
Microsoft Spurned Researchers Release 0-Day 246

Posted by kdawson
from the that's-sure-to-help dept.
nk497 notes the news that a group of researchers calling themselves the Microsoft-Spurned Researcher Collective (the name is a play on Microsoft's Security Response Center) have come together to protest Microsoft's perceived heavy-handedness towards researchers who disclose security flaws. Pushed into action by the reception to the flaw disclosed by Tavis Ormandy, the group has released full details and exploit code for a previously unknown Windows local privilege escalation vulnerability. The advisory for the vulnerability, which affects Windows Vista and Windows Server 2008, contains the following manifesto: "Due to hostility toward security researchers, the most recent example being of Tavis Ormandy, a number of us from the industry (and some not from the industry) have come together to form MSRC: the Microsoft-Spurned Researcher Collective. MSRC will fully disclose vulnerability information discovered in our free time, free from retaliation against us or any inferred employer."
  • So... (Score:5, Insightful)

    by fuzzyfuzzyfungus (1223518) on Tuesday July 06, 2010 @02:22PM (#32814486) Journal
    Perhaps being a little more... diplomatic would be a good idea when dealing with the (sometimes rather ego-driven) people who know how to hack your box...
  • by countertrolling (1585477) on Tuesday July 06, 2010 @02:25PM (#32814546) Journal

    No wonder the government wants an off switch...

  • by dawilcox (1409483) on Tuesday July 06, 2010 @02:27PM (#32814578)
    It seems that people are upset with Microsoft because 1) they have software vulnerabilities in their OS and 2) they do too little too late to fix these vulnerabilities before hackers start exploiting them.
    This group cannot control one of these points (that Microsoft builds vulnerabilities into their OS). However, they can control the second point, by giving Microsoft advance notice and time to fix the vulnerabilities well before disclosing the vulnerabilities to the public.
    It seems a bit hypocritical to me to accuse Microsoft of doing too little, too late to fix vulnerabilities, and then release unfixed vulnerabilities to the public.
    • by Spad (470073) <slashdot @ s p a d . c o.uk> on Tuesday July 06, 2010 @02:30PM (#32814632) Homepage

      I think that their point, regardless of its validity, is that when people go to Microsoft and say "I've found this vulnerability, here's the detail and PoC, please fix it", they often sit on it for weeks, months or sometimes years before they take any action.

      Now, I appreciate that MS can't turn on a dime like some smaller companies and they have a shitload of regression testing and QA to do, but in the cases where highly critical bugs have been known about for years and persisted into *new* versions of OSs and Applications, you can understand why people get upset.

      • Re: (Score:2, Troll)

        by Mitsoid (837831)
        Unfortunately I'm with the security people on this.

        Disclosure of vulnerabilities is the only way to get them fixed. On top of that, how does a "security researcher" validate their claims of finding bugs if they don't release them?

        If a researcher gives a week/2 week notice, then releases their information -- as far as I'm concerned they're clear -- They gave notice, then published their findings for the community / other researchers. Yes, it's used by hackers too, but if we hide *everything* we learn less
        • Re: (Score:3, Interesting)

          Nowadays, if you give notice, the company will probably spend that time getting a gag order. Best to raise the flag, drop the blade, and watch the rolling head.
        • Unfortunately I'm with the security people on this. Disclosure of vulnerabilities is the only way to get them fixed. On top of that, how does a "security researcher" validate their claims of finding bugs if they don't release them?

          This all depends upon the company. Microsoft has no one but themselves to blame when researchers don't bother notifying them or giving them a reasonable window to fix it. Other vendors have been much better about fixing things in a timely manner. Apple (for example) goes so far as to provide credit for vulnerability discovery in all their security fixes and has been fairly responsive to the cases I knew about firsthand.

        • Re: (Score:3, Insightful)

          by Gadget_Guy (627405) *

          Disclosure of vulnerabilities is the only way to get them fixed.

          Surely the thousands of other fixed bugs proves that this is statement wrong.

          On top of that, how does a "security researcher" validate their claims of finding bugs if they don't release them?

          Because software companies want to encourage people to report security bugs to them so they can get fixed before being exploited. It is in Microsoft's interest to acknowledge the security professionals who report the bugs [microsoft.com]. They also acknowledge the third parties who assist in solving bugs too.

          If a researcher gives a week/2 week notice, then releases their information -- as far as I'm concerned they're clear

          But what if Microsoft are currently spending their time fixing a major security hole that is currently being exploited. Isn't it reasonable f

      • by afabbro (33948)

        I think that their point, regardless of its validity, is that when people go to Microsoft and say "I've found this vulnerability, here's the detail and PoC, please fix it", they often sit on it for weeks, months or sometimes years before they take any action.

        ...thereby delaying the security researcher's ability to cash in on his "I first discovered the BLAH.X vulnerability which Microsoft issued a HotFix for" credentials. That's what they're really angry about.

        Holehunters are mostly about trying to look cool and make money. Sorry, but it's true - their work has value and perhaps stroking their egos is the price you pay for having people hack at your stuff for free, but their motivations are (1) ego, (2) looking cool as a hacker, (3) cashing in, ..., (999) imp

        • Re: (Score:3, Informative)

          by amorsen (7485)

          I've found holes in a couple of products, not produced by Microsoft though. It is REALLY frustrating to mention a hole to a vendor and then being ignored at first, then have your motives questioned, and then see the company ignore the issue for ages.

          Today I would most likely not mention a security bug to anyone unless it's in free software. If I had previously established that the vendor was responsive to non-security bug reports or I have access to paid support, I'd probably give it a shot, but other than

      • I liked this part: "free from retaliation against us or any inferred employer." I think it was because MS gave Google grief over the whole incident. From my impression, it was a Google employee that released the vulnerability, not Google. Google may or may not have a hand in it at all, but MS acted as if they personally directed it.
    • by kimvette (919543) on Tuesday July 06, 2010 @02:37PM (#32814728) Homepage Journal

      It seems that people are upset with Microsoft because 1) they have software vulnerabilities in their OS and 2) they do too little too late to fix these vulnerabilities before hackers start exploiting them.

      You forgot 3) but they don't neglect fixing holes in the activation process, even if they end up creating false alerts and block activation of legitimate IDs.

  • by Saint Stephen (19450) on Tuesday July 06, 2010 @02:28PM (#32814596) Homepage Journal

    MS has to test stuff to make sure the fix doesn't make things worse. Decisions get made, people don't like the outcome. But recklessly announcing security holes is just dumb, and isn't helping anyone.

    fail.

    • by Itninja (937614) on Tuesday July 06, 2010 @02:37PM (#32814734) Homepage
      Large US corporations care more about avoiding highly publicized lawsuits than 'doing the right thing'. By calling MS out by announcing to the world their Windows flaws, it forces MS to either publicly refuse to fix the issue or put some of the ample resources on fixing it. Refusing to fix it will certainly spawn lawsuits (or even government action). That's sure good for everyone...
      • Re: (Score:3, Interesting)

        by Saint Stephen (19450)

        Limited worldview, stupid assumptions. It's just childish to assume that MS delays action on a patch because "it hurts their feelings". It's far smarter to realize they have to manage the process in a controlled way.

        Now, bureaucracy means things get done slower than some people wish - that's a fair gripe. But a far smarter way to handle it would be to announce there's X issues that Microsoft is Y days behind on patching rather than detailing what the issues are, correct?

        That way you'd get your point acro

        • by cynyr (703126) on Tuesday July 06, 2010 @02:52PM (#32814978)
          But let's say something needs port 11234 open in both directions to work*, a sys admin that knows about the flaw (before the fix is out) can make some attempts to limit his exposure to the flaw. Without that info in the wild he thinks he's safe and all is well while he gets back doored.... Some of these flaws have ways to limit or remove exposure to them while the vendor is producing a fix. You may be able to disable a feature, firewall off the machines that need to run it, block all connection attempts on a port with a payload that matches "foobar". Making sure people know that helps lessen the problem while the fix is getting out. Also it does apply pressure on the vendor to fix it fast as all of the people with support contracts are bugging them for a fix for "the foobar bug". There have been few bugs that can't be band-aided recently discovered, so the harm is really only to the people that don't follow security in the first place (home users that put their birthday PIN and mother's maiden name into any form they see on the internet).

          *Bad example, I know, as all ports not known to be doing something useful should be blocked in both directions, but you get the idea.
          • But let's say something needs port 11234 open in both directions to work*, a sys admin that knows about the flaw (before the fix is out) can make some attempts to limit his exposure to the flaw. Without that info in the wild he thinks he's safe and all is well while he gets back doored.... Some of these flaws have ways to limit or remove exposure to them while the vendor is producing a fix. You may be able to disable a feature, firewall off the machines that need to run it, block all connection attempts on a po

        • by Itninja (937614)

          But a far smarter way to handle it would be to announce there's X issues that Microsoft is Y days behind on patching rather than detailing what the issues are, correct?

          Totally agree. But MS has known about serious security holes sometimes for years (coming out with new OS versions in the meantime) and done nothing. When the new OS is out, the problem still is there....

        • Actually, MS is making a choice: Either endanger everyone or inconvenience some MS customers. They can put out patches earlier, with less emphasis on testing and more emphasis on disabling features. The problem is that if they did that, some customers might go over to other systems from other companies which don't have these vulnerabilities. They choose instead to wait until the full testing cycle is up and until the next convenient Patch Tuesday. They endanger the rest of us for their profit.
      • Re: (Score:3, Informative)

        by Blakey Rat (99501)

        Large US corporations care more about avoiding highly publicized lawsuits than 'doing the right thing'. By calling MS out by announcing to the world their Windows flaws, it forces MS to either publicly refuse to fix the issue or put some of the ample resources on fixing it.

        Microsoft already puts ample resources on fixing it. Jesus Christ, haven't any security researchers read "No Silver Bullet?" There's no reason to believe that Microsoft can do anything to speed up this process in the short term-- putting

        • by nschubach (922175)

          Look, Windows is a HUGE product. Last I heard, it takes something like 12-15 hours JUST TO BUILD. God knows how long the regression testing takes.

          Maybe they need to split it up into small parts or something that can be compiled in a shorter period of time in order to be able to fix and test these individual pieces. Let's call these parts libraries and/or modules and maybe if they just change the ones that are impacted by the exploit it might not take hours to compile...

        • by winwar (114053) on Tuesday July 06, 2010 @05:53PM (#32818100)

          "Microsoft already puts ample resources on fixing it."

          That is simply absurd. If that were the case they would have few security flaws. This is not a short term problem-windows has been around for a long time. Microsoft has just chosen to put security below features. They are just not honest enough to admit that they do not want to commit the needed resources.

          • by drsmithy (35869)

            That is simply absurd. If that were the case they would have few security flaws.

            Do you have some numbers showing Windows has more flaws than other similar systems ?

        • by richlv (778496)

          Look, Windows is a HUGE product. Last I heard, it takes something like 12-15 hours JUST TO BUILD.

          bah. surely half of the gentoo users will respond to you in a week, and make fun of that build time.

    • by Guil Rarey (306566) on Tuesday July 06, 2010 @02:51PM (#32814974)

      MS has to test stuff to make sure the fix doesn't make things worse. Decisions get made, people don't like the outcome. But recklessly announcing security holes is just dumb, and isn't helping anyone.

      fail.

      Excuse me. Corporations release crap products that cause problems and then refuse to man up and take responsibility for fixing them. Not exactly news, no.

      But when corporations behave with the ethical and moral standards of petulant spoiled children - like Microsoft consistently, persistently does - then they have earned exactly what they get, including pretty much any and all guerrilla tactics to smack them into behaving.

      • by starfishsystems (834319) on Tuesday July 06, 2010 @04:39PM (#32817004) Homepage
        I have to agree.

        Back in the days when Bill Gates answered his own emails, I sent him a note asking why Microsoft persistently failed to implement industry norms for secure system design (privilege containment for example.)

        His answer? "Customers aren't asking for those features."

        From this I concluded that he, and likewise Microsoft, had no interest in taking responsibility for product security, except when it could be monetized around a pain point.

        I don't see evidence that Microsoft has significantly changed since then. To my mind, its position is ethically the same as selling heroin to children, while defending the practice by saying that the children "aren't asking not to become addicted."

        Now, if someone wants to come along and put up posters explaining exactly how heroin is addictive, I can see how the dealers might object. Why, it could interfere with their business! They might ask for time to make their product less addictive, but it's an open question as to whether their intentions are sincere or just a stalling tactic. (Remember the tobacco industry?)

        Meanwhile, I can see no ethical reason why society has any obligation to wait for them. That goes equally for heroin, tobacco, and Microsoft.
    • by Rakishi (759894) on Tuesday July 06, 2010 @03:10PM (#32815310)

      There's QA of a bugfix and then there's sitting on it for months or years. Apparently Microsoft likes to do the latter often enough to annoy people.

      People have apparently tried to give Microsoft some time to fix bugs before making them public. Microsoft promptly attacked them for being hackers, cyberterrorists and all that jazz.

      In other words, Microsoft thought they could strong arm people and those people decided to show Microsoft that being an asshole has repercussions.

    • by gad_zuki! (70830)

      Don't bother, this is Slashdot, where all corporations are evil and releasing zero days and never paying for movies or music is the norm.

      • by Bryansix (761547)
        Sorry, but your argument is so full of holes I don't know where to begin. How about the false parallels? How about lumping in two subjects that have nothing to do with each other? How about lumping all Slashdot commenters together? I for one usually disagree with the groupthink around here. However, in this case it happens to be right (a broken clock is right two times a day).

        Microsoft IS being irresponsible here and they HAVE been given a chance to play nice. You don't know the back story but this has
  • vetting? (Score:4, Funny)

    by LordPhantom (763327) on Tuesday July 06, 2010 @02:28PM (#32814598)
    FTA: Current MSRC Members (alphabetical order!): XX XXXXXX XXXX XXXXXXXX XXXXX XXX XXXXXXX XXXXXXX XXXXXX XXXXXXXXX XXXXX XXXXXXXX

    If you wish to responsibly disclose a vulnerability through full disclosure or want to join our team, fire off an email to: msrc- disclosure () hushmail com We do have a vetting process by the way, for any Microsoft employees trying to join ;-)

    I wonder how they are going to determine *that*......
    • Re: (Score:3, Funny)

      by BlueBoxSW.com (745855)

      They test your pee for Mountain Dew.

    • Re: (Score:2, Funny)

      by Anonymous Coward

      FTA:
      We do have a vetting process by the way, for any Microsoft
      employees trying to join ;-)

      I wonder how they are going to determine *that*......

      I found the below code from their website...

      IF RIGHT(strEmail,14) = "@microsoft.com" THEN
          boolPassedVetting = False
      ELSE
          boolPassedVetting = True
      END IF

      And now, in the true spirit of things...

      NOTIFICATION OF 0-DAY VULNERABILITY:
      If a user gives an email address under 13 characters in length, then the command will fail, dumping the user to a shell and giving them complete admin access (as the script was running as root of course)

    • Why should they vet? Everyone should keep each other at arm's length. It is not like they have to meet in person or are trying to keep what they are doing secret or anything. This just makes it sound like some clubhouse of children with secret passwords. Makes me wonder if they are attached to their ideals and how much of it is playing secret agents.
    • by Blakey Rat (99501)

      Why would they care if a Microsoft employee joins the list? I mean, their policy is to disclose ASAP anyway-- what do they think is going to happen?

  • Oh, great.... (Score:3, Interesting)

    by bobdehnhardt (18286) on Tuesday July 06, 2010 @02:34PM (#32814692)

    Just what we need: a one-stop shop for 0-day exploit code. Way to improve security, guys! Right on! Stick it to The Man! And by that, I mean the man (or woman) in the next cubicle, or next door, or down the street, or....

    I am all for responsible disclosure of vulnerabilities - secrecy does not equal security, and "let's not talk about it and hope nobody notices" is never an appropriate response to vulnerabilities. But responsible disclosure includes working with the vendor, giving them the full data and an opportunity to correct prior to full public disclosure.

    If MS is giving researchers the cold shoulder or worse in response to vulnerabilities that are responsibly disclosed to them, that's shame on Microsoft. But to my view, jumping to public disclosure is not the appropriate response.

    • Re:Oh, great.... (Score:5, Insightful)

      by h4rr4r (612664) on Tuesday July 06, 2010 @02:44PM (#32814858)

      They tried that, it did not work so now they do this.

      What should they do when "responsible" disclosure gets you either a prompt STFU, they just ignore the problem, or worst case a lawsuit?

    • Re: (Score:3, Insightful)

      by Locke2005 (849178)
      The generally accepted practice is to disclose the vulnerability to the publisher first, and give them 30 days to issue a fix. If there is no fix available after the waiting period, THEN you disclose it to the general public. Although I'm sure the length of the waiting period can be a source of much debate, I don't believe making vulnerabilities public before giving the publisher a chance to fix the problem is in the best interest of computer users.
      • by h4rr4r (612664)

        If the vendor does not promptly fix issues perhaps moving to a vendor that does is a better move.

      • I don't believe making vulnerabilities public before giving the publisher a chance to fix the problem is in the best interest of computer users.

        I would actually debate that with you. Knowing full well that exploits will be promptly publicly published (no pun intended), will force the large software makers to spend a little more time/effort keeping these kinds of exploits from being in their code to begin with. In many cases, a simple vetting process would detect many of these issues at the design stage. The more the computer users suffer the consequences of buggy code being released, the larger their up-roar against the maker of the software demand

  • The thing is (Score:2, Insightful)

    by trifish (826353)

    Use responsible disclosure and not only Microsoft, but above all the users of Windows will like you.

    Expose them to an unpatched vulnerability and they will love you, uh, less.

    • Re: (Score:3, Informative)

      by h4rr4r (612664)

      They tried that. "Responsible" disclosure often results in nothing happening or worst case a lawsuit. It is cheaper for MS to ignore problems than fix them.

      • Re: (Score:2, Insightful)

        by abigsmurf (919188)
        They didn't try that.

        They said they'd give MS 30 days to fix a vulnerability. They then proceeded to release an exploit within 5 days.

        Not even the majority of linux distributions can have that kind of turn around (at least the distributions that actually test patches before rolling them out).

        All these hackers (yes that's what they are) care about is stroking their own ego and giving the impression that by somehow exposing this code to millions of script kiddies (look at the explosion of exploits th
    • by Stumbles (602007)
      They tried that and were ignored. Besides, it probably doesn't matter because if these "good guys" found it, it is not unreasonable to think the bad guys already know about it. In fact the more I think about this, it is the "bad guys" who are being more responsible than the "good guys" because the bad guys KEEP THEIR MOUTH SHUT about vulnerabilities.
  • Based on what I've read, this was done intentionally and with malicious intent on the behalf of the researchers in retaliation for the negative attitude Microsoft showed toward Tavis Ormandy. In Tavis' case, I think Microsoft simply had some negative words to say, but in this case, Microsoft can claim that these security researchers intended to damage them based on their threats "that they will continue to do so in response to how Microsoft treated Tavis Ormandy."

    It is clear to me that the researchers are

  • The real bad guys most certainly know about these security issues long before they become common knowledge. Responsible would be Microsoft patching their stuff as soon as they learn about an exploit instead of waiting for the known ones to be spread in the wild.

    Responsible disclosure is just Microsoft's way of trying to get people to shut up about their crappy security. If Microsoft was the least interested in security they would care more about real security than UAC (put the blame on the user) and playing statistics by making more secure products, hiding patches and grouping patches etc.

    • No they don't. Most bad guys aren't skilled enough to find new exploits. They typically prefer to reverse engineer the patches and then exploit people who don't update. Most exploit packs are exploiting flaws that are old and well known. So this "MSRC" or whatever will definitely make things worse, and they're arguing from the worst kind of academic viewpoint if they claim it won't.
      • > Most bad guys aren't skilled enough to find new exploits.

        Probably true that _most_ aren't. However, it's a certainty that _some_ are. And some is all it takes.

  • by Tetsujin (103070) on Tuesday July 06, 2010 @03:41PM (#32815916) Homepage Journal

    Microsoft Spurned Researchers Release 0-Day

    I get about as far as "Microsoft Spurned Researchers" and then the rest of it doesn't make any sense. Like you need a conjunction or something after "Researchers"...

    Or, you know, hyphenate "Microsoft-Spurned" so the damn headline makes sense.

  • by John Hasler (414242) on Tuesday July 06, 2010 @03:46PM (#32816020) Homepage

    We need an irrevocable authenticated delayed publication mechanism: some way to put a GPG-signed document into a pipeline such that it will be published at the end of X days no matter what anyone (including the author) does. Researchers could then send their discoveries to vendors with the notation "This vulnerability will come out of the IADP system in sixty days". Browbeating them for more time would be pointless and their priority of discovery would be secure.

    There are no doubt many other uses for such a system as well.
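A small simulation of the delayed-publication pipeline sketched in the comment above, added here as an illustration and not code from the original post or from any real system. It models the two properties the proposal cares about: a hash commitment goes on a public ledger the moment the document is submitted (so priority of discovery can be proven later), and the full document is released only when the embargo clock runs out, with no withdraw or extend operation at all. The GPG signature on the advisory is assumed to be verified before submission and is not modelled; the clock values and the advisory body are constructed placeholders, and in a real deployment the sealed document would be escrowed or encrypted rather than held in process memory.

```python
import hashlib
import secrets
from dataclasses import dataclass

DAY = 86400
DEFAULT_EMBARGO_DAYS = 60


@dataclass
class Entry:
    commitment: str   # sha256(nonce || document), published on the ledger immediately
    submitted_at: int # unix time the pipeline accepted the document
    release_at: int   # unix time the pipeline will publish the document
    nonce: bytes      # sealed with the document until release; reveals the commitment
    document: bytes   # the (assumed GPG-signed) advisory; escrowed in a real system


class DelayedPublisher:
    """Accepts a signed advisory, publishes its commitment at once and the
    document itself only after the embargo. Deliberately has no withdraw or
    extend method: irrevocability is the whole point of the proposal."""

    def __init__(self, now: int):
        self.now = now
        self.ledger = []    # public: (commitment, submitted_at, release_at)
        self._sealed = []   # private until release
        self.published = []

    def submit(self, document: bytes, embargo_days: int = DEFAULT_EMBARGO_DAYS) -> Entry:
        # A random nonce keeps the commitment from leaking the content via guessing.
        nonce = secrets.token_bytes(16)
        commitment = hashlib.sha256(nonce + document).hexdigest()
        entry = Entry(commitment, self.now, self.now + embargo_days * DAY, nonce, document)
        self.ledger.append((commitment, entry.submitted_at, entry.release_at))
        self._sealed.append(entry)
        return entry

    def advance_to(self, now: int) -> list:
        """Move the clock forward and publish every entry whose release time has passed."""
        self.now = now
        due = [e for e in self._sealed if e.release_at <= now]
        self._sealed = [e for e in self._sealed if e.release_at > now]
        self.published.extend(due)
        return due

    def is_public(self, commitment: str) -> bool:
        return any(e.commitment == commitment for e in self.published)


def verify_priority(ledger_record, nonce: bytes, document: bytes) -> bool:
    """Anyone holding the public ledger can check, after release, that this exact
    document is the one committed to at submitted_at."""
    commitment, _submitted_at, _release_at = ledger_record
    return hashlib.sha256(nonce + document).hexdigest() == commitment


def demo():
    t0 = 1_278_432_000  # constructed clock value (July 2010)
    pipe = DelayedPublisher(now=t0)
    advisory = b"-----BEGIN PGP SIGNED MESSAGE-----\n(placeholder: signed advisory body)\n"
    entry = pipe.submit(advisory)
    early = pipe.is_public(entry.commitment)            # day 0: only the hash is visible
    pipe.advance_to(t0 + 59 * DAY)
    still_sealed = not pipe.is_public(entry.commitment)  # day 59: still embargoed
    pipe.advance_to(t0 + 60 * DAY)
    released = pipe.is_public(entry.commitment)          # day 60: published regardless
    proven = verify_priority(pipe.ledger[0], entry.nonce, advisory)
    tampered = verify_priority(pipe.ledger[0], entry.nonce, advisory + b"edited")
    return early, still_sealed, released, proven, tampered


if __name__ == "__main__":
    print(demo())
```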

  • I can attest to the fact that we are by and large utterly incompetent when handling reports of hacks. As an example, we had never seen them in our products before and only recently became aware of several nasty buffer overflows in our flagship product. The 'hat' that found the problems was based out of Quebec and didn't speak English; our corporate office, having first been informed of the issue, immediately declared their intent to prosecute the perceived hacker. We had a generous 5 days to respond as well
