Microsoft Spurned Researchers Release 0-Day

nk497 notes the news that a group of researchers calling themselves the Microsoft-Spurned Researcher Collective (the name is a play on Microsoft's Security Response Center) have come together to protest Microsoft's perceived heavy-handedness towards researchers who disclose security flaws. Pushed into action by the reception to the flaw disclosed by Tavis Ormandy, the group has released full details and exploit code for a previously unknown Windows local privilege escalation vulnerability. The advisory for the vulnerability, which affects Windows Vista and Windows Server 2008, contains the following manifesto: "Due to hostility toward security researchers, the most recent example being of Tavis Ormandy, a number of us from the industry (and some not from the industry) have come together to form MSRC: the Microsoft-Spurned Researcher Collective. MSRC will fully disclose vulnerability information discovered in our free time, free from retaliation against us or any inferred employer."
  • So... (Score:5, Insightful)

    by fuzzyfuzzyfungus ( 1223518 ) on Tuesday July 06, 2010 @02:22PM (#32814486) Journal
    Perhaps being a little more... diplomatic would be a good idea when dealing with the (sometimes rather ego-driven) people who know how to hack your box...
  • by Saint Stephen ( 19450 ) on Tuesday July 06, 2010 @02:28PM (#32814596) Homepage Journal

    MS has to test stuff to make sure the fix doesn't make things worse. Decisions get made, people don't like the outcome. But recklessly announcing security holes is just dumb, and isn't helping anyone.

    fail.

  • Re:So... (Score:5, Insightful)

    by Crudely_Indecent ( 739699 ) on Tuesday July 06, 2010 @02:29PM (#32814602) Journal

    People who really want to do damage wouldn't release the code publicly. They would keep it quiet so they can do maximum damage. The point of releasing this information is to prompt the vendor to fix it......and probably gain more street cred.

  • by Spad ( 470073 ) <slashdot.spad@co@uk> on Tuesday July 06, 2010 @02:30PM (#32814632) Homepage

    I think that their point, regardless of its validity, is that when people go to Microsoft and say "I've found this vulnerability, here's the detail and PoC, please fix it", they often sit on it for weeks, months or sometimes years before they take any action.

    Now, I appreciate that MS can't turn on a dime like some smaller companies and they have a shitload of regression testing and QA to do, but in the cases where highly critical bugs have been known about for years and persisted into *new* versions of OSs and Applications, you can understand why people get upset.

  • by trifish ( 826353 ) on Tuesday July 06, 2010 @02:36PM (#32814710)

    The first thing that came to my mind was: "What a group of immature jerks."

  • Re:So... (Score:5, Insightful)

    by MightyYar ( 622222 ) on Tuesday July 06, 2010 @02:37PM (#32814726)

    Why would anyone BOTHER to go looking for vulnerabilities in the largest operating system in the world for ALTRUISTIC reasons?

    Can you come up with a logical reason for jigsaw puzzles?

    Puzzles are fun. This is a particularly geeky and difficult sort of puzzle - it shouldn't surprise you in the least that people do it as a hobby. It also shouldn't surprise you that people who are treated poorly might seek revenge.

  • by Itninja ( 937614 ) on Tuesday July 06, 2010 @02:37PM (#32814734) Homepage
    Large US corporations care more about avoiding highly publicized lawsuits than 'doing the right thing'. By calling MS out by announcing to the world their Windows flaws, it forces MS to either publicly refuse to fix the issue or put some of the ample resources on fixing it. Refusing to fix it will certainly spawn lawsuits (or even government action). That's sure good for everyone...
  • Re:Oh, great.... (Score:5, Insightful)

    by h4rr4r ( 612664 ) on Tuesday July 06, 2010 @02:44PM (#32814858)

    They tried that, it did not work so now they do this.

    What should they do when "responsible" disclosure gets you either a prompt STFU, they just ignore the problem, or worst case a lawsuit?

  • The thing is (Score:2, Insightful)

    by trifish ( 826353 ) on Tuesday July 06, 2010 @02:44PM (#32814866)

    Use responsible disclosure and not only Microsoft, but above all the users of Windows will like you.

    Expose them to an unpatched vulnerability and they will love you, uh, less.

  • Re:Oh, great.... (Score:3, Insightful)

    by Locke2005 ( 849178 ) on Tuesday July 06, 2010 @02:46PM (#32814888)
    The generally accepted practice is to disclose the vulnerability to the publisher first, and give them 30 days to issue a fix. If there is no fix available after the waiting period, THEN you disclose it to the general public. Although I'm sure the length of the waiting period can be a source of much debate, I don't believe making vulnerabilities public before giving the publisher a chance to fix the problem is in the best interest of computer users.
  • by Aladrin ( 926209 ) on Tuesday July 06, 2010 @02:51PM (#32814960)

    They can. But when this has been done in the past, no matter the time limit given, Microsoft has publicly chastised them for it. The result is this news article.

  • by Guil Rarey ( 306566 ) on Tuesday July 06, 2010 @02:51PM (#32814974)

    MS has to test stuff to make sure the fix doesn't make things worse. Decisions get made, people don't like the outcome. But recklessly announcing security holes is just dumb, and isn't helping anyone.

    fail.

    Excuse me. Corporations release crap products that cause problems and then refuse to man up and take responsibility for fixing them. Not exactly news, no.

    But when corporations behave with the ethical and moral standards of petulant spoiled children - like Microsoft consistently, persistently does - then they have earned exactly what they get, including pretty much any and all guerilla tactics to smack them into behaving.

  • Re:So... (Score:5, Insightful)

    by Dripdry ( 1062282 ) on Tuesday July 06, 2010 @02:55PM (#32815028) Journal

    It's probably a combination of ego/fun/being tired of MS being a bunch of dickweeds regarding security. What's wrong with one having pride in one's profession, and doing something about it when you see that it's going down the tubes?

  • Re:So... (Score:4, Insightful)

    by Jah-Wren Ryel ( 80510 ) on Tuesday July 06, 2010 @03:03PM (#32815164)

    The point of releasing this information is to prompt the vendor to fix it......and probably gain more street cred.

    Except that in this case it sounds like the entire point of this MSRC organization is to hide the identity of the guy who found the exploit in the first place. By using the MSRC umbrella to release the info it shields the individual from retaliation. So some street cred goes to the MSRC in general but that's not particularly useful for the guys doing the actual work.

  • by Rakishi ( 759894 ) on Tuesday July 06, 2010 @03:10PM (#32815310)

    There's QA of a bugfix and then there's sitting on it for months or years. Apparently Microsoft likes to do the latter often enough to annoy people.

    People have apparently tried to give Microsoft some time to fix bugs before making them public. Microsoft promptly attacked them for being hackers, cyberterrorists and all that jazz.

    In other words, Microsoft thought they could strong arm people and those people decided to show Microsoft that being an asshole has repercussions.

  • Re:So... (Score:5, Insightful)

    by Lord Ender ( 156273 ) on Tuesday July 06, 2010 @03:14PM (#32815386) Homepage

    The security industry works by reputation. Having published research (ex: "CVE 8675309 discovered by Joe Haxo of Secu-Tech Consulting") bolsters your reputation.

    Security researchers want vendors to disclose and patch the vulnerabilities, recognizing the researchers by name.

    If the vendors ignore the researchers, the researchers have no obligation toward the vendors. Hence, 0-day publication. If you let vendors sit on your research forever, someone may beat you to the punch and publish anyway.

  • The real bad guys most certainly know about these security issues long before they become common knowledge. Responsible would be Microsoft patching their stuff as soon as they learn about an exploit instead of waiting for the known ones to be spread in the wild.

    Responsible disclosure is just Microsoft's way of trying to get people to shut up about their crappy security. If Microsoft was the least interested in security they would care more about real security than UAC (put the blame on the user) and playing statistics by making more secure products, hiding patches and grouping patches etc.

  • Re:Oh, great.... (Score:1, Insightful)

    by Anonymous Coward on Tuesday July 06, 2010 @03:23PM (#32815546)

    The named researcher gave them 5 days to fix a vulnerability. Even today, no easy solution for that has been found and the said "security researcher" (paid by Google) really released the exploit publicly. Since then it has been exploited. So you STFU.

  • Re:Oh, great.... (Score:1, Insightful)

    by Anonymous Coward on Tuesday July 06, 2010 @03:27PM (#32815630)

    They didn't try anything. They got their feelings hurt because people are mad at their friend. They did not give MS a chance; they said you were mean so we will destructively release this because we are mad. And if it gets used to hurt people, I think this group should get their asses sued. Just like the big-egoed big babies they are. All releasing an exploit does is give the finder cred and that is what they want. If they were good people they would never release an exploit, just tell the vendor and that is it. I like how people rationalize it: I gave them 30 days. Well, some things can't be fixed in 30 days or even 30 weeks. People just wanna say I found it, look at me..... And that is what makes them crappy people.

  • To Add to this (Score:5, Insightful)

    by abulafia ( 7826 ) on Tuesday July 06, 2010 @03:43PM (#32815954)

    It seems like the lesson has to be relearned periodically.

    This same debate reappears like sunspots. Full Disclosure v. Responsible Disclosure. Black/Gray/White hats.

    The funny part here is that Microsoft itself seems to have forgotten how the script goes.

    1. Researcher finds exploit.
    2. Researcher notifies vendor.
    3. Vendor stalls for far longer than is reasonable.
    4. Researcher becomes frustrated, because
      1. In the meantime, systems are vulnerable,
      2. Making your name with your discoveries is very important career-wise for some types of researchers, and if a blackhat finds it before the vendor stops stalling, they lose that cred.
      3. Researcher feels played by vendor, who at least seems (and usually is) lying and stalling. So,
    5. Researcher starts releasing exploits either without contacting, or after giving non-negotiable windows of time.
    6. Maybe some less responsible types do some damage.
    7. Everyone wrings their hands over what to do, what to do. Slashdot posts occur. Some hack makes their article quota for the month at Computerworld.
    8. Repeat.

    MS, Sun, Oracle, Cisco, HP, they've all been through this cycle. You'd think they'd figure out that mission critical software requires a responsive, competent security response team. And they do figure it out. It just seems that the lesson has to be relearned every so often - prying the PR-barnacles off the hull, so to speak.

  • Re:The thing is (Score:2, Insightful)

    by abigsmurf ( 919188 ) on Tuesday July 06, 2010 @04:02PM (#32816350)
    They didn't try that.

    They said they'd give MS 30 days to fix a vulnerability. They then proceeded to release an exploit within 5 days.

    Not even the majority of Linux distributions can have that kind of turnaround (at least the distributions that actually test patches before rolling them out).

    All these hackers (yes that's what they are) care about is stroking their own ego and giving the impression that by somehow exposing this code to millions of script kiddies (look at the explosion of exploits that happened in the previous example) that they're being noble.

    Frankly, they need to grow up and actually think about the people they're putting at risk. Vulnerabilities happen, patches may take a while to come. That's no excuse for this.
  • by logjon ( 1411219 ) on Tuesday July 06, 2010 @04:18PM (#32816654)
    Narrow minded bullshit.
  • by Ihmhi ( 1206036 ) <i_have_mental_health_issues@yahoo.com> on Tuesday July 06, 2010 @04:22PM (#32816722)

    what prevents a security flaw from getting fixed? $$$
    What causes security flaws to be released ? $$$

    Assuming that is mostly accurate, I would then postulate that Microsoft protects their profits at the expense of an acceptable amount of security flaws (among a bunch of other stuff)

    A new patch released by my company leaves our servers traveling at 60 Internets per second. A 0-day exploit is published. The computer crashes and burns with everyone trapped inside. Now, should we patch the exploit?? Take the number of unpatched systems in the field, A, multiply by the probable rate of failure, B, multiply by the average out-of-court settlement, C. A times B times C equals X. If X is less than the cost of patching the exploit, we don't patch it.

    - Tyler Durden

    Floor Manager, Microsoft's Security Response Center

  • by starfishsystems ( 834319 ) on Tuesday July 06, 2010 @04:39PM (#32817004) Homepage
    I have to agree.

    Back in the days when Bill Gates answered his own emails, I sent him a note asking why Microsoft persistently failed to implement industry norms for secure system design (privilege containment, for example).

    His answer? "Customers aren't asking for those features."

    From this I concluded that he, and likewise Microsoft, had no interest in taking responsibility for product security, except when it could be monetized around a pain point.

    I don't see evidence that Microsoft has significantly changed since then. To my mind, its position is ethically the same as selling heroin to children, while defending the practice by saying that the children "aren't asking not to become addicted."

    Now, if someone wants to come along and put up posters explaining exactly how heroin is addictive, I can see how the dealers might object. Why, it could interfere with their business! They might ask for time to make their product less addictive, but it's an open question as to whether their intentions are sincere or just a stalling tactic. (Remember the tobacco industry?)

    Meanwhile, I can see no ethical reason why society has any obligation to wait for them. That goes equally for heroin, tobacco, and Microsoft.
  • by toppings ( 1298207 ) on Tuesday July 06, 2010 @04:57PM (#32817294) Homepage

    Or, how about the reward is that you acted responsibly, doing what you thought was the right thing. Can't that be enough?

    "The only reward of virtue is virtue." - Ralph Waldo Emerson

  • by winwar ( 114053 ) on Tuesday July 06, 2010 @05:53PM (#32818100)

    "Microsoft already puts ample resources on fixing it."

    That is simply absurd. If that were the case they would have few security flaws. This is not a short term problem; Windows has been around for a long time. Microsoft has just chosen to put security below features. They are just not honest enough to admit that they do not want to commit the needed resources.

  • by Gadget_Guy ( 627405 ) * on Tuesday July 06, 2010 @06:40PM (#32818588)

    Disclosure of vulnerabilities is the only way to get them fixed.

    Surely the thousands of other fixed bugs prove that this statement is wrong.

    On top of that, how does a "security researcher" validate their claims of finding bugs if they don't release them?

    Because software companies want to encourage people to report security bugs to them so they can get fixed before being exploited. It is in Microsoft's interest to acknowledge the security professionals who report the bugs [microsoft.com]. They also acknowledge the third parties who assist in solving bugs too.

    If a researcher gives a week/2 week notice, then releases their information -- as far as I'm concerned they're clear

    But what if Microsoft are currently spending their time fixing a major security hole that is currently being exploited. Isn't it reasonable for them to prioritise that over some newly discovered bug that nobody knows about just because some hacker wants their 15 minutes of fame immediately?

    If someone notices a problem in Microsoft's {insert function here} code, perhaps {Another company} with similar code has the same vulnerability, and would benefit from the knowledge?

    It is far more likely that it will be Microsoft that finds similar code with the same vulnerability in other products which would need to be fixed by the same bug fix. There is a reason why it can take more than a week to find and fix a bug.

  • Re:So... (Score:3, Insightful)

    by victorhooi ( 830021 ) on Tuesday July 06, 2010 @08:48PM (#32820188)

    heya,

    Err, when you're depending on aforesaid vendors to provide mission-critical systems, and they sold you their systems on the basis of being more secure...yeah, you do have that right to demand that.

    And for the record, it was 60 days, which is plenty of time.

    Google already had their hand burnt with Microsoft's buggy and security-hopeless software in the China hacking debacle, I'm assuming they didn't particularly want to get shafted and publicly humiliated again for using buggy Microsoft software.

    Cheers,
    Victor

  • by Dan Ost ( 415913 ) on Wednesday July 07, 2010 @12:03PM (#32827428)

    Not being able to fix the problem is very different from not being able to do anything to mitigate your exposure to the problem.

    Sometimes the problem is part of an unused component that can be turned off.
    Sometimes the problem can be protected by simple firewall rule changes.
    Sometimes the problem has a simple work-around.

    All of these things help protect the user even though none of them actually fix the problem.

    If the user doesn't know the problem exists, then they can't make any attempt to protect themselves.
