Disgruntled security researchers take aim at Microsoft

[nsane.forums]

Displeased with the way Microsoft handled the disclosure of a security flaw last month, a group of anonymous researchers has decided to take a more aggressive stance against the company. The group, calling itself the Microsoft-Spurned Researcher Collective (a mockery of Redmond's Microsoft Security Response Center), will perform anonymous full disclosure of any security flaws that it discovers.

The anonymous group asserts that Microsoft has displayed a pattern of hostility towards security researchers, with last month's flaw being the most recent example. Tavis Ormandy, an employee with Google, discovered a flaw in the way that the Windows Help and Support Center in Windows XP handled input. This flaw could be used to attack users of that operating system. Ormandy informed Microsoft of his findings, but after five days deemed the software giant's response inadequate, and so made a full public disclosure of the problem.

This is at odds with the disclosure policy preferred by Microsoft and many other software vendors—including Google. These companies advocate what they call "responsible disclosure," in which communication of the flaw is kept private until a suitable patch or fix can be made available.

Subsequent to this disclosure, Microsoft claims that more than 10,000 systems have been attacked, with a number of malicious payloads being used.

A blog post from Microsoft expressed dissatisfaction with the full disclosure decision, claiming that it had not given the company enough time to accurately assess and analyze the flaw. Moreover, the post referred to him as a Google employee. Though this is accurate, Ormandy asserts that his bug report was independent of Google, and thus that his employer's name should not have been mentioned.

It is this treatment that appears to have provoked the creation of the researcher "collective." The post announcing the collective's existence also included details of a flaw in Windows Vista and Windows Server 2008. The flaw can be used to perform denial-of-service attacks against Windows machines, by crashing them, and is of a kind that could feasibly be used to allow privilege escalation.

This new flaw is deemed to be low-risk by both Microsoft and others. To exploit the flaw, an attacker must already be able to run malicious code on a system, and the proof-of-concept shows only the ability to crash a machine with a Blue Screen of Death; though inconvenient, this denial of service does not pose the same risks as arbitrary code execution or data disclosure.

The Microsoft-Spurned Researcher Collective welcomes other researchers to join, though Microsoft employees are not welcome: it notes that it has a "vetting process" to weed them out.

View: Original Article