Slashdot Mirror


Microsoft Spurned Researchers Release 0-Day

nk497 notes the news that a group of researchers calling themselves the Microsoft-Spurned Researcher Collective (the name is a play on Microsoft's Security Response Center) have come together to protest Microsoft's perceived heavy-handedness towards researchers who disclose security flaws. Pushed into action by the reception to the flaw disclosed by Tavis Ormandy, the group has released full details and exploit code for a previously unknown Windows local privilege escalation vulnerability. The advisory for the vulnerability, which affects Windows Vista and Windows Server 2008, contains the following manifesto: "Due to hostility toward security researchers, the most recent example being of Tavis Ormandy, a number of us from the industry (and some not from the industry) have come together to form MSRC: the Microsoft-Spurned Researcher Collective. MSRC will fully disclose vulnerability information discovered in our free time, free from retaliation against us or any inferred employer."


  1. So... by fuzzyfuzzyfungus · · Score: 4, Insightful

    Perhaps being a little more... diplomatic would be a good idea when dealing with the (sometimes rather ego-driven) people who know how to hack your box...

    1. Re:So... by Crudely_Indecent · · Score: 5, Insightful

      People who really want to do damage wouldn't release the code publicly. They would keep it quiet so they can do maximum damage. The point of releasing this information is to prompt the vendor to fix it... and probably gain more street cred.

      --
      "Lame" - Galaxar
    2. Re:So... by MightyYar · · Score: 5, Insightful

      Why would anyone BOTHER to go looking for vulnerabilities in the largest operating system in the world for ALTRUISTIC reasons?

      Can you come up with a logical reason for jigsaw puzzles?

      Puzzles are fun. This is a particularly geeky and difficult sort of puzzle - it shouldn't surprise you in the least that people do it as a hobby. It also shouldn't surprise you that people who are treated poorly might seek revenge.

      --
      W..w..W - Willy Waterloo washes Warren Wiggins who is washing Waldo Woo.
    3. Re:So... by Dripdry · · Score: 5, Insightful

      It's probably a combination of ego/fun/being tired of MS being a bunch of dickweeds regarding security. What's wrong with one having pride in one's profession, and doing something about it when you see that it's going down the tubes?

      --
      -
    4. Re:So... by Lord+Ender · · Score: 5, Insightful

      The security industry works by reputation. Having published research (ex: "CVE 8675309 discovered by Joe Haxo of Secu-Tech Consulting") bolsters your reputation.

      Security researchers want vendors to disclose and patch the vulnerabilities, recognizing the researchers by name.

      If the vendors ignore the researchers, the researchers have no obligation toward the vendors. Hence, 0-day publication. If you let vendors sit on your research forever, someone may beat you to the punch and publish anyway.

      --
      A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
  2. All these internet "radicals" by countertrolling · · Score: 5, Funny

    No wonder the government wants an off switch...

    --
    For justice, we must go to Don Corleone
  3. Not to side with Microsoft, but... by dawilcox · · Score: 5, Interesting

    It seems that people are upset with Microsoft because 1) they have software vulnerabilities in their OS and 2) they do too little too late to fix these vulnerabilities before hackers start exploiting them.

    This group cannot control one of these points (that Microsoft builds vulnerabilities into their OS). However, they can control the second point, by giving Microsoft advance notice and time to fix the vulnerabilities well before disclosing the vulnerabilities to the public.

    It seems a bit hypocritical to me to accuse Microsoft of doing too little, too late to fix vulnerabilities, and then release unfixed vulnerabilities to the public.

    1. Re:Not to side with Microsoft, but... by Spad · · Score: 4, Insightful

      I think that their point, regardless of its validity, is that when people go to Microsoft and say "I've found this vulnerability, here's the detail and PoC, please fix it", they often sit on it for weeks, months or sometimes years before they take any action.

      Now, I appreciate that MS can't turn on a dime like some smaller companies and they have a shitload of regression testing and QA to do, but in the cases where highly critical bugs have been known about for years and persisted into *new* versions of OSs and Applications, you can understand why people get upset.

    2. Re:Not to side with Microsoft, but... by kimvette · · Score: 4, Interesting

      It seems that people are upset with Microsoft because 1) they have software vulnerabilities in their OS and 2) they do too little too late to fix these vulnerabilities before hackers start exploiting them.

      You forgot 3) but they don't neglect fixing holes in the activation process, even if they end up creating false alerts and block activation of legitimate IDs.

      --
      The Christian Right is Neither (Christian nor right). See: Matthew 23, Matthew 25, Ezekiel 16:48-50
    3. Re:Not to side with Microsoft, but... by Aladrin · · Score: 5, Insightful

      They can. But when this has been done in the past, no matter the time limit given, Microsoft has publicly chastised them for it. The result is this news article.

      --
      "If you make people think they're thinking, they'll love you; But if you really make them think, they'll hate you." - DM
  4. Dumbdumbdumbdumbdumb by Saint+Stephen · · Score: 4, Insightful

    MS has to test stuff to make sure the fix doesn't make things worse. Decisions get made, people don't like the outcome. But recklessly announcing security holes is just dumb, and isn't helping anyone.

    fail.

    1. Re:Dumbdumbdumbdumbdumb by Itninja · · Score: 4, Insightful

      Large US corporations care more about avoiding highly publicized lawsuits than 'doing the right thing'. By calling MS out by announcing to the world their Windows flaws, it forces MS to either publicly refuse to fix the issue or put some of the ample resources on fixing it. Refusing to fix it will certainly spawn lawsuits (or even government action). That's sure good for everyone...

      --
      I judt got a nre Kinesis keybiartf so please excusr ant egregiou typos.
    2. Re:Dumbdumbdumbdumbdumb by Guil+Rarey · · Score: 5, Insightful

      MS has to test stuff to make sure the fix doesn't make things worse. Decisions get made, people don't like the outcome. But recklessly announcing security holes is just dumb, and isn't helping anyone.

      fail.

      Excuse me. Corporations release crap products that cause problems and then refuse to man up and take responsibility for fixing them. Not exactly news, no.

      But when corporations behave with the ethical and moral standards of petulant spoiled children - like Microsoft consistently, persistently does - then they have earned exactly what they get, including pretty much any and all guerilla tactics to smack them into behaving.

      --
      Do not taunt Happy Fun Ball
    3. Re:Dumbdumbdumbdumbdumb by cynyr · · Score: 4, Informative

      But let's say something needs port 11234 open in both directions to work*. A sysadmin who knows about the flaw (before the fix is out) can make some attempts to limit his exposure to the flaw. Without that info in the wild he thinks he's safe and all is well while he gets backdoored.... Some of these flaws have ways to limit or remove exposure to them while the vendor is producing a fix. You may be able to disable a feature, firewall off the machines that need to run it, block all connection attempts on a port with a payload that matches "foobar". Making sure people know that helps lessen the problem while the fix is getting out. Also, it does apply pressure on the vendor to fix it fast, as all of the people with support contracts are bugging them for a fix for "the foobar bug". There have been few recently discovered bugs that can't be band-aided, so the harm is really only to the people that don't follow security in the first place (home users that put their birthday PIN and mother's maiden name into any form they see on the internet).

      *Bad example, I know, as all ports not known to be doing something useful should be blocked in both directions, but you get the idea.

      --
      All of the above was encrypted with a Quad ROT-13 method. Unauthorized decryption is in violation of the DMCA.
    4. Re:Dumbdumbdumbdumbdumb by Rakishi · · Score: 4, Insightful

      There's QA of a bugfix and then there's sitting on it for months or years. Apparently Microsoft likes to do the latter often enough to annoy people.

      People have apparently tried to give Microsoft some time to fix bugs before making them public. Microsoft promptly attacked them for being hackers, cyberterrorists and all that jazz.

      In other words, Microsoft thought they could strong arm people and those people decided to show Microsoft that being an asshole has repercussions.

    5. Re:Dumbdumbdumbdumbdumb by starfishsystems · · Score: 4, Insightful

      I have to agree.

      Back in the days when Bill Gates answered his own emails, I sent him a note asking why Microsoft persistently failed to implement industry norms for secure system design (privilege containment for example.)

      His answer? "Customers aren't asking for those features."

      From this I concluded that he, and likewise Microsoft, had no interest in taking responsibility for product security, except when it could be monetized around a pain point.

      I don't see evidence that Microsoft has significantly changed since then. To my mind, its position is ethically the same as selling heroin to children, while defending the practice by saying that the children "aren't asking not to become addicted."

      Now, if someone wants to come along and put up posters explaining exactly how heroin is addictive, I can see how the dealers might object. Why, it could interfere with their business! They might ask for time to make their product less addictive, but it's an open question as to whether their intentions are sincere or just a stalling tactic. (Remember the tobacco industry?)

      Meanwhile, I can see no ethical reason why society has any obligation to wait for them. That goes equally for heroin, tobacco, and Microsoft.

      --
      Parity: What to do when the weekend comes.
  5. Re:Oh, great.... by h4rr4r · · Score: 4, Insightful

    They tried that, it did not work so now they do this.

    What should they do when "responsible" disclosure gets you either a prompt STFU, they just ignore the problem, or worst case a lawsuit?

  6. The bad guys know about them already. by miffo.swe · · Score: 4, Insightful

    The real bad guys most certainly know about these security issues long before they become common knowledge. Responsible would be Microsoft patching their stuff as soon as they learn about an exploit instead of waiting for the known ones to be spread in the wild.

    Responsible disclosure is just Microsoft's way of trying to get people to shut up about their crappy security. If Microsoft was in the least interested in security they would care more about real security than UAC (put the blame on the user) and playing statistics by making more secure products, hiding patches and grouping patches etc.

    --
    HTTP/1.1 400
  7. To Add to this by abulafia · · Score: 5, Insightful

    It seems like the lesson has to be relearned periodically.

    This same debate reappears like sunspots. Full Disclosure v. Responsible Disclosure. Black/Gray/White hats.

    The funny part here is that Microsoft itself seems to have forgotten how the script goes.

    1. Researcher finds exploit.
    2. Researcher notifies vendor.
    3. Vendor stalls for far longer than is reasonable.
    4. Researcher becomes frustrated, because
      1. In the meantime, systems are vulnerable,
      2. Making your name with your discoveries is very important career-wise for some types of researchers, and if a blackhat finds it before the vendor stops stalling, they lose that cred.
      3. Researcher feels played by vendor, who at least seems (and usually is) lying and stalling. So,
    5. Researcher starts releasing exploits either without contacting, or after giving non-negotiable windows of time.
    6. Maybe some less responsible types do some damage.
    7. Everyone wrings their hands over what to do, what to do. Slashdot posts occur. Some hack makes their article quota for the month at Computerworld.
    8. Repeat.

    MS, Sun, Oracle, Cisco, HP, they've all been through this cycle. You'd think they'd figure out that mission critical software requires a responsive, competent security response team. And they do figure it out. It just seems that the lesson has to be relearned every so often - prying the PRarnicles off the hull, so to speak.

    --
    I forget what 8 was for.
  8. Irrevocable Authenticated Delayed Publication by John+Hasler · · Score: 4, Interesting

    We need an irrevocable authenticated delayed publication mechanism: some way to put a GPG-signed document into a pipeline such that it will be published at the end of X days no matter what anyone (including the author) does. Researchers could then send their discoveries to vendors with the notation "This vulnerability will come out of the IADP system in sixty days". Browbeating them for more time would be pointless and their priority of discovery would be secure.

    There are no doubt many other uses for such a system as well.

    --
    Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.