Slashdot Mirror
Microsoft Spurned Researchers Release 0-Day
nk497 notes the news that a group of researchers calling themselves the Microsoft-Spurned Researcher Collective (the name is a play on Microsoft's Security Response Center) have come together to protest Microsoft's perceived heavy-handedness towards researchers who disclose security flaws. Pushed into action by the reception to the flaw disclosed by Tavis Ormandy, the group has released full details and exploit code for a previously unknown Windows local privilege escalation vulnerability. The advisory for the vulnerability, which affects Windows Vista and Windows Server 2008, contains the following manifesto: "Due to hostility toward security researchers, the most recent example being of Tavis Ormandy, a number of us from the industry (and some not from the industry) have come together to form MSRC: the Microsoft-Spurned Researcher Collective. MSRC will fully disclose vulnerability information discovered in our free time, free from retaliation against us or any inferred employer."
They tried that. "Responisble" disclosure often results in nothing happening or worst case a lawsuit. It is cheaper for MS to ignore problems than fix them.
But lets say something needs port 11234 open in both directions to work*, a sys admin that knows about the flaw(before the fix is out) can make some attempts to limit his exposure to the flaw. Without that info in the wild he things he's safe and all is well while he gets back doored.... Some of these flaws have way to limit or remove exposure to them while the vendor is producing a fix. You may be able to disable a feature, firewall off the machines that need o run it, block all connection attempts on a port with a payload that matches "foobar". Making sure people know that helps lessen the problem while the fix is getting out. Also it does apply pressure on the vendor to fix it fast as all of the people with support contracts are bugging them for a fix for "the foobar bug" There have been few bugs that can't be band-aided recently discovered, so the harm is really only to the people that don't follow security in the first place(home users that put their birthday pin and mothers maiden name into any form they see on the internet.).
*Bad example i know as all ports not known to be doing something useful should be blocked in both directions, but you get the idea.
All of the above was encrypted with a Quad ROT-13 method. Unauthorized decryption is in violation of the DMCA.
Large US corporations care more about avoiding highly publicized lawsuits than 'doing the right thing'. By calling MS out by announcing to the world their Windows flaws, it forces MS to either publicly refuse to fix the issue or put some of the ample resources on fixing it.
Microsoft already puts ample resources on fixing it. Jesus Christ, haven't any security researchers read "No Silver Bullet?" There's no reason to believe that Microsoft can do anything to speed up this process in the short term-- putting a freakin' ad in the paper reading, "wanted: 46 random people on the street to fix security holes" isn't going to help!
Look, Windows is a HUGE product. Last I heard, it takes something like 12-15 hours JUST TO BUILD. God knows how long the regression testing takes.
Comment of the year
Microsoft Spurned Researchers Release 0-Day
I get about as far as "Microsoft Spurned Researchers" and then the rest of it doesn't make any sense. Like you need a conjunction or something after "Researchers"...
Or, you know, hyphenate "Microsoft-Spurned" so the damn headline makes sense.
Bow-ties are cool.
I've found holes in a couple of products, not produced by Microsoft though. It is REALLY frustrating to mention a hole to a vendor and then being ignored at first, then have your motives questioned, and then see the company ignore the issue for ages.
Today I would most likely not mention a security bug to anyone unless it's in free software. If I had previously established that the vendor was responsive to non-security bug reports or I have access to paid support, I'd probably give it a shot, but other than that it's best to just shut up. It won't seriously affect me anyway, I don't depend on non-free software.
Finally! A year of moderation! Ready for 2019?