August 5, 2010

Rogue Security Researchers vs Microsoft Karma Is Brutal

What happens when a giant software company ticks off a group of security researchers? Microsoft is finding out. A group of rogue security researchers calling itself MSRC (Microsoft-Spurned Researcher Collective) announced it will publicize any Windows vulnerabilities it finds, rather than quietly reporting them to Microsoft for the company to patch. The anonymous MSRC researchers are not to be confused with the Microsoft Security Response Center, also MSRC, the group within Microsoft responsible for investigating vulnerabilities. Yesterday, another MS exploit was released.

Their declaration against Microsoft was posted on the Full Disclosure security mailing list.

Due to hostility toward security researchers, the most recent example being of Tavis Ormandy, a number of us from the industry (and some not from the industry) have come together to form MSRC: the Microsoft-Spurned Researcher Collective. MSRC will fully disclose vulnerability information discovered in our free time, free from retaliation against us or any inferred employer.

"We at MSRC would like to help you, the users, work around this issue, but PatchGuard will not allow us ;-("


MSRC offered this workaround: "Microsoft can workaround these advisories by locating the following registry key: HKCU\Microsoft\Windows\CurrentVersion\Security and changing the "OurJob" boolean value to FALSE."

The term "PatchGuard" refers to Kernel Patch Protection (KPP), a feature of x64 editions of Microsoft Windows that prevents patching the kernel. According to Wikipedia, it was first introduced in 2005 with the x64 editions of Windows XP and Windows Server 2003 Service Pack 1.

Microsoft replied that it is investigating that bug, but that the risk to users was minimal. Secunia, a Danish vulnerability tracking firm, agreed with Microsoft, stating that the bug would only affect fully patched versions of Windows Vista Business SP1 and Windows Server 2008 Enterprise SP1 and SP2.

On Monday, Secunia published an advisory that outlined a "moderately critical" bug in Windows 2000 and Windows XP that could be used to hijack PCs.

On Tuesday, however, the Microsoft-Spurned Researcher Collective hit MS a bit harder. MusntLive released a "serious Microsoft MS SQL advisory" along with a note to "Free Travis!" According to the disclosure, this exploitable MS SQL data execution prevention violation is "Up for sale to highest bidder (serious replies only) 6 0-day PoC's in MS SQL."

Microsoft declined to comment when I emailed the company for a quote regarding the new full disclosure.

What escalated the tension between Microsoft and the security researchers who, in their free time and for free, find security vulnerabilities in MS products and report them to MS in confidence was the case of Tavis Ormandy.

Ormandy found a security vulnerability in Windows XP's Help and Support Center and gave Microsoft five days' heads-up, while communicating with MS about a patch, before publishing proof-of-concept code demonstrating how to exploit it. Ormandy was a Swiss Google employee, but working for Google had nothing to do with it; the Microsoft-Spurned Researcher Collective seems very displeased that Ormandy's employer was mentioned at all. The rights and wrongs of public disclosure, and of responsible versus irresponsible disclosure of security exploits, hit the fan in security circles. Microsoft reported that it has tracked more than 10,000 separate attacks that used the Windows XP zero-day exploit.

Sophos Senior Security Advisor Chester Wisniewski said on his firm's blog last week, "While these attacks are very serious, it strikes me as some classic PR on Microsoft's part to release a statistic like this while trying to blame Google for Tavis's 'irresponsible disclosure.' Has Microsoft commented on the hundreds of thousands of Windows PCs infected with the ZBot Trojan? How about malicious PDFs? It seems that Microsoft is putting on the full court press to make a point about how they want vulnerability disclosures to be handled."

Disclosing vulnerabilities into the wild is a hotbed of contention. Some justify the ethical gray area when they feel that the discovered flaw needs to be patched sooner rather than later. Some security and IT professionals back Microsoft and "responsible disclosure," stating that any vendor needs 60 days minimum to examine the vulnerabilities before coming up with a patch. Other security professionals believe public pressure from end-users will force Microsoft to close the exploit instead of being tempted to ignore it. Still others consider zero-day disclosures something done only by cyber security vigilantes. The other side of that coin is that freelance security researchers who point out problems to be patched are tired of the private reporting mechanism and apparent games by Microsoft. Perhaps the biggest winners here are the hackers who exploit the disclosed holes in the various Microsoft products.

That means the biggest losers are the enterprises, whose networks fall prey to hackers while the so-called white hats squabble.

Microsoft-Spurned Researcher Collective claims to be recruiting and checks to ensure no Microsoft employees infiltrate their ranks. "If you wish to responsibly disclose a vulnerability through full disclosure or want to join our team, fire off an email to: msrc-disclosure () hushmail com," the statement reads. This war seems to be heating up, with zero-day vulnerabilities being fully disclosed right and left.

Well
By h0h0 rux (not verified) on Wed, 07/07/2010 - 11:10pm.

You know, full disclosure is almost as bad as reporting the problem to the vendor. So your PoC is wild and that introduces the sect of lamer we like to refer to as the "script kiddie".

Let's talk about real security:
- Support non-disclosure!
- Do not distribute your 0dayz.
- Trust nobody.
- Stay thirsty, friends




Microsoft's Fault...
By DDayDawg (not verified) on Wed, 07/07/2010 - 11:34pm.

If Microsoft would treat these people properly it wouldn't be happening. You have people willing to give of their own free time to help your company find security holes in your software and you treat them like crap?

Of course, this is hardly surprising considering how Microsoft has been run since that clown was put in charge. Why in the hell anyone would trust Ballmer with a company is beyond me. He proves over and over that he is unfit to lead.




you are a moron. This is
By Anon (not verified) on Thu, 07/08/2010 - 12:23pm.

you are a moron. This is the most ignorant act I have ever seen anyone take against a company. And the reason it's ignorant is because Windows USERS are the ones that are going to get the shit end of the stick here. Microsoft might be a bunch of dicks, but in this case I'm going to have to side with them, as opposed to this group of elitist assholes that would rather fuck over the average everyday Windows user cause they can't clearly think through their actions. Anyone who disagrees with this statement can go shove their elitist dicks in a toaster and set it on high.




Wow
By Jo Dean (not verified) on Thu, 07/08/2010 - 12:46am.

OK, that makes a lot of sense now dude.

Lou
www.web-anonymity.au.tc




Selfish
By JoshuaQ (not verified) on Thu, 07/08/2010 - 1:31am.

It's not Microsoft that suffers, it's the consumers who realistically lack choice. A decent product in Windows, a bad one in Apple, and a good one but hard for most consumers to use in Linux? Publishing these outside of Microsoft only makes it easier to exploit.




LOL...
By Anon (not verified) on Thu, 07/08/2010 - 1:35am.

A 0-day exploit does not mean that it is newly discovered, it only means that it has been in the wild for less than a day... If your company is receiving help from anon users then you should embrace it fully. If you do not and prosecute the person for disclosing it to you... do I need to add that you're retarded?




re:Lol
By Anon (not verified) on Thu, 07/08/2010 - 8:46pm.

0-day does NOT mean that it is in the wild for less than a day. Also the guy was not prosecuted, he was publicly called a dick for doing the absolute wrong thing - not giving reasonable time for the software vendor to patch their product. Travis and these MSRC clowns are doing this to get their rocks off. Period. And MS is the biggest target. Look in the CERT Vul reports for php vulns, they are a penny a dozen; none get the hype to get their rocks off. All software vendors respect reasonable disclosure. For MS to investigate the issue across all client and server releases is a time consuming task, let alone an assessment of the impact, creating patches for all flavors of the OSes, and testing.

you really don't want them rushing out patches, it will be a much bigger mess.

"free travis" - get a life, effin clown shoes...




an easily preventable but fair reaction to microsoft's actions
By dindinchoumeishu (not verified) on Thu, 07/08/2010 - 10:43am.

never refuse help that is coming from something or someone greater than you. don't worry people, it's not like microsoft was using the information disclosed to them to patch their crap OS in any sort of hurry anyways.




enlightening
By Anon (not verified) on Thu, 07/08/2010 - 8:53pm.

"never refuse help that is coming from something or someone greater than you."

so enlightening, must never refuse help from a bunch of clowns seeking to push you down to make themselves look better. that makes sense. i usually call that crap self-righteousness.

now shut up.




smart money says abandon microsoft
By Anon (not verified) on Thu, 07/08/2010 - 3:42pm.

with this kind of in-fighting developing in the microsoft community, cooler heads might conclude that another platform is in order. Neither party is entirely in the right here, and those who observe that the hackers are the big winners and Windows users are the big losers in this skirmish are spot-on. If MS is going to antagonize the security community to the point that they all go blackhat and start auctioning off exploits, that will hurt every person and every company trying to make a living in the windows platform ecosystem.

At the end of the day, someone has to be the bigger man and do the right thing. Doesn't look like either MS or the security researchers are stepping up, so I guess it'll have to be their collective customers.