Microsoft Spurned Researchers Release 0-Day
nk497 notes the news that a group of researchers calling themselves the Microsoft-Spurned Researcher Collective (the name is a play on Microsoft's Security Response Center) have come together to protest Microsoft's perceived heavy-handedness towards researchers who disclose security flaws. Pushed into action by the reception to the flaw disclosed by Tavis Ormandy, the group has released full details and exploit code for a previously unknown Windows local privilege escalation vulnerability. The advisory for the vulnerability, which affects Windows Vista and Windows Server 2008, contains the following manifesto: "Due to hostility toward security researchers, the most recent example being of Tavis Ormandy, a number of us from the industry (and some not from the industry) have come together to form MSRC: the Microsoft-Spurned Researcher Collective. MSRC will fully disclose vulnerability information discovered in our free time, free from retaliation against us or any inferred employer."
Re:The thing is (Score:3, Informative)
They tried that. "Responsible" disclosure often results in nothing happening or, worst case, a lawsuit. It is cheaper for MS to ignore problems than fix them.
Re:Dumbdumbdumbdumbdumb (Score:5, Informative)
*Bad example, I know, as all ports not known to be doing something useful should be blocked in both directions, but you get the idea.
Re:Dumbdumbdumbdumbdumb (Score:3, Informative)
Large US corporations care more about avoiding highly publicized lawsuits than 'doing the right thing'. By calling MS out by announcing to the world their Windows flaws, it forces MS to either publicly refuse to fix the issue or put some of the ample resources on fixing it.
Microsoft already puts ample resources on fixing it. Jesus Christ, haven't any security researchers read "No Silver Bullet?" There's no reason to believe that Microsoft can do anything to speed up this process in the short term-- putting a freakin' ad in the paper reading, "wanted: 46 random people on the street to fix security holes" isn't going to help!
Look, Windows is a HUGE product. Last I heard, it takes something like 12-15 hours JUST TO BUILD. God knows how long the regression testing takes.
Parser Error (missing hyphen) (Score:4, Informative)
Microsoft Spurned Researchers Release 0-Day
I get about as far as "Microsoft Spurned Researchers" and then the rest of it doesn't make any sense. Like you need a conjunction or something after "Researchers"...
Or, you know, hyphenate "Microsoft-Spurned" so the damn headline makes sense.
Re:Not to side with Microsoft, but... (Score:3, Informative)
I've found holes in a couple of products, not produced by Microsoft though. It is REALLY frustrating to mention a hole to a vendor and then be ignored at first, then have your motives questioned, and then see the company ignore the issue for ages.
Today I would most likely not mention a security bug to anyone unless it's in free software. If I had previously established that the vendor was responsive to non-security bug reports or I have access to paid support, I'd probably give it a shot, but other than that it's best to just shut up. It won't seriously affect me anyway, I don't depend on non-free software.