Microsoft Spurned Researchers Release 0-Day
nk497 notes the news that a group of researchers calling themselves the Microsoft-Spurned Researcher Collective (the name is a play on Microsoft's Security Response Center) have come together to protest Microsoft's perceived heavy-handedness towards researchers who disclose security flaws. Pushed into action by the reception to the flaw disclosed by Tavis Ormandy, the group has released full details and exploit code for a previously unknown Windows local privilege escalation vulnerability. The advisory for the vulnerability, which affects Windows Vista and Windows Server 2008, contains the following manifesto: "Due to hostility toward security researchers, the most recent example being of Tavis Ormandy, a number of us from the industry (and some not from the industry) have come together to form MSRC: the Microsoft-Spurned Researcher Collective. MSRC will fully disclose vulnerability information discovered in our free time, free from retaliation against us or any inferred employer."
So... (Score:5, Insightful)
Re:So... (Score:5, Insightful)
People who really want to do damage wouldn't release the code publicly. They would keep it quiet so they can do maximum damage. The point of releasing this information is to prompt the vendor to fix it......and probably gain more street cred.
Re:So... (Score:4, Insightful)
The point of releasing this information is to prompt the vendor to fix it......and probably gain more street cred.
Except that in this case it sounds like the entire point of this MSRC organization is to hide the identity of the guy who found the exploit in the first place. By using the MSRC umbrella to release the info it shields the individual from retaliation. So some street cred goes to the MSRC in general but that's not particularly useful for the guys doing the actual work.
Re: (Score:2)
On the other hand, anyone claiming a MSRC exploit on their CV, after the furor has died down, can list the MSRC as a reference to confirm it.
Re: (Score:2)
"The point of releasing this information is to prompt the vendor to fix it......"
The safest way to expose security flaws without being deemed a cracker or vandal is to anonymously release exploits... to crackers and vandals.
Re: (Score:2)
Re: (Score:3, Interesting)
What in particular about Microsoft's response to vulnerability notices do you object to? They can be a bit slow to respond sometimes - they're pretty busy - but they've never seemed either prideful or moronic to me. (Well, OK, once; but on that occasion even I had to admit it was a borderline case.)
Re: (Score:2, Offtopic)
s/Microsoft/Just About All Major Software Companies/
Re:So... (Score:5, Insightful)
Why would anyone BOTHER to go looking for vulnerabilities in the largest operating system in the world for ALTRUISTIC reasons?
Can you come up with a logical reason for jigsaw puzzles?
Puzzles are fun. This is a particularly geeky and difficult sort of puzzle - it shouldn't surprise you in the least that people do it as a hobby. It also shouldn't surprise you that people who are treated poorly might seek revenge.
Re: (Score:2)
Re: (Score:2)
The creator of the jigsaw puzzle probably hasn't made all that many public claims about the puzzle's robustness or fitness to a particular task.
Re: (Score:2)
People are going to ask very real questions before trusting a consumer OS with anything to do with real world functionality.
The end users handed over a lot of hard earned cash for an OS and should expect it to work as described and not be wide open to anyone with time and math skills.
The more information that exists in the bright open marketplace about a product the better
Re:So... (Score:5, Insightful)
It's probably a combination of ego/fun/being tired of MS being a bunch of dickweeds regarding security. What's wrong with one having pride in one's profession, and doing something about it when you see that it's going down the tubes?
Re:So... (Score:5, Insightful)
The security industry works by reputation. Having published research (ex: "CVE 8675309 discovered by Joe Haxo of Secu-Tech Consulting") bolsters your reputation.
Security researchers want vendors to disclose and patch the vulnerabilities, recognizing the researchers by name.
If the vendors ignore the researchers, the researchers have no obligation toward the vendors. Hence, 0-day publication. If you let vendors sit on your research forever, someone may beat you to the punch and publish anyway.
Re: (Score:2)
A lot of commercial vendors treat independent researchers with contempt (how dare they find holes in our products) or as slaves (they should do the work our quality control dept should, for free)...
White hat researchers are doing these vendors a favor and often get treated extremely badly in return. If you scare off the white hat researchers, then there will be more vulnerabilities for the black hat ones to find and exploit, and they won't publicise it they will just sell it to the highest bidder.
Personally
Re: (Score:3, Interesting)
A lot of commercial vendors treat independent researchers with contempt (how dare they find holes in our products) or as slaves (they should do the work our quality control dept should, for free)...
Of course, the folks who find a problem and then say "you have a week to fix this and then we release it into the wild" don't win their side any favours, either...
Re: (Score:3, Insightful)
heya,
Err, when you're depending on the aforesaid vendors to provide mission-critical systems, and they sold you their systems on the basis of being more secure... yeah, you do have the right to demand that.
And for the record, it was 60 days, which is plenty of time.
Google already had their hand burnt with Microsoft's buggy and security-hopeless software in the China hacking debacle, I'm assuming they didn't particularly want to get shafted and publicly humiliated again for using buggy Microsoft software.
Cheers
Re: (Score:2)
But presumably they maintain the Windows boxen of their families....
Re: (Score:3, Funny)
So the WHO is the proprietary vendor of the human immune system with exclusive access to the source code? Or in other words the UN is God?
Surely you can come up with a worse analogy. How about one involving cars?
Re:So... (Score:4, Funny)
It's more like someone finding out that if you plug in a 2nd generation iPod into a 1996 Civic LS with the upgraded stereo then it will cause a short and your car will explode into a fiery mess. Sure, some yahoo could run around plugging iPods into Civics, but generally I'd be happy to know of the potential danger.
Re: (Score:2)
Imagine if organized crime had thrown way more resources than this one doctor at the problem, and to protect yourself you'd have to wear a patch on the eye opposite to your dominant hand until a proper fix was released (which can be created in less than a day and thoroughly tested within weeks).
Is he or is he not an asshole when he blogs about how to patch your eye?
All these internet "radicals" (Score:5, Funny)
No wonder the government wants an off switch...
Not to side with Microsoft, but... (Score:5, Interesting)
This group cannot control one of these points (that Microsoft builds vulnerabilities into their OS). However, they can control the second point, by giving Microsoft advance notice and time to fix the vulnerabilities well before disclosing the vulnerabilities to the public.
It seems a bit hypocritical to me to accuse Microsoft of doing too little, too late to fix vulnerabilities, and then release unfixed vulnerabilities to the public.
Re:Not to side with Microsoft, but... (Score:5, Insightful)
I think that their point, regardless of its validity, is that when people go to Microsoft and say "I've found this vulnerability, here's the detail and PoC, please fix it", they often sit on it for weeks, months or sometimes years before they take any action.
Now, I appreciate that MS can't turn on a dime like some smaller companies and they have a shitload of regression testing and QA to do, but in the cases where highly critical bugs have been known about for years and persisted into *new* versions of OSs and Applications, you can understand why people get upset.
Re: (Score:2, Troll)
Disclosure of vulnerabilities is the only way to get them fixed. On top of that, how does a "security researcher" validate their claims of finding bugs if they don't release them?
If a researcher gives a week/2 week notice, then releases their information -- as far as I'm concerned they're clear -- they gave notice, then published their findings for the community / other researchers. Yes, it's used by hackers too, but if we hide *everything* we learn less.
Re: (Score:3, Interesting)
Re: (Score:2)
Unfortunately I'm with the security people on this. Disclosure of vulnerabilities is the only way to get them fixed. On top of that, how does a "security researcher" validate their claims of finding bugs if they don't release them?
This all depends upon the company. Microsoft has no one but themselves to blame when researchers don't bother notifying them or giving them a reasonable window to fix it. Other vendors have been much better about fixing things in a timely manner. Apple (for example) goes so far as to provide credit for vulnerability discovery in all their security fixes and has been fairly responsive to the cases I knew about firsthand.
Re: (Score:3, Insightful)
Disclosure of vulnerabilities is the only way to get them fixed.
Surely the thousands of other fixed bugs prove that this statement is wrong.
On top of that, how does a "security researcher" validate their claims of finding bugs if they don't release them?
Because software companies want to encourage people to report security bugs to them so they can get fixed before being exploited. It is in Microsoft's interest to acknowledge the security professionals who report the bugs [microsoft.com]. They also acknowledge the third parties who assist in solving bugs too.
If a researcher gives a week/2 week notice, then releases their information -- as far as I'm concerned they're clear
But what if Microsoft are currently spending their time fixing a major security hole that is currently being exploited. Isn't it reasonable f
Re: (Score:2)
I think that their point, regardless of its validity, is that when people go to Microsoft and say "I've found this vulnerability, here's the detail and PoC, please fix it", they often sit on it for weeks, months or sometimes years before they take any action.
...thereby delaying the security researcher's ability to cash in on his "I first discovered the BLAH.X vulnerability which Microsoft issued a HotFix for" credentials. That's what they're really angry about.
Holehunters are mostly about trying to look cool and make money. Sorry, but it's true - their work has value and perhaps stroking their egos is the price you pay for having people hack at your stuff for free, but their motivations are (1) ego, (2) looking cool as a hacker, (3) cashing in, ..., (999) imp
Re: (Score:3, Informative)
I've found holes in a couple of products, not produced by Microsoft though. It is REALLY frustrating to mention a hole to a vendor and then being ignored at first, then have your motives questioned, and then see the company ignore the issue for ages.
Today I would most likely not mention a security bug to anyone unless it's in free software. If I had previously established that the vendor was responsive to non-security bug reports or I have access to paid support, I'd probably give it a shot, but other than
Re: (Score:2)
Re:Not to side with Microsoft, but... (Score:5, Insightful)
They can. But when this has been done in the past, no matter the time limit given, Microsoft has publicly chastised them for it. The result is this news article.
To Add to this (Score:5, Insightful)
It seems like the lesson has to be relearned periodically.
This same debate reappears like sunspots. Full Disclosure v. Responsible Disclosure. Black/Gray/White hats.
The funny part here is that Microsoft itself seems to have forgotten how the script goes.
MS, Sun, Oracle, Cisco, HP, they've all been through this cycle. You'd think they'd figure out that mission critical software requires a responsive, competent security response team. And they do figure it out. It just seems that the lesson has to be relearned every so often - prying the PRarnicles off the hull, so to speak.
Re: (Score:2)
Doesn't extortion require some sort of demand for payment?
Re: (Score:2)
Re:Not to side with Microsoft, but... (Score:5, Interesting)
You forgot 3) but they don't neglect fixing holes in the activation process, even if they end up creating false alerts and block activation of legitimate IDs.
Re: (Score:3, Interesting)
This is incredibly naive. The current methods works well, for a very specific reason. MS's real customers are businesses. The home user is an afterthought, so we might as well ignore them. Large businesses have lots of custom applications and integration and scripting. Most of this work was done in a very, very shitty way. The result is things like hard coded paths, relying on unsupported, deprecated, or undocumented functionality of libraries, all sorts of stupid, impossible to maintain bullshit. M
Re: (Score:2)
Nor is it particularly wise to play fast and loose with a company with billions of dollars to burn and a corporate legal team that makes prison-yard thugs look like old ladies in muumuus.
Neither response makes me more secure, so why should I be thanking Microsoft, or their jilted lovers?
Re: (Score:2)
> Neither response makes me more secure...
How does being notified of vulnerabilities in the software you are running not make you more secure? If "security researchers" have a responsibility to tell anyone about security bugs they find it is the users who the bugs put at risk.
Re:Not to side with Microsoft, but... (Score:4, Insightful)
Not being able to fix the problem is very different from not being able to do anything to mitigate your exposure to the problem.
Sometimes the problem is part of an unused component that can be turned off.
Sometimes the problem can be protected by simple firewall rule changes.
Sometimes the problem has a simple work-around.
All of these things help protect the user even though none of them actually fix the problem.
If the user doesn't know the problem exists, then they can't make any attempt to protect themselves.
Re: (Score:2)
All too often the problem is that they HAVE notified Microsoft and even months later Microsoft hasn't done anything to fix the problem. How long do you wait around and watch inaction before you become a "complete jerk" and report the issue to the public? Keep in mind that the hackers likely already know about the issue long before the public does. A company keeping their head in the sand over an issue does not mean others cannot see the problem.
Re: (Score:2)
Sorry, I was getting a little jumpy there. Agreed, full disclosure from both sides serves everyone best. Chances are very good that the hackers already know about the issue long before the public does anyway. I would bet even some researchers feed the hacker network as well as people from Microsoft and other companies. Likely neither would admit as such, though.
Dumbdumbdumbdumbdumb (Score:4, Insightful)
MS has to test stuff to make sure the fix doesn't make things worse. Decisions get made, people don't like the outcome. But recklessly announcing security holes is just dumb, and isn't helping anyone.
fail.
Re:Dumbdumbdumbdumbdumb (Score:5, Insightful)
Re: (Score:3, Interesting)
Limited worldview, stupid assumptions. It's just childish to assume that MS delays action on a patch because "it hurts their feelings". It's far smarter to realize they have to manage the process in a controlled way.
Now, bureaucracy means things get done slower than some people wish - that's a fair gripe. But a far smarter way to handle it would be to announce there are X issues that Microsoft is Y days behind on patching rather than detailing what the issues are, correct?
That way you'd get your point acro
Re:Dumbdumbdumbdumbdumb (Score:5, Informative)
*Bad example, I know, as all ports not known to be doing something useful should be blocked in both directions, but you get the idea.
Re: (Score:2)
Re: (Score:2)
Totally agree. But MS has known about serious security holes sometimes for years (coming out with new OS versions in the meantime) and done nothing. When the new OS is out, the problem still is there....
Re: (Score:2)
Re: (Score:3, Informative)
Large US corporations care more about avoiding highly publicized lawsuits than 'doing the right thing'. By calling MS out by announcing to the world their Windows flaws, it forces MS to either publicly refuse to fix the issue or put some of the ample resources on fixing it.
Microsoft already puts ample resources on fixing it. Jesus Christ, haven't any security researchers read "No Silver Bullet?" There's no reason to believe that Microsoft can do anything to speed up this process in the short term-- putting
Re: (Score:2)
Look, Windows is a HUGE product. Last I heard, it takes something like 12-15 hours JUST TO BUILD. God knows how long the regression testing takes.
Maybe they need to split it up into small parts or something that can be compiled in a shorter period of time in order to be able to fix and test these individual pieces. Let's call these parts libraries and/or modules and maybe if they just change the ones that are impacted by the exploit it might not take hours to compile...
Re:Dumbdumbdumbdumbdumb (Score:4, Insightful)
"Microsoft already puts ample resources on fixing it."
That is simply absurd. If that were the case they would have few security flaws. This is not a short-term problem; Windows has been around for a long time. Microsoft has just chosen to put security below features. They are just not honest enough to admit that they do not want to commit the needed resources.
Re: (Score:2)
That is simply absurd. If that were the case they would have few security flaws.
Do you have some numbers showing Windows has more flaws than other similar systems?
Re: (Score:2)
Look, Windows is a HUGE product. Last I heard, it takes something like 12-15 hours JUST TO BUILD.
Bah. Surely half of the Gentoo users will respond to you in a week, and make fun of that build time.
Re:Dumbdumbdumbdumbdumb (Score:5, Insightful)
MS has to test stuff to make sure the fix doesn't make things worse. Decisions get made, people don't like the outcome. But recklessly announcing security holes is just dumb, and isn't helping anyone.
fail.
Excuse me. Corporations release crap products that cause problems and then refuse to man up and take responsibility for fixing them. Not exactly news, no.
But when corporations behave with the ethical and moral standards of petulant spoiled children - like Microsoft consistently, persistently does - then they have earned exactly what they get, including pretty much any and all guerrilla tactics to smack them into behaving.
Re:Dumbdumbdumbdumbdumb (Score:5, Insightful)
Back in the days when Bill Gates answered his own emails, I sent him a note asking why Microsoft persistently failed to implement industry norms for secure system design (privilege containment for example.)
His answer? "Customers aren't asking for those features."
From this I concluded that he, and likewise Microsoft, had no interest in taking responsibility for product security, except when it could be monetized around a pain point.
I don't see evidence that Microsoft has significantly changed since then. To my mind, its position is ethically the same as selling heroin to children, while defending the practice by saying that the children "aren't asking not to become addicted."
Now, if someone wants to come along and put up posters explaining exactly how heroin is addictive, I can see how the dealers might object. Why, it could interfere with their business! They might ask for time to make their product less addictive, but it's an open question as to whether their intentions are sincere or just a stalling tactic. (Remember the tobacco industry?)
Meanwhile, I can see no ethical reason why society has any obligation to wait for them. That goes equally for heroin, tobacco, and Microsoft.
Re:Dumbdumbdumbdumbdumb (Score:5, Insightful)
There's QA of a bugfix and then there's sitting on it for months or years. Apparently Microsoft likes to do the latter often enough to annoy people.
People have apparently tried to give Microsoft some time to fix bugs before making them public. Microsoft promptly attacked them for being hackers, cyberterrorists and all that jazz.
In other words, Microsoft thought they could strong arm people and those people decided to show Microsoft that being an asshole has repercussions.
Re: (Score:2)
Don't bother, this is Slashdot, where all corporations are evil and releasing zero days and never paying for movies or music is the norm.
Re: (Score:2)
Microsoft IS being irresponsible here and they HAVE been given a chance to play nice. You don't know the back story but this has
vetting? (Score:4, Funny)
If you wish to responsibly disclose a vulnerability through full disclosure or want to join our team, fire off an email to: msrc- disclosure () hushmail com. We do have a vetting process by the way, for any Microsoft employees trying to join.
I wonder how they are going to determine *that*......
Re: (Score:3, Funny)
They test your pee for Mountain Dew.
Re: (Score:2)
At this point, I think I could pass that test at 100%.
Re: (Score:2, Funny)
FTA: ;-)
We do have a vetting process by the way, for any Microsoft
employees trying to join
I wonder how they are going to determine *that*......
I found the below code from their website...
IF RIGHT(strEmail, 14) = "@microsoft.com" THEN
    boolPassedVetting = False
ELSE
    boolPassedVetting = True
END IF
And now, in the true spirit of things...
NOTIFICATION OF 0-DAY VULNERABILITY:
If a user gives an email address under 13 characters in length, then the command will fail, dumping the user to a shell and giving them complete admin access (as the script was running as root of course)
Re: (Score:2)
Re: (Score:2)
Why would they care if a Microsoft employee joins the list? I mean, their policy is to disclose ASAP anyway-- what do they think is going to happen?
Oh, great.... (Score:3, Interesting)
Just what we need: a one-stop shop for 0-day exploit code. Way to improve security, guys! Right on! Stick it to The Man! And by that, I mean the man (or woman) in the next cubicle, or next door, or down the street, or....
I am all for responsible disclosure of vulnerabilities - secrecy does not equal security, and "let's not talk about it and hope nobody notices" is never an appropriate response to vulnerabilities. But responsible disclosure includes working with the vendor, giving them the full data and an opportunity to correct prior to full public disclosure.
If MS is giving researchers the cold shoulder or worse in response to vulnerabilities that are responsibly disclosed to them, that's shame on Microsoft. But to my view, jumping to public disclosure is not the appropriate response.
Re:Oh, great.... (Score:5, Insightful)
They tried that, it did not work so now they do this.
What should they do when "responsible" disclosure gets you either a prompt STFU, they just ignore the problem, or worst case a lawsuit?
Re: (Score:3, Insightful)
Re: (Score:2)
If the vendor does not promptly fix issues perhaps moving to a vendor that does is a better move.
Re: (Score:2)
I don't believe making vulnerabilities public before giving the publisher a chance to fix the problem is in the best interest of computer users.
I would actually debate that with you. Knowing full well that exploits will be promptly publicly published (no pun intended), will force the large software makers to spend a little more time/effort keeping these kinds of exploits from being in their code to begin with. In many cases, a simple vetting process would detect many of these issues at the design stage. The more the computer users suffer the consequences of buggy code being released, the larger their up-roar against the maker of the software demand
The thing is (Score:2, Insightful)
Use responsible disclosure and not only Microsoft, but above all the users of Windows will like you.
Expose them to an unpatched vulnerability and they will love you, uh, less.
Re: (Score:3, Informative)
They tried that. "Responsible" disclosure often results in nothing happening or worst case a lawsuit. It is cheaper for MS to ignore problems than fix them.
Re: (Score:2, Insightful)
They said they'd give MS 30 days to fix a vulnerability. They then proceeded to release an exploit within 5 days.
Not even the majority of linux distributions can have that kind of turn around (at least the distributions that actually test patches before rolling them out).
All these hackers (yes that's what they are) care about is stroking their own ego and giving the impression that by somehow exposing this code to millions of script kiddies (look at the explosion of exploits th
Re: (Score:2)
Malicious Intent (Score:2)
Based on what I've read, this was done intentionally and with malicious intent on the behalf of the researchers in retaliation for the negative attitude Microsoft showed toward Tavis Ormandy. In Tavis' case, I think Microsoft simply had some negative words to say, but in this case, Microsoft can claim that these security researchers intended to damage them based on their threats "that they will continue to do so in response to how Microsoft treated Tavis Ormandy."
It is clear to me that the researchers are
Re: (Score:2)
The bad guys know about them already. (Score:4, Insightful)
The real bad guys most certainly know about these security issues long before they become common knowledge. Responsible would be Microsoft patching their stuff as soon as they learn about an exploit instead of waiting for the known ones to be spread in the wild.
Responsible disclosure is just Microsoft's way of trying to get people to shut up about their crappy security. If Microsoft was the least interested in security they would care more about real security than UAC (put the blame on the user) and playing statistics by making more secure products, hiding patches and grouping patches etc.
Re: (Score:2)
Re: (Score:2)
> Most bad guys aren't skilled enough to find new exploits.
Probably true that _most_ aren't. However, it's a certainty that _some_ are. And some is all it takes.
Parser Error (missing hyphen) (Score:4, Informative)
Microsoft Spurned Researchers Release 0-Day
I get about as far as "Microsoft Spurned Researchers" and then the rest of it doesn't make any sense. Like you need a conjunction or something after "Researchers"...
Or, you know, hyphenate "Microsoft-Spurned" so the damn headline makes sense.
Irrevocable Authenticated Delayed Publication (Score:5, Interesting)
We need an irrevocable authenticated delayed publication mechanism: some way to put a GPG-signed document into a pipeline such that it will be published at the end of X days no matter what anyone (including the author) does. Researchers could then send their discoveries to vendors with the notation "This vulnerability will come out of the IADP system in sixty days". Browbeating them for more time would be pointless and their priority of discovery would be secure.
There are no doubt many other uses for such a system as well.
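A minimal model of the escrow the comment proposes, added here as an illustration and not code from the thread or from any real IADP system. SHA-256 commitments fix priority of discovery at submission time, an HMAC stands in for the GPG signature (an assumption; a real system would verify an asymmetric signature with the author's public key), and the escrow simply exposes no way to withdraw or reschedule an entry, which is what makes the publication irrevocable.

```python
"""Model of an irrevocable authenticated delayed publication (IADP) escrow.

Added example with constructed data. The researcher commits to the advisory
on day 0; the escrow releases the text only after the embargo; anyone can then
check that what was released is what was committed, and who signed it.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Commitment:
    digest: str        # SHA-256 over nonce || advisory, publishable on day 0
    submitted_at: int  # day number the advisory was sealed (priority claim)
    release_at: int    # day number the full text becomes public


@dataclass
class Escrow:
    """Time-locked store. There is deliberately no delete/reschedule method:
    once sealed, an advisory comes out at release_at whatever anyone does."""
    today: int = 0
    _sealed: dict = field(default_factory=dict)  # digest -> (nonce, text, sig, commitment)

    def submit(self, advisory: bytes, author_key: bytes, embargo_days: int) -> Commitment:
        # A random nonce keeps a short advisory from being brute-forced out of
        # its digest before release (hiding), while the digest still binds it.
        nonce = secrets.token_bytes(32)
        digest = hashlib.sha256(nonce + advisory).hexdigest()
        # HMAC stands in for the author's GPG signature (assumption).
        sig = hmac.new(author_key, advisory, hashlib.sha256).hexdigest()
        c = Commitment(digest, self.today, self.today + embargo_days)
        self._sealed[digest] = (nonce, advisory, sig, c)
        return c

    def advance(self, days: int) -> None:
        self.today += days

    def publish(self, digest: str):
        """Return (nonce, advisory, sig) once the embargo has elapsed, else None."""
        nonce, advisory, sig, c = self._sealed[digest]
        if self.today < c.release_at:
            return None
        return nonce, advisory, sig


def verify_release(c: Commitment, nonce: bytes, advisory: bytes,
                   sig: str, author_key: bytes) -> bool:
    """Check the released text matches the day-0 commitment and the author's
    signature, so the priority claim and authorship are both verifiable."""
    ok_digest = hashlib.sha256(nonce + advisory).hexdigest() == c.digest
    expected = hmac.new(author_key, advisory, hashlib.sha256).hexdigest()
    ok_sig = hmac.compare_digest(sig, expected)
    return ok_digest and ok_sig


def run_scenario() -> dict:
    """Walk the sixty-day embargo from the comment with constructed inputs."""
    author_key = b"constructed-researcher-key"  # stand-in for a GPG private key
    advisory = b"Constructed advisory text: local privilege escalation in ExampleService"
    escrow = Escrow()
    c = escrow.submit(advisory, author_key, embargo_days=60)
    early = escrow.publish(c.digest)   # day 0: still sealed -> None
    escrow.advance(30)
    mid = escrow.publish(c.digest)     # day 30: vendor pressure changes nothing
    escrow.advance(30)
    nonce, text, sig = escrow.publish(c.digest)  # day 60: released
    verified = verify_release(c, nonce, text, sig, author_key)
    tampered = verify_release(c, nonce, text + b" (edited)", sig, author_key)
    return {"commitment": c, "early": early, "mid": mid,
            "verified": verified, "tampered": tampered}


if __name__ == "__main__":
    result = run_scenario()
    print("released early:", result["early"] is not None)
    print("release verified:", result["verified"])
    print("edited copy rejected:", not result["tampered"])
```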
Re: (Score:2)
Re: (Score:2)
Analogy:
I have found a common cold virus that can be used as a biological weapon with minimal manipulation. It's highly transmissible and lethal. I contacted the CDC and they told me they weren't interested in developing treatments for it. As a consequence, I have no option but to publicly disclose the methods used in preparing and purifying this reagent (below).
Re: (Score:2)
Shitty analogy, so stop spamming it.
Your analogy would only work if the production of the bioweapon could be accomplished by any 13 year old with enough free time. Then yeah, you would have a fucking obligation to warn people--because it's a given that someone else will figure it out anyway.
Re: (Score:2)
> I contacted every government authority and they all wanted to keep it top ...
> secret...
>
> The ease of discovery and manufacture of this biological terror makes it
> evident that our enemies may make an identical discovery very soon.
You just said you contacted every government authority: our enemies already know,
yes, it is childish (Score:2)
and the attitude of microsoft is parental and dismissive, cold, aloof, and arrogant
and so the attitudes match each other perfectly
the question is: what would you do if you attempted to do the responsible thing and were rebuffed and in fact punished for the effort?
if there is no reward for responsible behavior, don't act surprised when irresponsible behavior prevails
Re: (Score:2)
I'm glad this isn't the standard for our legal systems, else violent crime would rapidly spell an end to the species.
Re: (Score:2)
Yes, as all those years humans survived despite not even possessing a legal code are surely a flawed study.
Re: (Score:2)
BF Skinner is laughing at you from Hell.
Re: (Score:2, Insightful)
Or, how about the reward is that you acted responsibly, doing what you thought was the right thing. Can't that be enough?
"The only reward of virtue is virtue." - Ralph Waldo Emerson
Re: (Score:2)
Interesting idea, but it's worth pointing out that time is a significant factor, and is not directly interchangeable with money. It's more of an inversely proportional relationship. More money equals less and less time taken.
Sometimes you're really, REALLY, just out of time, and absolutely have to ship, and then where do you draw the line? You can't find and fix every single bug ever in a finite time frame (I hope I don't need to discuss the halting problem with the Slashdot crowd, here).
That said, acting t
Re: (Score:2)
Except that that pressure has already taken place, the game already changed, but not that anyone here would believe that. That's why XP SP2/3 happened. And radical changes in Vista, and even further radical changes in Win7, such that many exploits that get released flat out don't work on Vista/Win7.
All of this doesn't negate the time-factor. Beating someone for already agreeing with you, saying "hey, this shit takes time and effort, stop beating us, we'll get to it" and then continuing to beat them strikes
Re:woohhooo I have an opinion (Score:4, Insightful)
what prevents a security flaw from getting fixed? $$$
What causes security flaws to be released ? $$$
Assuming that is mostly accurate, I would then postulate that microsoft protects their profits at the expense of an acceptable amount of security flaws (among a bunch of other stuff)
A new patch released by my company leaves our servers traveling at 60 Internets per second. A 0-day exploit is published. The computer crashes and burns with everyone trapped inside. Now, should we patch the exploit?? Take the number of unpatched systems in the field, A, multiply by the probable rate of failure, B, multiply by the average out-of-court settlement, C. A times B times C equals X. If X is less than the cost of patching the exploit, we don't patch it.
- Tyler Durden
Floor Manager, Microsoft's Security Response Center
Re: (Score:2)
Then use a vendor that fixes issues.
With this public you can now take some actions to protect yourself as opposed to before when you had no idea you were vulnerable.
Re: (Score:2)
"Hope their grandmothers get hacked because they love shouting out vulnerabilities."
My grandmother loves shouting out vulnerabilities, you insensitive clod!
Re: (Score:2)
> Microsoft should count themselves lucky I have no haxor skills and the
> people that do give them any notice in the first place.
Many of them don't, of course. They don't notify anyone. They just go to work subverting your computer.
Re: (Score:2)
Your post would make a lot more sense if there were any evidence that Microsoft is interested in any kind of disclosure at all, responsible or otherwise. But there's not. Pretty clearly, what they want is no disclosure, so they can patch whatever holes they get around to and let the others just sit there. The only time they admit to anything is when they're forced to do so.
Re: (Score:2)
> Contact Microsoft get them to sign NDA...
Mod parent +5 Funny!
Re: (Score:2)
Is Computer Science so much easier than engineering that you can just shift manpower to cover the latest issue?
It's good to see that you have come here to learn and know good questions to ask. Yes, computer science is completely different from engineering; in some ways easier, in others harder. One of the key differences is that, because of the internet, if someone releases a defective product, all installations of that product can be almost instantly reached by attackers. Another is that it's possible to repair all installations without having to send someone to fix them. Another is that most proprietary softwar
Re: (Score:2)
Seriously, the only thing close to a security vulnerability was not running in SSL mode, which already had a simple fix in the user's settings to force SSL. I'm sure there have been vulnerabilities but they fixed them before the public ever got wind. That's how it's supposed to work, by the way.