Microsoft Spurned Researchers Release 0-Day 246

nk497 notes the news that a group of researchers calling themselves the Microsoft-Spurned Researcher Collective (the name is a play on Microsoft's Security Response Center) have come together to protest Microsoft's perceived heavy-handedness towards researchers who disclose security flaws. Pushed into action by the reception to the flaw disclosed by Tavis Ormandy, the group has released full details and exploit code for a previously unknown Windows local privilege escalation vulnerability. The advisory for the vulnerability, which affects Windows Vista and Windows Server 2008, contains the following manifesto: "Due to hostility toward security researchers, the most recent example being of Tavis Ormandy, a number of us from the industry (and some not from the industry) have come together to form MSRC: the Microsoft-Spurned Researcher Collective. MSRC will fully disclose vulnerability information discovered in our free time, free from retaliation against us or any inferred employer."
  • by countertrolling ( 1585477 ) on Tuesday July 06, 2010 @02:25PM (#32814546) Journal

    No wonder the government wants an off switch...

  • Re:So... (Score:1, Funny)

    by Anonymous Coward on Tuesday July 06, 2010 @02:25PM (#32814558)

    Read it again, matt. that's exactly the point that he was making.

  • vetting? (Score:4, Funny)

    by LordPhantom ( 763327 ) on Tuesday July 06, 2010 @02:28PM (#32814598)
    FTA: Current MSRC Members (alphabetical order!): XX XXXXXX XXXX XXXXXXXX XXXXX XXX XXXXXXX XXXXXXX XXXXXX XXXXXXXXX XXXXX XXXXXXXX

    If you wish to responsibly disclose a vulnerability through full disclosure or want to join our team, fire off an email to: msrc- disclosure () hushmail com We do have a vetting process by the way, for any Microsoft employees trying to join ;-)


    I wonder how they are going to determine *that*......
  • Re:vetting? (Score:3, Funny)

    by BlueBoxSW.com ( 745855 ) on Tuesday July 06, 2010 @02:31PM (#32814642) Homepage

    They test your pee for Mountain Dew.

  • by Anonymous Coward on Tuesday July 06, 2010 @02:37PM (#32814730)

    Such unprofessional things were not done, at least not openly. For over 1000 months, the professionals were the guardians of peace and justice in the old businesses. Before the dark times. Before the internet.

  • Re:vetting? (Score:2, Funny)

    by Anonymous Coward on Tuesday July 06, 2010 @03:05PM (#32815198)

    FTA:
    We do have a vetting process by the way, for any Microsoft
    employees trying to join ;-)

    I wonder how they are going to determine *that*......

    I found the below code from their website...

    IF RIGHT(strEmail,14) = "@microsoft.com" THEN
            boolPassedVetting = False
    ELSE
            boolPassedVetting = True
    END

    And now, in the true spirit of things...

    NOTIFICATION OF 0-DAY VULNERABILITY:
    If a user gives an email address under 13 characters in length, then the command will fail, dumping the user to a shell and giving them complete admin access (as the script was running as root of course)

  • Re:So... (Score:3, Funny)

    by John Hasler ( 414242 ) on Tuesday July 06, 2010 @04:24PM (#32816752) Homepage

    So the WHO is the proprietary vendor of the human immune system with exclusive access to the source code? Or in other words the UN is God?

    Surely you can come up with a worse analogy. How about one involving cars?

  • Re:So... (Score:4, Funny)

    by bberens ( 965711 ) on Tuesday July 06, 2010 @04:26PM (#32816764)
    This is Slashdot, you're required to use a car analogy.
    It's more like someone finding out that if you plug in a 2nd generation iPod into a 1996 Civic LS with the upgraded stereo then it will cause a short and your car will explode into a fiery mess. Sure, some yahoo could run around plugging iPods into Civics, but generally I'd be happy to know of the potential danger.
  • Re:So... (Score:1, Funny)

    by Anonymous Coward on Tuesday July 06, 2010 @07:57PM (#32819574)

    No, the WHO is the proper authority to go to with the information, and is the proper authority to figure out the extent of the problem, what, if anything, can be done about it, and how and when to release information/fixes.

    Ok, so it clearly doesn't represent Microsoft in the analogy.
