Slashdot Mirror

← Back to Stories (view on slashdot.org)

Microsoft Spurned Researchers Release 0-Day

Posted by kdawson on from the that's-sure-to-help dept.

nk497 notes the news that a group of researchers calling themselves the Microsoft-Spurned Researcher Collective (the name is a play on Microsoft's Security Response Center) have come together to protest Microsoft's perceived heavy-handedness towards researchers who disclose security flaws. Pushed into action by the reception to the flaw disclosed by Tavis Ormandy, the group has released full details and exploit code for a previously unknown Windows local privilege escalation vulnerability. The advisory for the vulnerability, which affects Windows Vista and Windows Server 2008, contains the following manifesto: "Due to hostility toward security researchers, the most recent example being of Tavis Ormandy, a number of us from the industry (and some not from the industry) have come together to form MSRC: the Microsoft-Spurned Researcher Collective. MSRC will fully disclose vulnerability information discovered in our free time, free from retaliation against us or any inferred employer."

27 of 246 comments (clear)

  1. So... by fuzzyfuzzyfungus · · Score: 4, Insightful

    Perhaps being a little more... Diplomatic would be a good idea when dealing with the(sometimes rather ego-driven) people who know how to hack your box...

    1. Re:So... by Crudely_Indecent · · Score: 5, Insightful

      People who really want to do damage wouldn't release the code publicly. They would keep it quiet so they can do maximum damage. The point of releasing this information is to prompt the vendor to fix it......and probably gain more street cred.

      --


      "Lame" - Galaxar
    2. Re:So... by MightyYar · · Score: 5, Insightful

      Why would anyone BOTHER to go looking for vulnerabilities in the largest operating system in the world for ALTRUISTIC reasons?

      Can you come up with a logical reason for jigsaw puzzles?

      Puzzles are fun. This is a particularly geeky and difficult sort of puzzle - it shouldn't surprise you in the least that people do it as a hobby. It also shouldn't surprise you that people who are treated poorly might seek revenge.

      --
      W..w..W - Willy Waterloo washes Warren Wiggins who is washing Waldo Woo.
    3. Re:So... by Dripdry · · Score: 5, Insightful

      It's probably a combination of ego/fun/being tired of MS being a bunch of dickweeds regarding security. What's wrong with one having pride in one's profession, and doing something about it when you see that it's going down the tubes?

      --
      -
    4. Re:So... by Jah-Wren+Ryel · · Score: 3, Insightful

      The point of releasing this information is to prompt the vendor to fix it......and probably gain more street cred.

      Except that in this case it sounds like the entire point of this MSRC organization is to hide the identity of the guy who found the exploit in the first place. By using the MSRC umbrella to release the info it shields the individual from retaliation. So some street cred goes to the MSRC in general but that's not particularly useful for the guys doing the actual work.

      --
      When information is power, privacy is freedom.
    5. Re:So... by Lord+Ender · · Score: 5, Insightful

      The security industry works by reputation. Having published research (ex: "CVE 8675309 discovered by Joe Haxo of Secu-Tech Consulting") bolsters your reputation.

      Security researchers want vendors to disclose and patch the vulnerabilities, recognizing the researchers by name.

      If the vendors ignore the researchers, the researchers have no obligation toward the vendors. Hence, 0-day publication. If you let vendors sit on your research forever, someone may beat you to the punch and publish anyway.

      --
      A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
    6. Re:So... by bberens · · Score: 3, Funny

      This is Slashdot, you're required to use a car analogy.
      It's more like someone finding out that if you plug in a 2nd generation iPod into a 1996 Civic LS with the upgraded stereo then it will cause a short and your car will explode into a fiery mess. Sure, some yahoo could run around plugging iPods into Civics, but generally I'd be happy to know of the potential danger.

      --
      Check out my lame java blog at www.javachopshop.com
  2. All these internet "radicals" by countertrolling · · Score: 5, Funny

    No wonder the government wants an off switch...

    --
    For justice, we must go to Don Corleone
  3. Not to side with Microsoft, but... by dawilcox · · Score: 5, Interesting

    It seems that people are upset with Microsoft because 1) they have software vulnerabilities in their OS and 2) they do too little too late to fix these vulnerabilities before hackers start exploiting them.
    This group cannot control one of these points (that Microsoft builds vulnerabilities into their OS). However, they can control the second point, by giving Microsoft advance notice and time to fix the vulnerabilities well before disclosing the vulnerabilities to the public.
    It seems a bit hypocritical to me to accuse Microsoft of doing too little, too late to fix vulnerabilities, and then release unfixed vulnerabilities to the public.

    1. Re:Not to side with Microsoft, but... by Spad · · Score: 4, Insightful

      I think that their point, regardless of its validity, is that when people go to Microsoft and say "I've found this vulnerability, here's the detail and PoC, please fix it", they often sit on it for weeks, months or sometimes years before they take any action.

      Now, I appreciate that MS can't turn on a dime like some smaller companies and they have a shitload of regression testing and QA to do, but in the cases where highly critical bugs have been known about for years and persisted into *new* versions of OSs and Applications, you can understand why people get upset.

    2. Re:Not to side with Microsoft, but... by kimvette · · Score: 4, Interesting

      It seems that people are upset with Microsoft because 1) they have software vulnerabilities in their OS and 2) they do too little too late to fix these vulnerabilities before hackers start exploiting them.

      You forgot 3) but they don't neglect fixing holes in the activation process, even if they end up creating false alerts and block activation of legitimate IDs.

      --
      The Christian Right is Neither (Christian nor right). See: Matthew 23, Matthew 25, Ezekiel 16:48-50
    3. Re:Not to side with Microsoft, but... by Aladrin · · Score: 5, Insightful

      They can. But when this has been done in the past, no matter the time limit given, Microsoft has publicly chastised them for it. The result is this news article.

      --
      "If you make people think they're thinking, they'll love you; But if you really make them think, they'll hate you." - DM
    4. Re:Not to side with Microsoft, but... by Dan+Ost · · Score: 3, Insightful

      Not being able to fix the problem is very different from not being able to do anything to mitigate your exposure to the problem.

      Sometimes the problem is part of an unused component that can be turned off.
      Sometimes the problem can be protected by simple firewall rule changes.
      Sometimes the problem has a simple work-around.

      All of these things help protect the user even though none of them actually fix the problem.

      If the user doesn't know the problem exists, then they can't make any attempt to protect themselves.

      --

      *sigh* back to work...
  4. Dumbdumbdumbdumbdumb by Saint+Stephen · · Score: 4, Insightful

    MS has to test stuff to make sure the fix doesn't make things worse. Decisions get made, people don't like the outcome. But recklessly announcing security holes is just dumb, and isn't helping anyone.

    fail.

    1. Re:Dumbdumbdumbdumbdumb by Itninja · · Score: 4, Insightful

      Large US corporations care more about avoiding highly publicized lawsuits than 'doing the right thing'. By calling MS out by announcing to the world their Windows flaws, it forces MS to either publicly refuse to fix the issue or put some of the ample resources on fixing it. Refusing to fix it will certainly spawn lawsuits (or even government action). That's sure good for everyone...

      --
      I judt got a nre Kinesis keybiartf so please excusr ant egregiou typos.
    2. Re:Dumbdumbdumbdumbdumb by Guil+Rarey · · Score: 5, Insightful

      MS has to test stuff to make sure the fix doesn't make things worse. Decisions get made, people don't like the outcome. But recklessly announcing security holes is just dumb, and isn't helping anyone.

      fail.

      Excuse me. Corporations release crap products that cause problems and then refuse to man up and take responsibility for fixing them. Not exactly news, no.

        But when corporations behave with the ethical and moral standards of petulant spoiled children - like Microsoft consistently, persistently does - then they have earned exactly what they get, including pretty much any and all guerilla tactics to smack them into behaving.

      --
      Do not taunt Happy Fun Ball
    3. Re:Dumbdumbdumbdumbdumb by cynyr · · Score: 4, Informative

      But lets say something needs port 11234 open in both directions to work*, a sys admin that knows about the flaw(before the fix is out) can make some attempts to limit his exposure to the flaw. Without that info in the wild he things he's safe and all is well while he gets back doored.... Some of these flaws have way to limit or remove exposure to them while the vendor is producing a fix. You may be able to disable a feature, firewall off the machines that need o run it, block all connection attempts on a port with a payload that matches "foobar". Making sure people know that helps lessen the problem while the fix is getting out. Also it does apply pressure on the vendor to fix it fast as all of the people with support contracts are bugging them for a fix for "the foobar bug" There have been few bugs that can't be band-aided recently discovered, so the harm is really only to the people that don't follow security in the first place(home users that put their birthday pin and mothers maiden name into any form they see on the internet.).

      *Bad example i know as all ports not known to be doing something useful should be blocked in both directions, but you get the idea.

      --
      All of the above was encrypted with a Quad ROT-13 method. Unauthorized decryption is in violation of the DMCA.
    4. Re:Dumbdumbdumbdumbdumb by Rakishi · · Score: 4, Insightful

      There's QA of a bugfix and then there's sitting on it for months or years. Apparently Microsoft likes to do the later often enough to annoy people.

      People have apparently tried to give Microsoft some time between to fix bugs before making them public. Microsoft promptly attacked them for being hacked, cyberterrorists and all that jazz.

      In other words, Microsoft thought they could strong arm people and those people decided to show Microsoft that being an asshole has repercussions.

    5. Re:Dumbdumbdumbdumbdumb by starfishsystems · · Score: 4, Insightful

      I have to agree.

      Back in the days when Bill Gates answered his own emails, I sent him a note asking why Microsoft persistently failed to implement industry norms for secure system design (privilege containment for example.)

      His answer? "Customers aren't asking for those features."

      From this I concluded that he, and likewise Microsoft, had no interest in taking responsibility for product security, except when it could be monetized around a pain point.

      I don't see evidence that Microsoft has significantly changed since then. To my mind, its position is ethically the same as selling heroin to children, while defending the practice by saying that the children "aren't asking not to become addicted."

      Now, if someone wants to come along and put up posters explaining exactly how heroin is addictive, I can see how the dealers might object. Why, it could interfere with their business! They might ask for time to make their product less addictive, but it's an open question as to whether their intentions are sincere or just a stalling tactic. (Remember the tobacco industry?)

      Meanwhile, I can see no ethical reason why society has any obligation to wait for them. That goes equally for heroin, tobacco, and Microsoft.

      --
      Parity: What to do when the weekend comes.
    6. Re:Dumbdumbdumbdumbdumb by winwar · · Score: 3, Insightful

      "Microsoft already puts ample resources on fixing it."

      That is simply absurd. If that were the case they would have few security flaws. This is not a short term problem-windows has been around for a long time. Microsoft has just chosen to put security below features. They are just not honest enough to admit that they do not want to commit the needed resources.

  5. vetting? by LordPhantom · · Score: 3, Funny

    FTA: Current MSRC Members (alphabetical order!): XX XXXXXX XXXX XXXXXXXX XXXXX XXX XXXXXXX XXXXXXX XXXXXX XXXXXXXXX XXXXX XXXXXXXX

    If you wish to responsibly disclose a vulnerability through full disclosure or want to join our team, fire off an email to: msrc- disclosure () hushmail com We do have a vetting process by the way, for any Microsoft employees trying to join ;-)

    I wonder how they are going to determine *that*......

  6. Re:Oh, great.... by h4rr4r · · Score: 4, Insightful

    They tried that, it did not work so now they do this.

    What should they do when "responsible" disclosure gets you either a prompt STFU, the just ignore the problem or worstcase a lawsuit?

  7. The bad guys knows about them already. by miffo.swe · · Score: 4, Insightful

    The real bad guys most certainly knows about these security issues long before they becomes common knowledge. Responsible would be Microsoft patching their stuff as soon as they learn about an exploit instead of waiting for the known ones to be spread in the wild.

    Responsible disclosure is just Microsofts way of trying to get people to shut up about their crappy security. If Microsoft was the least interested in security they would care more about real security than UAC (put the blame on the user) and playing statistics by making more secure products, hiding patches and grouping patches etc.

    --
    HTTP/1.1 400
  8. Parser Error (missing hyphen) by Tetsujin · · Score: 3, Informative

    Microsoft Spurned Researchers Release 0-Day

    I get about as far as "Microsoft Spurned Researchers" and then the rest of it doesn't make any sense. Like you need a conjunction or something after "Researchers"...

    Or, you know, hyphenate "Microsoft-Spurned" so the damn headline makes sense.

    --
    Bow-ties are cool.
  9. To Add to this by abulafia · · Score: 5, Insightful

    It seems like the lesson has to be relearned periodically.

    This same debate reappears like sunspots. Full Disclosure v. Responsible Disclosure. Black/Gray/White hats.

    The funny part here is that Microsoft itself seems to have forgotten how the script goes.

    1. Researcher finds exploit.
    2. Researcher notified vendor.
    3. Vendor stalls for far longer than is reasonable.
    4. Researcher becomes frustrated, because
      1. In the mean time, systems are vulnerable,
      2. Making your name with your discoveries is very important career-wise for some types of researchers, and if a blackhat finds it before the vendor stops stalling, they lose that cred.
      3. Researcher feels played by vendor, who at least seems (and usually is) lying and stalling. So,
    6. Researcher starts releasing exploits either without contacting, or after giving non-negotiable windows of time.
    7. Maybe some less responsible types do some damage.
    8. Everyone wrings their hands over what to do, what to do. Slashdot posts occur. Some hack makes quota their article quota for the month at Computerworld.
    9. Repeat.

    MS, Sun, Oracle, Cisco, HP, they've all been through this cycle. You'd think they'd figure out that mission critical software requires a responsive, competent security response team. And they do figure it out. It just seems that the lesson has to be relearned every so often - prying the PRarnicles off the hull, so to speak.

    --
    I forget what 8 was for.
  10. Irrevokeable Authenticated Delayed Publication by John+Hasler · · Score: 4, Interesting

    We need an irrevokeable authenticated delayed publication mechanism: some way to put a GPG-signed document into a pipeline such that it will be published at the end of X days no matter what anyone (including the author) does. Researchers could then send their discoveries to vendors with the notation "This vulnerability will come out of the IADP system in sixty days". Browbeating them for more time would be pointless and their priority of discovery would be secure.

    There are no doubt many other uses for such a system as well.

    --
    Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
  11. Re:woohhooo I have an opinion by Ihmhi · · Score: 3, Insightful

    what prevents a security flaw from getting fixed? $$$
    What causes security flaws to be released ? $$$

    Assuming that is mostly accurate, I would then postulate that microsoft protects their profits at the expense of an acceptable amount of security flaws (among a bunch of other stuff)

    A new patch released by my company leaves our servers traveling at 60 Internets per second. A 0-day exploit is published. The computer crashes and burns with everyone trapped inside. Now, should we patch the exploit?? Take the number of unpatched systems in the field, A, multiply by the probable rate of failure, B, multiply by the average out-of-court settlement, C. A times B times C equals X. If X is less than the cost of patching the exploit, we don't patch it.

    - Tyler Durden

    Floor Manager, Microsoft's Security Response Center

    --
    Random Thoughts From A Diseased Mind (Not For Dummies)