Slashdot Mirror

← Back to Stories (view on slashdot.org)

Microsoft Spurned Researchers Release 0-Day

Posted by kdawson on from the that's-sure-to-help dept.

nk497 notes the news that a group of researchers calling themselves the Microsoft-Spurned Researcher Collective (the name is a play on Microsoft's Security Response Center) have come together to protest Microsoft's perceived heavy-handedness towards researchers who disclose security flaws. Pushed into action by the reception to the flaw disclosed by Tavis Ormandy, the group has released full details and exploit code for a previously unknown Windows local privilege escalation vulnerability. The advisory for the vulnerability, which affects Windows Vista and Windows Server 2008, contains the following manifesto: "Due to hostility toward security researchers, the most recent example being of Tavis Ormandy, a number of us from the industry (and some not from the industry) have come together to form MSRC: the Microsoft-Spurned Researcher Collective. MSRC will fully disclose vulnerability information discovered in our free time, free from retaliation against us or any inferred employer."

15 of 246 comments (clear)

  1. So... by fuzzyfuzzyfungus · · Score: 4, Insightful

    Perhaps being a little more... Diplomatic would be a good idea when dealing with the(sometimes rather ego-driven) people who know how to hack your box...

    1. Re:So... by Crudely_Indecent · · Score: 5, Insightful

      People who really want to do damage wouldn't release the code publicly. They would keep it quiet so they can do maximum damage. The point of releasing this information is to prompt the vendor to fix it......and probably gain more street cred.

      --


      "Lame" - Galaxar
    2. Re:So... by MightyYar · · Score: 5, Insightful

      Why would anyone BOTHER to go looking for vulnerabilities in the largest operating system in the world for ALTRUISTIC reasons?

      Can you come up with a logical reason for jigsaw puzzles?

      Puzzles are fun. This is a particularly geeky and difficult sort of puzzle - it shouldn't surprise you in the least that people do it as a hobby. It also shouldn't surprise you that people who are treated poorly might seek revenge.

      --
      W..w..W - Willy Waterloo washes Warren Wiggins who is washing Waldo Woo.
    3. Re:So... by Dripdry · · Score: 5, Insightful

      It's probably a combination of ego/fun/being tired of MS being a bunch of dickweeds regarding security. What's wrong with one having pride in one's profession, and doing something about it when you see that it's going down the tubes?

      --
      -
    4. Re:So... by Lord+Ender · · Score: 5, Insightful

      The security industry works by reputation. Having published research (ex: "CVE 8675309 discovered by Joe Haxo of Secu-Tech Consulting") bolsters your reputation.

      Security researchers want vendors to disclose and patch the vulnerabilities, recognizing the researchers by name.

      If the vendors ignore the researchers, the researchers have no obligation toward the vendors. Hence, 0-day publication. If you let vendors sit on your research forever, someone may beat you to the punch and publish anyway.

      --
      A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
  2. Dumbdumbdumbdumbdumb by Saint+Stephen · · Score: 4, Insightful

    MS has to test stuff to make sure the fix doesn't make things worse. Decisions get made, people don't like the outcome. But recklessly announcing security holes is just dumb, and isn't helping anyone.

    fail.

    1. Re:Dumbdumbdumbdumbdumb by Itninja · · Score: 4, Insightful

      Large US corporations care more about avoiding highly publicized lawsuits than 'doing the right thing'. By calling MS out by announcing to the world their Windows flaws, it forces MS to either publicly refuse to fix the issue or put some of the ample resources on fixing it. Refusing to fix it will certainly spawn lawsuits (or even government action). That's sure good for everyone...

      --
      I judt got a nre Kinesis keybiartf so please excusr ant egregiou typos.
    2. Re:Dumbdumbdumbdumbdumb by Guil+Rarey · · Score: 5, Insightful

      MS has to test stuff to make sure the fix doesn't make things worse. Decisions get made, people don't like the outcome. But recklessly announcing security holes is just dumb, and isn't helping anyone.

      fail.

      Excuse me. Corporations release crap products that cause problems and then refuse to man up and take responsibility for fixing them. Not exactly news, no.

        But when corporations behave with the ethical and moral standards of petulant spoiled children - like Microsoft consistently, persistently does - then they have earned exactly what they get, including pretty much any and all guerilla tactics to smack them into behaving.

      --
      Do not taunt Happy Fun Ball
    3. Re:Dumbdumbdumbdumbdumb by Rakishi · · Score: 4, Insightful

      There's QA of a bugfix and then there's sitting on it for months or years. Apparently Microsoft likes to do the later often enough to annoy people.

      People have apparently tried to give Microsoft some time between to fix bugs before making them public. Microsoft promptly attacked them for being hacked, cyberterrorists and all that jazz.

      In other words, Microsoft thought they could strong arm people and those people decided to show Microsoft that being an asshole has repercussions.

    4. Re:Dumbdumbdumbdumbdumb by starfishsystems · · Score: 4, Insightful

      I have to agree.

      Back in the days when Bill Gates answered his own emails, I sent him a note asking why Microsoft persistently failed to implement industry norms for secure system design (privilege containment for example.)

      His answer? "Customers aren't asking for those features."

      From this I concluded that he, and likewise Microsoft, had no interest in taking responsibility for product security, except when it could be monetized around a pain point.

      I don't see evidence that Microsoft has significantly changed since then. To my mind, its position is ethically the same as selling heroin to children, while defending the practice by saying that the children "aren't asking not to become addicted."

      Now, if someone wants to come along and put up posters explaining exactly how heroin is addictive, I can see how the dealers might object. Why, it could interfere with their business! They might ask for time to make their product less addictive, but it's an open question as to whether their intentions are sincere or just a stalling tactic. (Remember the tobacco industry?)

      Meanwhile, I can see no ethical reason why society has any obligation to wait for them. That goes equally for heroin, tobacco, and Microsoft.

      --
      Parity: What to do when the weekend comes.
  3. Re:Not to side with Microsoft, but... by Spad · · Score: 4, Insightful

    I think that their point, regardless of its validity, is that when people go to Microsoft and say "I've found this vulnerability, here's the detail and PoC, please fix it", they often sit on it for weeks, months or sometimes years before they take any action.

    Now, I appreciate that MS can't turn on a dime like some smaller companies and they have a shitload of regression testing and QA to do, but in the cases where highly critical bugs have been known about for years and persisted into *new* versions of OSs and Applications, you can understand why people get upset.

  4. Re:Oh, great.... by h4rr4r · · Score: 4, Insightful

    They tried that, it did not work so now they do this.

    What should they do when "responsible" disclosure gets you either a prompt STFU, the just ignore the problem or worstcase a lawsuit?

  5. Re:Not to side with Microsoft, but... by Aladrin · · Score: 5, Insightful

    They can. But when this has been done in the past, no matter the time limit given, Microsoft has publicly chastised them for it. The result is this news article.

    --
    "If you make people think they're thinking, they'll love you; But if you really make them think, they'll hate you." - DM
  6. The bad guys knows about them already. by miffo.swe · · Score: 4, Insightful

    The real bad guys most certainly knows about these security issues long before they becomes common knowledge. Responsible would be Microsoft patching their stuff as soon as they learn about an exploit instead of waiting for the known ones to be spread in the wild.

    Responsible disclosure is just Microsofts way of trying to get people to shut up about their crappy security. If Microsoft was the least interested in security they would care more about real security than UAC (put the blame on the user) and playing statistics by making more secure products, hiding patches and grouping patches etc.

    --
    HTTP/1.1 400
  7. To Add to this by abulafia · · Score: 5, Insightful

    It seems like the lesson has to be relearned periodically.

    This same debate reappears like sunspots. Full Disclosure v. Responsible Disclosure. Black/Gray/White hats.

    The funny part here is that Microsoft itself seems to have forgotten how the script goes.

    1. Researcher finds exploit.
    2. Researcher notified vendor.
    3. Vendor stalls for far longer than is reasonable.
    4. Researcher becomes frustrated, because
      1. In the mean time, systems are vulnerable,
      2. Making your name with your discoveries is very important career-wise for some types of researchers, and if a blackhat finds it before the vendor stops stalling, they lose that cred.
      3. Researcher feels played by vendor, who at least seems (and usually is) lying and stalling. So,
    6. Researcher starts releasing exploits either without contacting, or after giving non-negotiable windows of time.
    7. Maybe some less responsible types do some damage.
    8. Everyone wrings their hands over what to do, what to do. Slashdot posts occur. Some hack makes quota their article quota for the month at Computerworld.
    9. Repeat.

    MS, Sun, Oracle, Cisco, HP, they've all been through this cycle. You'd think they'd figure out that mission critical software requires a responsive, competent security response team. And they do figure it out. It just seems that the lesson has to be relearned every so often - prying the PRarnicles off the hull, so to speak.

    --
    I forget what 8 was for.