addressing cross_fuzz crashes in WebKit prior to this announcement, one of the developers accidentally leaked the address of the fuzzer in one of the uploaded crash traces. As a result, the fuzzer directory, including msie_crash.txt, has been indexed by GoogleBot. I have confirmed that following this accident, no other unexpected parties discovered or downloaded the tool. That said, on December 30, I received the following search queries from an IP address in China, which matched keywords mentioned in one of the indexed cross_fuzz files:

  125.77.xxx.x - - [30/Dec/2010:11:11:31 +0100] GET /cross_fuzz/msie_crash.txt HTTP/1.1
  Referer: http://www.google.com.hk/search?q=mshtml+breakaaspecial&hl=zh-CN&newwindow=1&safe=strict&client=pub-1549238212314499&prog=aff&channel=8696049412&sa=2
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; CIBA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C; .NET4.0E; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; GreenBrowser)

  125.77.xxx.x - - [30/Dec/2010:11:39:15 +0100] GET /cross_fuzz/msie_crash.txt HTTP/1.1
  Referer: http://www.google.com.hk/search?client=pub-1549238212314499&prog=aff&channel=8696049412&q=breakcircularmemoryreferences
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; CIBA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C; .NET4.0E; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; GreenBrowser)

These search queries are looking for information on two MSHTML.DLL functions, BreakAASpecial and BreakCircularMemoryReferences, that are unique to the stack signature of this vulnerability, are very unlikely to appear in any other context, and had *absolutely* no other mentions on the Internet at that time. Crucially, the person had no apparent knowledge of cross_fuzz itself, poked around the directory for a while, and downloaded all the accessible files, suggesting that this was not an agent of one of the notified vendors, but also that it was a security-minded visitor. The pattern is very strongly indicative of an independent discovery of the same vulnerability in MSIE using unrelated tools, eventually leading the discoverer to my site; other explanations for this pair of consecutive searches seem extremely unlikely.
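The signal described above, a search-engine referer whose query terms match tokens that exist only in a private crash signature, can be pulled out of a web server log automatically. The following is an added example (not code from the original announcement); the log lines are constructed in the shape of the excerpts above with the IP masked and User-Agent shortened, and the watch-list holds the two function names the text identifies.

```python
import re
from urllib.parse import urlparse, parse_qs, unquote_plus

# Constructed sample log in the same layout as the excerpts above
# (third line is an unrelated visitor, used as a negative case).
SAMPLE_LOG = """\
125.77.xxx.x - - [30/Dec/2010:11:11:31 +0100] GET /cross_fuzz/msie_crash.txt HTTP/1.1 Referer: http://www.google.com.hk/search?q=mshtml+breakaaspecial&hl=zh-CN User-Agent: Mozilla/4.0 (compatible; MSIE 7.0)
125.77.xxx.x - - [30/Dec/2010:11:39:15 +0100] GET /cross_fuzz/msie_crash.txt HTTP/1.1 Referer: http://www.google.com.hk/search?client=pub-1549238212314499&q=breakcircularmemoryreferences User-Agent: Mozilla/4.0 (compatible; MSIE 7.0)
203.0.113.7 - - [30/Dec/2010:12:02:40 +0100] GET /cross_fuzz/ HTTP/1.1 Referer: http://www.google.com/search?q=cross_fuzz+download User-Agent: Mozilla/5.0
"""

# Tokens that occur only in this bug's stack signature (per the text above).
WATCHLIST = {"breakaaspecial", "breakcircularmemoryreferences"}

# Matches the field order used in the log excerpts: client, two dashes,
# bracketed timestamp, request line, then Referer: and User-Agent:.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] (?P<method>\S+) (?P<path>\S+) \S+ '
    r'Referer: (?P<ref>\S+) User-Agent: (?P<ua>.*)$')


def search_terms(referer):
    """Return lower-cased search terms from a search-engine referer's q= param."""
    qs = parse_qs(urlparse(referer).query)
    return [t.lower() for v in qs.get("q", []) for t in unquote_plus(v).split()]


def flag_sensitive_searches(log_text, watchlist=WATCHLIST):
    """Return (ip, timestamp, path, matched_terms) for requests that arrived
    via a search whose terms include a watch-listed token."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a line in the expected shape; skip rather than guess
        matched = sorted(set(search_terms(m["ref"])) & watchlist)
        if matched:
            hits.append((m["ip"], m["ts"], m["path"], matched))
    return hits


if __name__ == "__main__":
    for ip, ts, path, matched in flag_sensitive_searches(SAMPLE_LOG):
        print(f"{ts} {ip} fetched {path} via search for {', '.join(matched)}")
```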