Slashdot Mirror

← Back to Stories (view on slashdot.org)

Microsoft Spurned Researchers Release 0-Day

Posted by kdawson on from the that's-sure-to-help dept.

nk497 notes the news that a group of researchers calling themselves the Microsoft-Spurned Researcher Collective (the name is a play on Microsoft's Security Response Center) have come together to protest Microsoft's perceived heavy-handedness towards researchers who disclose security flaws. Pushed into action by the reception to the flaw disclosed by Tavis Ormandy, the group has released full details and exploit code for a previously unknown Windows local privilege escalation vulnerability. The advisory for the vulnerability, which affects Windows Vista and Windows Server 2008, contains the following manifesto: "Due to hostility toward security researchers, the most recent example being of Tavis Ormandy, a number of us from the industry (and some not from the industry) have come together to form MSRC: the Microsoft-Spurned Researcher Collective. MSRC will fully disclose vulnerability information discovered in our free time, free from retaliation against us or any inferred employer."

9 of 246 comments (clear)

  1. All these internet "radicals" by countertrolling · · Score: 5, Funny

    No wonder the government wants an off switch...

    --
    For justice, we must go to Don Corleone
  2. Not to side with Microsoft, but... by dawilcox · · Score: 5, Interesting

    It seems that people are upset with Microsoft because 1) they have software vulnerabilities in their OS and 2) they do too little too late to fix these vulnerabilities before hackers start exploiting them.
    This group cannot control one of these points (that Microsoft builds vulnerabilities into their OS). However, they can control the second point, by giving Microsoft advance notice and time to fix the vulnerabilities well before disclosing the vulnerabilities to the public.
    It seems a bit hypocritical to me to accuse Microsoft of doing too little, too late to fix vulnerabilities, and then release unfixed vulnerabilities to the public.

    1. Re:Not to side with Microsoft, but... by Aladrin · · Score: 5, Insightful

      They can. But when this has been done in the past, no matter the time limit given, Microsoft has publicly chastised them for it. The result is this news article.

      --
      "If you make people think they're thinking, they'll love you; But if you really make them think, they'll hate you." - DM
  3. Re:So... by Crudely_Indecent · · Score: 5, Insightful

    People who really want to do damage wouldn't release the code publicly. They would keep it quiet so they can do maximum damage. The point of releasing this information is to prompt the vendor to fix it......and probably gain more street cred.

    --


    "Lame" - Galaxar
  4. Re:So... by MightyYar · · Score: 5, Insightful

    Why would anyone BOTHER to go looking for vulnerabilities in the largest operating system in the world for ALTRUISTIC reasons?

    Can you come up with a logical reason for jigsaw puzzles?

    Puzzles are fun. This is a particularly geeky and difficult sort of puzzle - it shouldn't surprise you in the least that people do it as a hobby. It also shouldn't surprise you that people who are treated poorly might seek revenge.

    --
    W..w..W - Willy Waterloo washes Warren Wiggins who is washing Waldo Woo.
  5. Re:Dumbdumbdumbdumbdumb by Guil+Rarey · · Score: 5, Insightful

    MS has to test stuff to make sure the fix doesn't make things worse. Decisions get made, people don't like the outcome. But recklessly announcing security holes is just dumb, and isn't helping anyone.

    fail.

    Excuse me. Corporations release crap products that cause problems and then refuse to man up and take responsibility for fixing them. Not exactly news, no.

      But when corporations behave with the ethical and moral standards of petulant spoiled children - like Microsoft consistently, persistently does - then they have earned exactly what they get, including pretty much any and all guerilla tactics to smack them into behaving.

    --
    Do not taunt Happy Fun Ball
  6. Re:So... by Dripdry · · Score: 5, Insightful

    It's probably a combination of ego/fun/being tired of MS being a bunch of dickweeds regarding security. What's wrong with one having pride in one's profession, and doing something about it when you see that it's going down the tubes?

    --
    -
  7. Re:So... by Lord+Ender · · Score: 5, Insightful

    The security industry works by reputation. Having published research (ex: "CVE 8675309 discovered by Joe Haxo of Secu-Tech Consulting") bolsters your reputation.

    Security researchers want vendors to disclose and patch the vulnerabilities, recognizing the researchers by name.

    If the vendors ignore the researchers, the researchers have no obligation toward the vendors. Hence, 0-day publication. If you let vendors sit on your research forever, someone may beat you to the punch and publish anyway.

    --
    A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
  8. To Add to this by abulafia · · Score: 5, Insightful

    It seems like the lesson has to be relearned periodically.

    This same debate reappears like sunspots. Full Disclosure v. Responsible Disclosure. Black/Gray/White hats.

    The funny part here is that Microsoft itself seems to have forgotten how the script goes.

    1. Researcher finds exploit.
    2. Researcher notified vendor.
    3. Vendor stalls for far longer than is reasonable.
    4. Researcher becomes frustrated, because
      1. In the mean time, systems are vulnerable,
      2. Making your name with your discoveries is very important career-wise for some types of researchers, and if a blackhat finds it before the vendor stops stalling, they lose that cred.
      3. Researcher feels played by vendor, who at least seems (and usually is) lying and stalling. So,
    6. Researcher starts releasing exploits either without contacting, or after giving non-negotiable windows of time.
    7. Maybe some less responsible types do some damage.
    8. Everyone wrings their hands over what to do, what to do. Slashdot posts occur. Some hack makes quota their article quota for the month at Computerworld.
    9. Repeat.

    MS, Sun, Oracle, Cisco, HP, they've all been through this cycle. You'd think they'd figure out that mission critical software requires a responsive, competent security response team. And they do figure it out. It just seems that the lesson has to be relearned every so often - prying the PRarnicles off the hull, so to speak.

    --
    I forget what 8 was for.