Slashdot Mirror


Microsoft Spurned Researchers Release 0-Day

nk497 notes the news that a group of researchers calling themselves the Microsoft-Spurned Researcher Collective (the name is a play on Microsoft's Security Response Center) have come together to protest Microsoft's perceived heavy-handedness towards researchers who disclose security flaws. Pushed into action by the reception to the flaw disclosed by Tavis Ormandy, the group has released full details and exploit code for a previously unknown Windows local privilege escalation vulnerability. The advisory for the vulnerability, which affects Windows Vista and Windows Server 2008, contains the following manifesto: "Due to hostility toward security researchers, the most recent example being of Tavis Ormandy, a number of us from the industry (and some not from the industry) have come together to form MSRC: the Microsoft-Spurned Researcher Collective. MSRC will fully disclose vulnerability information discovered in our free time, free from retaliation against us or any inferred employer."

2 of 246 comments

  1. Re:Not to side with Microsoft, but... by Mitsoid · Score: 1, Troll

    Unfortunately I'm with the security people on this.

    Disclosure of vulnerabilities is the only way to get them fixed. On top of that, how does a "security researcher" validate their claims of finding bugs if they don't release them?

    If a researcher gives a week/2 week notice, then releases their information -- as far as I'm concerned they're clear -- they gave notice, then published their findings for the community / other researchers. Yes, it's used by hackers too, but if we hide *everything* we learn less. If someone notices a problem in Microsoft's {insert function here} code, perhaps {Another company} with similar code has the same vulnerability, and would benefit from the knowledge?

  2. Re:Not to side with Microsoft, but... by GNUALMAFUERTE · Score: 0, Troll

    We don't want them fixed. Nobody with any kind of real knowledge uses anything from microsoft. Don't come to me with that whole "they use it at my company". That means you have a shitty job, and you aren't really that good at what you do. If you are administrating windows servers, or any kind of windows-based service, you are on the shitty tier of IT recruitment.

    Finding vulnerabilities in Windows isn't really my area, or anywhere near it, but if it were, and I was sitting on a 0-day, I would release it alongside both source and object of the PoC so the script kiddies can start using it right away.

    --
    WTF am I doing replying to an AC at 5 A.M on a Friday night?