Microsoft Spurned Researchers Release 0-Day
nk497 notes the news that a group of researchers calling themselves the Microsoft-Spurned Researcher Collective (the name is a play on Microsoft's Security Response Center) have come together to protest Microsoft's perceived heavy-handedness towards researchers who disclose security flaws. Pushed into action by the reception to the flaw disclosed by Tavis Ormandy, the group has released full details and exploit code for a previously unknown Windows local privilege escalation vulnerability. The advisory for the vulnerability, which affects Windows Vista and Windows Server 2008, contains the following manifesto: "Due to hostility toward security researchers, the most recent example being of Tavis Ormandy, a number of us from the industry (and some not from the industry) have come together to form MSRC: the Microsoft-Spurned Researcher Collective. MSRC will fully disclose vulnerability information discovered in our free time, free from retaliation against us or any inferred employer."
Perhaps being a little more... Diplomatic would be a good idea when dealing with the (sometimes rather ego-driven) people who know how to hack your box...
No wonder the government wants an off switch...
For justice, we must go to Don Corleone
It seems that people are upset with Microsoft because 1) they have software vulnerabilities in their OS and 2) they do too little too late to fix these vulnerabilities before hackers start exploiting them.
This group cannot control one of these points (that Microsoft builds vulnerabilities into their OS). However, they can control the second point, by giving Microsoft advance notice and time to fix the vulnerabilities well before disclosing the vulnerabilities to the public.
It seems a bit hypocritical to me to accuse Microsoft of doing too little, too late to fix vulnerabilities, and then release unfixed vulnerabilities to the public.
MS has to test stuff to make sure the fix doesn't make things worse. Decisions get made, people don't like the outcome. But recklessly announcing security holes is just dumb, and isn't helping anyone.
fail.
FTA: Current MSRC Members (alphabetical order!): XX XXXXXX XXXX XXXXXXXX XXXXX XXX XXXXXXX XXXXXXX XXXXXX XXXXXXXXX XXXXX XXXXXXXX
;-)
If you wish to responsibly disclose a vulnerability through full disclosure or want to join our team, fire off an email to: msrc- disclosure () hushmail com We do have a vetting process by the way, for any Microsoft employees trying to join
I wonder how they are going to determine *that*......
Just what we need: a one-stop shop for 0-day exploit code. Way to improve security, guys! Right on! Stick it to The Man! And by that, I mean the man (or woman) in the next cubicle, or next door, or down the street, or....
I am all for responsible disclosure of vulnerabilities - secrecy does not equal security, and "let's not talk about it and hope nobody notices" is never an appropriate response to vulnerabilities. But responsible disclosure includes working with the vendor, giving them the full data and an opportunity to correct prior to full public disclosure.
If MS is giving researchers the cold shoulder or worse in response to vulnerabilities that are responsibly disclosed to them, that's shame on Microsoft. But to my view, jumping to public disclosure is not the appropriate response.
The first thing that came to my mind was: "What a group of immature jerks."
Such unprofessional things were not done, at least not openly. For over 1000 months, the professionals were the guardians of peace and justice in the old businesses. Before the dark times. Before the internet.
Use responsible disclosure and not only Microsoft, but above all the users of Windows will like you.
Expose them to an unpatched vulnerability and they will love you, uh, less.
and the attitude of microsoft is parental and dismissive, cold, aloof, and arrogant
and so the attitudes match each other perfectly
the question is: what would you do if you attempted to do the responsible thing and were rebuffed and in fact punished for the effort?
if there is no reward for responsible behavior, don't act surprised when irresponsible behavior prevails
intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
It's one of my favorite posts. Thanks for the nice information.
Based on what I've read, this was done intentionally and with malicious intent on the behalf of the researchers in retaliation for the negative attitude Microsoft showed toward Tavis Ormandy. In Tavis' case, I think Microsoft simply had some negative words to say, but in this case, Microsoft can claim that these security researchers intended to damage them based on their threats "that they will continue to do so in response to how Microsoft treated Tavis Ormandy."
It is clear to me that the researchers are either a) little kids or b) acting like little kids and I hope Microsoft and the rest of the security community come down hard on them to prevent further retaliation tactics that hurt users more than the companies they are attempting to damage.
The real bad guys most certainly know about these security issues long before they become common knowledge. Responsible would be Microsoft patching their stuff as soon as they learn about an exploit instead of waiting for the known ones to be spread in the wild.
Responsible disclosure is just Microsoft's way of trying to get people to shut up about their crappy security. If Microsoft was the least interested in security they would care more about real security than UAC (put the blame on the user) and playing statistics by making more secure products, hiding patches and grouping patches etc.
Microsoft Spurned Researchers Release 0-Day
I get about as far as "Microsoft Spurned Researchers" and then the rest of it doesn't make any sense. Like you need a conjunction or something after "Researchers"...
Or, you know, hyphenate "Microsoft-Spurned" so the damn headline makes sense.
Bow-ties are cool.
It seems like the lesson has to be relearned periodically.
This same debate reappears like sunspots. Full Disclosure v. Responsible Disclosure. Black/Gray/White hats.
The funny part here is that Microsoft itself seems to have forgotten how the script goes.
MS, Sun, Oracle, Cisco, HP, they've all been through this cycle. You'd think they'd figure out that mission critical software requires a responsive, competent security response team. And they do figure it out. It just seems that the lesson has to be relearned every so often - prying the PRarnicles off the hull, so to speak.
I forget what 8 was for.
We need an irrevocable authenticated delayed publication mechanism: some way to put a GPG-signed document into a pipeline such that it will be published at the end of X days no matter what anyone (including the author) does. Researchers could then send their discoveries to vendors with the notation "This vulnerability will come out of the IADP system in sixty days". Browbeating them for more time would be pointless and their priority of discovery would be secure.
There are no doubt many other uses for such a system as well.
Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
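The delayed-publication idea in the comment above, sketched as an added example that is not part of the thread or of any real IADP service. It assumes the advisory has already been GPG-signed outside this code (the queue only sees the signed bytes), uses a SHA-256 commit-and-reveal so the researcher can hand the vendor a receipt that proves priority of discovery without revealing the document, and models the "no matter what the author does" property by giving the queue no withdraw operation at all; in practice the queue would have to run on a party the author does not control. The 60-day delay and the advisory text are constructed values.

```python
from __future__ import annotations

import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Embargo length taken from the comment's "sixty days"; a constructed default.
DEFAULT_DELAY = timedelta(days=60)


@dataclass(frozen=True)
class Receipt:
    """Public commitment the researcher forwards to the vendor.

    It reveals nothing about the advisory, but once the document is
    released anyone can check that it matches what was committed to."""
    commitment: str       # SHA-256 over domain tag || nonce || signed document
    publish_at: datetime  # moment after which the document becomes public

    def to_json(self) -> str:
        return json.dumps({"commitment": self.commitment,
                           "publish_at": self.publish_at.isoformat()})


@dataclass
class _Entry:
    document: bytes
    nonce: bytes
    publish_at: datetime


def _commit(nonce: bytes, document: bytes) -> str:
    # A random nonce stops a vendor from brute-forcing a short advisory
    # against the commitment; the tag separates this use of SHA-256 from others.
    h = hashlib.sha256()
    h.update(b"iadp-v1")  # hypothetical domain separator, not a real standard
    h.update(nonce)
    h.update(document)
    return h.hexdigest()


class DelayedPublicationQueue:
    """Holds signed advisories and releases each only after its publish_at.

    Irrevocability is modelled by omission: there is deliberately no method
    that removes or alters an entry once submitted. The clock is injected
    so the behaviour is testable without waiting sixty days."""

    def __init__(self, delay: timedelta = DEFAULT_DELAY) -> None:
        self._delay = delay
        self._entries: dict[str, _Entry] = {}

    def submit(self, signed_document: bytes, now: datetime) -> Receipt:
        nonce = secrets.token_bytes(32)
        publish_at = now + self._delay
        commitment = _commit(nonce, signed_document)
        self._entries[commitment] = _Entry(signed_document, nonce, publish_at)
        return Receipt(commitment, publish_at)

    def release(self, commitment: str, now: datetime) -> tuple[bytes, bytes] | None:
        """Return (document, nonce) once the embargo has elapsed, else None."""
        entry = self._entries[commitment]
        if now < entry.publish_at:
            return None
        return entry.document, entry.nonce


def verify_release(receipt: Receipt, document: bytes, nonce: bytes) -> bool:
    """Check a released document against the receipt the vendor was given."""
    return hmac.compare_digest(_commit(nonce, document), receipt.commitment)


if __name__ == "__main__":
    # Constructed sample: the bytes stand in for a real GPG-signed advisory.
    advisory = b"-----BEGIN PGP SIGNED MESSAGE-----\nconstructed advisory text\n"
    t0 = datetime(2010, 7, 1, tzinfo=timezone.utc)
    queue = DelayedPublicationQueue()
    receipt = queue.submit(advisory, t0)
    print("receipt for the vendor:", receipt.to_json())
    print("day 59:", queue.release(receipt.commitment, t0 + timedelta(days=59)))
    doc, nonce = queue.release(receipt.commitment, t0 + timedelta(days=60))
    print("day 60 verifies:", verify_release(receipt, doc, nonce))
```

The receipt is what travels with the vendor notification: it fixes the publication date and the exact content in advance, so neither the vendor nor the researcher can later dispute what was reported or when. What the code cannot supply is the trusted operator; a queue the author runs locally is revocable by simply deleting it.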
Interesting idea, but it's worth pointing out that time is a significant factor, and is not directly interchangeable with money. It's more of an inversely proportional relationship. More money equals less and less time taken.
Sometimes you're really, REALLY, just out of time, and absolutely have to ship, and then where do you draw the line? You can't find and fix every single bug ever in a finite time frame (I hope I don't need to discuss the halting problem with the Slashdot crowd, here).
That said, acting the way these researchers are is never going to improve the situation for either side in this argument. While it may feel good to the self-righteous slashdot crowd, that's cold comfort to the teams who were planning how to juggle security/features going forward, and had the rug ripped out from under them and now have to rush out a fix with less testing than is normally done. (This is precisely what a HotFix is, an under-tested patch that doesn't meet the full standard for "we support this 100%".) For a company that prides itself on back-compat, and selling to companies that do their own staged rollout, a month or two's delay before the release is minor. And some bugs are just less important.
I wouldn't be surprised if the bugs that had been 'sat on for a year' are some of the more obscure special case bugs, and aren't part of the common configuration, and that there's some grandstanding going on, which ignored prioritization completely, just because it was these researchers' claim to fame.
Then use a vendor that fixes issues.
With this public you can now take some actions to protect yourself as opposed to before when you had no idea you were vulnerable.
1. You could auto release 0day; never contact the fella like Microsoft to see if they'll fix it. You are left with lots of known insecure machines. 2. You could give Microsoft all the info and tell them to fix it and never release info to the public. Microsoft never fixes these. You are left with a public who is insecure and doesn't know. Best Practice is both. Contact Microsoft, get them to sign an NDA that expires in ~1 month (or whatever is plenty of time to fix the bug relative to severity). Give them all the info they need to fix it. Tell them that on X date it's full disclosure, so fix it or be in the bad PR situation of explaining why they didn't fix it in that time period given. MS really really is going to fix it then.
This is a hot-button issue where side A tries to convince side B they're wrong, and side B tries to convince side A of same.
There are benefits and drawbacks of full disclosure. There are benefits and drawbacks of responsible disclosure. There will never be a consensus.
I'm not trying to say it's not worth trying, but when doing a Google search for "full disclosure" and "responsible disclosure" on slashdot.org comes up with:
All on the first page . . . all from 2010 . . . All as threads with this debate going on . . .
Hasn't the deceased equine been flogged enough?
I believe there are times when full disclosure is better, especially when a company has shown a track record of not following through. I believe there are times when responsible disclosure is better. I don't think it's an absolute and this is not the only criteria I use when trying to decide which one applies to a scenario. But when the debate keeps going on over and over and over and over again . . . perhaps there should be a "Full Disclosure vs Responsible Disclosure" classification for Slashdot.
I wouldn't even notify Microsoft... I'd just release it and laugh a hearty pirate laugh. Microsoft should count themselves lucky I have no haxor skills and the people that do give them any notice in the first place.
I can attest to the fact that we are by and large utterly incompetent when handling reports of hacks. as an example we had never seen them in our products before and only recently became aware of several nasty buffer overflows in our flagship product. the 'hat' that found the problems was based out of Quebec and didn't speak English, our corporate office having first been informed of the issue immediately declared their intent to prosecute the perceived hacker. we had a generous 5 days to respond as well before he disclosed
11 days into the fiasco we still had no team, we had no direction and we were scrambling to find the firmware and software our products used that was vulnerable to notify our customers, most of them DoD and government entities. we strung this poor schmuck along for 15 days total before we began publishing the exploit. we even initially toyed with the idea of withholding his name in the report but thank god all agreed that would be not only rude, but very dangerous since he was still in possession of a few flaws we had not found.
we sent an NDA, we sent legal agreements, we came back very empty handed
Good people go to bed earlier.
"Hope their grandmothers get hacked because they love shouting out vulnerabilities."
My grandmother loves shouting out vulnerabilities, you insensitive clod!
"This post is an artistic work of fiction and falsehood. Only a fool would take anything posted here as fact."
what prevents a security flaw from getting fixed? $$$
What causes security flaws to be released ? $$$
Assuming that is mostly accurate, I would then postulate that microsoft protects their profits at the expense of an acceptable amount of security flaws (among a bunch of other stuff)
A new patch released by my company leaves our servers traveling at 60 Internets per second. A 0-day exploit is published. The computer crashes and burns with everyone trapped inside. Now, should we patch the exploit?? Take the number of unpatched systems in the field, A, multiply by the probable rate of failure, B, multiply by the average out-of-court settlement, C. A times B times C equals X. If X is less than the cost of patching the exploit, we don't patch it.
- Tyler Durden
Floor Manager, Microsoft's Security Response Center
Random Thoughts From A Diseased Mind (Not For Dummies)
http://rss.slashdot.org/~r/Slashdot/slashdot/~3/GQXtgS2QIkI/Prince-Says-Internet-Is-Over There. Now there's nothing to worry about. Feel better?
After exhaustive research and excruciating analysis, I've determined that Bubba is, in fact, everywhere.
Except that that pressure has already taken place, the game already changed, but not that anyone here would believe that. That's why XP SP2/3 happened. And radical changes in Vista, and even further radical changes in Win7, such that many exploits that get released flat out don't work on Vista/Win7.
All of this doesn't negate the time-factor. Beating someone for already agreeing with you, saying "hey, this shit takes time and effort, stop beating us, we'll get to it" and then continuing to beat them strikes me as pointless, and I'm not surprised that people acting in this pointlessly vindictive way are being ignored or blamed for active exploits.
Is Computer Science so much easier than engineering that you can just shift manpower to cover the latest issue?
It's good to see that you have come here to learn and know good questions to ask. Yes, computer science is completely different from engineering; in some ways easier, in others harder. One of the key differences is that, because of the internet, if someone releases a defective product, all installations of that product can be almost instantly reached by attackers. Another is that it's possible to repair all installations without having to send someone to fix them. Another is that most proprietary software is not user serviceable where most engineering projects give full serviceability to the customer. Yet another is that failures in one application cascade to the whole system by letting the attacker in. Finally, another thing is that simple computers with MS Windows are used in a very wide range of applications from home gaming to ensuring food delivery to Nuclear power plant control.
Imagine if a fault in your water pump design allowed people to poison all the families of all the people who owned the pump by remote control without even having to leave home. I think you would take faults a bit more seriously then.
I hope you get the chance to learn a bit of respect for people who know more about a topic than you do.
=~ s,(.*),<sarcasm>$1</sarcasm>,g if any_point_you_wish();
When is the last time you heard about a Google Security exploit? (cue crickets) chirp chirp (end crickets)
Seriously the only thing close to a security vulnerability was not running in SSL mode, which already had a simple fix in the user's settings to force SSL. I'm sure there have been vulnerabilities but they fixed them before the public ever got wind. That's how it's supposed to work by the way.
I would love for someone to tell me the security code to someone's house, or several houses. I am all for telling company x that they have a flawed product and then saying that I will go public with it in a reasonable amount of time in order to let company x fix the flaw. However, I am reading about all the glory associated with finding a flaw and that waiting to publish might let some other "security" researcher publish the flaw before me; why is cred the overriding motivation? I just don't get why you would tell a criminal what your friend's house code is before he can fix the problem...that is what is going on here.
So ... what exactly is an "inferred employer" when it's at home? :-)
As I understand it, Tavis is indeed employed by Google. I'm hard pressed to see how Microsoft can be blamed for mentioning this fact.
Suppose a MS employee were to "fully disclose" a vulnerability in Firefox. Does anybody suppose that Microsoft would escape mention, even if (s)he was acting in a private capacity at the time?
Those of us who read Slashdot or other technical news sites may be able to, yes.
The average public ... not so much.
Can someone add a hyphen between the first two words, please? The headline is difficult to parse without it.
These security holes have been there for years.. who knows how many people actually know about them.. Security through obscurity is no way to protect the system. Holes should be patched ASAP. I've found several holes myself, in both browsers and websites, and I've always sent it to the companies first. Many jump right on it and a fix is out in days (Google was one of these)... Others sat on it for months and ignored me... until I published the exploit, which they then quickly patched. The fact is, publishing an exploit will quicken the patch time for the slow companies.
-- these are only opinions and they might not be mine.
The term 0-day is used correctly in the /. summary! Who would have thought!
Um, it's actually not used at all in the /. summary...
Please don't read my sig.