
Microsoft Spurned Researchers Release 0-Day

kdawson posted more than 4 years ago | from the that's-sure-to-help dept.

Security 246

nk497 notes the news that a group of researchers calling themselves the Microsoft-Spurned Researcher Collective (the name is a play on Microsoft's Security Response Center) have come together to protest Microsoft's perceived heavy-handedness towards researchers who disclose security flaws. Pushed into action by the reception to the flaw disclosed by Tavis Ormandy, the group has released full details and exploit code for a previously unknown Windows local privilege escalation vulnerability. The advisory for the vulnerability, which affects Windows Vista and Windows Server 2008, contains the following manifesto: "Due to hostility toward security researchers, the most recent example being of Tavis Ormandy, a number of us from the industry (and some not from the industry) have come together to form MSRC: the Microsoft-Spurned Researcher Collective. MSRC will fully disclose vulnerability information discovered in our free time, free from retaliation against us or any inferred employer."


So... (4, Insightful)

fuzzyfuzzyfungus (1223518) | more than 4 years ago | (#32814486)

Perhaps being a little more... diplomatic would be a good idea when dealing with the (sometimes rather ego-driven) people who know how to hack your box...

Re:So... (-1, Troll)

poetmatt (793785) | more than 4 years ago | (#32814508)

what makes you think that people who discover 0 days couldn't use them to hack microsoft?

your point = moot

Re:So... (1, Funny)

Anonymous Coward | more than 4 years ago | (#32814558)

Read it again, Matt. That's exactly the point that he was making.

Re:So... (-1, Troll)

poetmatt (793785) | more than 4 years ago | (#32814864)

wha? my point was that both our points were moot. *WHOOSH*.

Re:So... (5, Insightful)

Crudely_Indecent (739699) | more than 4 years ago | (#32814602)

People who really want to do damage wouldn't release the code publicly. They would keep it quiet so they can do maximum damage. The point of releasing this information is to prompt the vendor to fix it......and probably gain more street cred.

Re:So... (3, Insightful)

Jah-Wren Ryel (80510) | more than 4 years ago | (#32815164)

The point of releasing this information is to prompt the vendor to fix it......and probably gain more street cred.

Except that in this case it sounds like the entire point of this MSRC organization is to hide the identity of the guy who found the exploit in the first place. By using the MSRC umbrella to release the info it shields the individual from retaliation. So some street cred goes to the MSRC in general but that's not particularly useful for the guys doing the actual work.

Re:So... (0)

Anonymous Coward | more than 4 years ago | (#32816108)

My moot = point.

Check, mate, and goal!

Re:So... (1, Flamebait)

sonnejw0 (1114901) | more than 4 years ago | (#32814612)

Motives be damned, as far as Microsoft knows, anyone that discovers a security vulnerability is a potential extortionist and they'll treat you that way.

What is it these people are looking for from Microsoft? Recognition that they found a vulnerability that anyone else could have found? Money or employment, maybe a resume booster? Why would anyone BOTHER to go looking for vulnerabilities in the largest operating system in the world for ALTRUISTIC reasons? It doesn't make sense. Did they expect anything other than being "spurned"? Honestly ...

Re:So... (1, Offtopic)

gandhi_2 (1108023) | more than 4 years ago | (#32814708)

s/Microsoft/Just About All Major Software Companies/

Re:So... (5, Insightful)

MightyYar (622222) | more than 4 years ago | (#32814726)

Why would anyone BOTHER to go looking for vulnerabilities in the largest operating system in the world for ALTRUISTIC reasons?

Can you come up with a logical reason for jigsaw puzzles?

Puzzles are fun. This is a particularly geeky and difficult sort of puzzle - it shouldn't surprise you in the least that people do it as a hobby. It also shouldn't surprise you that people who are treated poorly might seek revenge.

Re:So... (0)

Anonymous Coward | more than 4 years ago | (#32814794)

Are you completely retarded? Because they want them fixed! STO doesn't work so people resort to this.

Re:So... (0)

Anonymous Coward | more than 4 years ago | (#32814902)

Actually...I think for the most part, these guys do it for altruistic reasons, in that they would prefer to have a safe/secure operating system that they paid for. Some of them not so much....

The problem I think is that they keep expecting/hoping (falsely) that some day M$ would stop acting like a dangling turd on Steve Ballmer's hemorrhoid-ridden ass. Just not about to happen...but keep the faith...

Re:So... (1)

dwinks616 (1536791) | more than 4 years ago | (#32815144)

I highly doubt any of these guys use Windows...

Re:So... (1)

m.ducharme (1082683) | more than 4 years ago | (#32816014)

But presumably they maintain the Windows boxen of their families....

Re:So... (5, Insightful)

Dripdry (1062282) | more than 4 years ago | (#32815028)

It's probably a combination of ego/fun/being tired of MS being a bunch of dickweeds regarding security. What's wrong with one having pride in one's profession, and doing something about it when you see that it's going down the tubes?

Re:So... (5, Insightful)

Lord Ender (156273) | more than 4 years ago | (#32815386)

The security industry works by reputation. Having published research (ex: "CVE 8675309 discovered by Joe Haxo of Secu-Tech Consulting") bolsters your reputation.

Security researchers want vendors to disclose and patch the vulnerabilities, recognizing the researchers by name.

If the vendors ignore the researchers, the researchers have no obligation toward the vendors. Hence, 0-day publication. If you let vendors sit on your research forever, someone may beat you to the punch and publish anyway.

Great stuff (0)

Anonymous Coward | more than 4 years ago | (#32814542)

Happy days for us black hats!

Re:Great stuff (0)

Anonymous Coward | more than 4 years ago | (#32814624)

Like you Blackhats can't get this kind of information on your own. No, no. You're just waiting around for information to come from public disclosure. Without that, you guys can't do a single thing. Zero-days don't exist without full public knowledge. Sure.

All these internet "radicals" (5, Funny)

countertrolling (1585477) | more than 4 years ago | (#32814546)

No wonder the government wants an off switch...

Not to side with Microsoft, but... (5, Interesting)

dawilcox (1409483) | more than 4 years ago | (#32814578)

It seems that people are upset with Microsoft because 1) they have software vulnerabilities in their OS and 2) they do too little too late to fix these vulnerabilities before hackers start exploiting them.
This group cannot control one of these points (that Microsoft builds vulnerabilities into their OS). However, they can control the second point, by giving Microsoft advance notice and time to fix the vulnerabilities well before disclosing the vulnerabilities to the public.
It seems a bit hypocritical to me to accuse Microsoft of doing too little, too late to fix vulnerabilities, and then release unfixed vulnerabilities to the public.

Re:Not to side with Microsoft, but... (4, Insightful)

Spad (470073) | more than 4 years ago | (#32814632)

I think that their point, regardless of its validity, is that when people go to Microsoft and say "I've found this vulnerability, here's the detail and PoC, please fix it", they often sit on it for weeks, months or sometimes years before they take any action.

Now, I appreciate that MS can't turn on a dime like some smaller companies and they have a shitload of regression testing and QA to do, but in the cases where highly critical bugs have been known about for years and persisted into *new* versions of OSs and Applications, you can understand why people get upset.

Re:Not to side with Microsoft, but... (1, Interesting)

Anonymous Coward | more than 4 years ago | (#32814790)

So why can't the group release all exploits they found after a specific period of time, say, 3 weeks? So whenever they have the working exploit, they email Microsoft with the exploit, and then tell them they're going to release the exploit in X weeks. That way, not only are they aware of the problem, but they cannot delay the fix forever (well they can, but they probably won't once it's out there.)

Re:Not to side with Microsoft, but... (5, Insightful)

Aladrin (926209) | more than 4 years ago | (#32814960)

They can. But when this has been done in the past, no matter the time limit given, Microsoft has publicly chastised them for it. The result is this news article.

To Add to this (5, Insightful)

abulafia (7826) | more than 4 years ago | (#32815954)

It seems like the lesson has to be relearned periodically.

This same debate reappears like sunspots. Full Disclosure v. Responsible Disclosure. Black/Gray/White hats.

The funny part here is that Microsoft itself seems to have forgotten how the script goes.

  1. Researcher finds exploit.
  2. Researcher notifies vendor.
  3. Vendor stalls for far longer than is reasonable.
  4. Researcher becomes frustrated, because
    1. In the mean time, systems are vulnerable,
    2. Making your name with your discoveries is very important career-wise for some types of researchers, and if a blackhat finds it before the vendor stops stalling, they lose that cred.
    3. Researcher feels played by vendor, who at least seems (and usually is) lying and stalling. So,
  5. Researcher starts releasing exploits either without contacting, or after giving non-negotiable windows of time.
  6. Maybe some less responsible types do some damage.
  7. Everyone wrings their hands over what to do, what to do. Slashdot posts occur. Some hack makes their article quota for the month at Computerworld.
  8. Repeat.

MS, Sun, Oracle, Cisco, HP, they've all been through this cycle. You'd think they'd figure out that mission critical software requires a responsive, competent security response team. And they do figure it out. It just seems that the lesson has to be relearned every so often - prying the PR barnacles off the hull, so to speak.

Re:Not to side with Microsoft, but... (0)

Anonymous Coward | more than 4 years ago | (#32814970)

"Fix your problem or we'll exploit it in 3 weeks!" Sounds a bit like extortion, eh? Perhaps it is not, but Microsoft sure would advertise it this way, and these people are now "cyberterrorists", even though they're doing the responsible thing.

Re:Not to side with Microsoft, but... (1, Troll)

Mitsoid (837831) | more than 4 years ago | (#32814956)

Unfortunately I'm with the security people on this.

Disclosure of vulnerabilities is the only way to get them fixed. On top of that, how does a "security researcher" validate their claims of finding bugs if they don't release them?

If a researcher gives a week/2 week notice, then releases their information -- as far as I'm concerned they're clear -- They gave notice, then published their findings for the community / other researchers. Yes it's used by hackers too, but if we hide *everything* we learn less. If someone notices a problem in Microsoft's {insert function here} code, perhaps {Another company} with similar code has the same vulnerability, and would benefit from the knowledge?

Re:Not to side with Microsoft, but... (2, Interesting)

Fulcrum of Evil (560260) | more than 4 years ago | (#32815854)

Nowadays, if you give notice, the company will probably spend that time getting a gag order. Best to raise the flag, drop the blade, and watch the rolling head.

Re:Not to side with Microsoft, but... (0, Troll)

GNUALMAFUERTE (697061) | more than 4 years ago | (#32816032)

We don't want them fixed. Nobody with any kind of real knowledge uses anything from Microsoft. Don't come to me with that whole "they use it at my company". That means you have a shitty job, and you aren't really that good at what you do. If you are administering Windows servers, or any kind of Windows-based service, you are on the shitty tier of IT recruitment.

Finding vulnerabilities in Windows isn't really my area, or anywhere near it, but if it were, and I was sitting on a 0-day, I would release it alongside both source and object of the PoC so the script kiddies can start using it right away.

Re:Not to side with Microsoft, but... (1)

afabbro (33948) | more than 4 years ago | (#32815602)

I think that their point, regardless of its validity, is that when people go to Microsoft and say "I've found this vulnerability, here's the detail and PoC, please fix it", they often sit on it for weeks, months or sometimes years before they take any action.

...thereby delaying the security researcher's ability to cash in on his "I first discovered the BLAH.X vulnerability which Microsoft issued a HotFix for" credentials. That's what they're really angry about.

Holehunters are mostly about trying to look cool and make money. Sorry, but it's true - their work has value and perhaps stroking their egos is the price you pay for having people hack at your stuff for free, but their motivations are (1) ego, (2) looking cool as a hacker, (3) cashing in, ..., (999) improving computer security.

Re:Not to side with Microsoft, but... (4, Interesting)

kimvette (919543) | more than 4 years ago | (#32814728)

It seems that people are upset with Microsoft because 1) they have software vulnerabilities in their OS and 2) they do too little too late to fix these vulnerabilities before hackers start exploiting them.

You forgot 3) but they don't neglect fixing holes in the activation process, even if they end up creating false alerts and block activation of legitimate IDs.

Re:Not to side with Microsoft, but... (1)

Karunamon (1845630) | more than 4 years ago | (#32814740)

They could have at least kept them in the loop instead of being complete jerks about it. Serves Microsoft right. If Microsoft doesn't want people telling others how to break their OS, they'd better play nice with those people. You don't play hardball with someone with nothing to lose.

Re:Not to side with Microsoft, but... (1)

Americano (920576) | more than 4 years ago | (#32814894)

You don't play hardball with someone with nothing to lose.

Nor is it particularly wise to play fast and loose with a company with billions of dollars to burn and a corporate legal team that makes prison-yard thugs look like old ladies in muumuus.

Neither response makes me more secure, so why should I be thanking Microsoft, or their jilted lovers?

Re:Not to side with Microsoft, but... (1)

John Hasler (414242) | more than 4 years ago | (#32815748)

> Neither response makes me more secure...

How does being notified of vulnerabilities in the software you are running not make you more secure? If "security researchers" have a responsibility to tell anyone about security bugs they find it is the users who the bugs put at risk.

Re:Not to side with Microsoft, but... (1)

jgagnon (1663075) | more than 4 years ago | (#32814924)

All too often the problem is that they HAVE notified Microsoft and even months later Microsoft hasn't done anything to fix the problem. How long do you wait around and watch inaction before you become a "complete jerk" and report the issue to the public? Keep in mind that the hackers likely already know about the issue long before the public does. A company keeping their head in the sand over an issue does not mean others cannot see the problem.

Re:Not to side with Microsoft, but... (1)

Karunamon (1845630) | more than 4 years ago | (#32814998)

No no no, you misunderstood. I meant MICROSOFT could have kept THE RESEARCHERS in the loop. If MS doesn't want to play nice with the security researchers, they really shouldn't be surprised when the researchers.. um... research security.

Re:Not to side with Microsoft, but... (1)

jgagnon (1663075) | more than 4 years ago | (#32815166)

Sorry, I was getting a little jumpy there. Agreed, full disclosure from both sides serves everyone best. Chances are very good that the hackers already know about the issue long before the public does anyway. I would bet even some researchers feed the hacker network as well as people from Microsoft and other companies. Likely neither would admit as such, though.

Re:Not to side with Microsoft, but... (1)

alien9 (890794) | more than 4 years ago | (#32815194)

Actually this is a (somewhat aggressive) response to the previous attitude from Microsoft regarding disclosures.

Re:Not to side with Microsoft, but... (0, Offtopic)

Blakey Rat (99501) | more than 4 years ago | (#32815562)

Meanwhile, everybody's ignoring the sieve-like Adobe suite of products which are infecting thousands of new computers every day.

Grow up (0)

Anonymous Coward | more than 4 years ago | (#32814588)

I can't stand the righteousness of these guys. Hope their grandmothers get hacked because they love shouting out vulnerabilities.

Dumbdumbdumbdumbdumb (4, Insightful)

Saint Stephen (19450) | more than 4 years ago | (#32814596)

MS has to test stuff to make sure the fix doesn't make things worse. Decisions get made, people don't like the outcome. But recklessly announcing security holes is just dumb, and isn't helping anyone.

fail.

Re:Dumbdumbdumbdumbdumb (0)

Anonymous Coward | more than 4 years ago | (#32814688)

you have to fight fire with fire, no one said the fire had to be smart

Re:Dumbdumbdumbdumbdumb (4, Insightful)

Itninja (937614) | more than 4 years ago | (#32814734)

Large US corporations care more about avoiding highly publicized lawsuits than 'doing the right thing'. By calling MS out by announcing to the world their Windows flaws, it forces MS to either publicly refuse to fix the issue or put some of the ample resources on fixing it. Refusing to fix it will certainly spawn lawsuits (or even government action). That's sure good for everyone...

Re:Dumbdumbdumbdumbdumb (2, Interesting)

Saint Stephen (19450) | more than 4 years ago | (#32814832)

Limited worldview, stupid assumptions. It's just childish to assume that MS delays action on a patch because "it hurts their feelings". It's far smarter to realize they have to manage the process in a controlled way.

Now, bureaucracy means things get done slower than some people wish - that's a fair gripe. But a far smarter way to handle it would be to announce there's X issues that Microsoft is Y days behind on patching rather than detailing what the issues are, correct?

That way you'd get your point across without being destructive to the rest of us.

Re:Dumbdumbdumbdumbdumb (4, Informative)

cynyr (703126) | more than 4 years ago | (#32814978)

But let's say something needs port 11234 open in both directions to work*. A sysadmin that knows about the flaw (before the fix is out) can make some attempts to limit his exposure to the flaw. Without that info in the wild he thinks he's safe and all is well while he gets backdoored.... Some of these flaws have ways to limit or remove exposure to them while the vendor is producing a fix. You may be able to disable a feature, firewall off the machines that need to run it, block all connection attempts on a port with a payload that matches "foobar". Making sure people know that helps lessen the problem while the fix is getting out. Also it does apply pressure on the vendor to fix it fast as all of the people with support contracts are bugging them for a fix for "the foobar bug". There have been few recently discovered bugs that can't be band-aided, so the harm is really only to the people that don't follow security in the first place (home users that put their birthday PIN and mother's maiden name into any form they see on the internet).

*Bad example i know as all ports not known to be doing something useful should be blocked in both directions, but you get the idea.

Re:Dumbdumbdumbdumbdumb (1)

VGPowerlord (621254) | more than 4 years ago | (#32815676)

But let's say something needs port 11234 open in both directions to work*. A sysadmin that knows about the flaw (before the fix is out) can make some attempts to limit his exposure to the flaw. Without that info in the wild he thinks he's safe and all is well while he gets backdoored.... Some of these flaws have ways to limit or remove exposure to them while the vendor is producing a fix. You may be able to disable a feature, firewall off the machines that need to run it, block all connection attempts on a port with a payload that matches "foobar". Making sure people know that helps lessen the problem while the fix is getting out. Also it does apply pressure on the vendor to fix it fast as all of the people with support contracts are bugging them for a fix for "the foobar bug". There have been few recently discovered bugs that can't be band-aided, so the harm is really only to the people that don't follow security in the first place (home users that put their birthday PIN and mother's maiden name into any form they see on the internet).

*Bad example i know as all ports not known to be doing something useful should be blocked in both directions, but you get the idea.

er... you don't see a difference between telling people "You should block port 11234 on your firewall because of a potential exploit in X." and "X is vulnerable, doing Y on port 11234 allows you to run arbitrary commands through it."?

Re:Dumbdumbdumbdumbdumb (1)

Itninja (937614) | more than 4 years ago | (#32816090)

But a far smarter way to handle it would be to announce there's X issues that Microsoft is Y days behind on patching rather than detailing what the issues are, correct?

Totally agree. But MS has known about serious security holes sometimes for years (coming out with new OS versions in the meantime) and done nothing. When the new OS is out, the problem still is there....

Re:Dumbdumbdumbdumbdumb (2, Informative)

Blakey Rat (99501) | more than 4 years ago | (#32815684)

Large US corporations care more about avoiding highly publicized lawsuits than 'doing the right thing'. By calling MS out by announcing to the world their Windows flaws, it forces MS to either publicly refuse to fix the issue or put some of the ample resources on fixing it.

Microsoft already puts ample resources on fixing it. Jesus Christ, haven't any security researchers read "No Silver Bullet?" There's no reason to believe that Microsoft can do anything to speed up this process in the short term-- putting a freakin' ad in the paper reading, "wanted: 46 random people on the street to fix security holes" isn't going to help!

Look, Windows is a HUGE product. Last I heard, it takes something like 12-15 hours JUST TO BUILD. God knows how long the regression testing takes.

Re:Dumbdumbdumbdumbdumb (0)

Anonymous Coward | more than 4 years ago | (#32814804)

Not true. It's just helping people who would actively exploit it.

If MS doesn't have their very large and very extensively employed software shop in order, boo-fucking-hoo! Let the chips fall where they may.

Re:Dumbdumbdumbdumbdumb (5, Insightful)

Guil Rarey (306566) | more than 4 years ago | (#32814974)

MS has to test stuff to make sure the fix doesn't make things worse. Decisions get made, people don't like the outcome. But recklessly announcing security holes is just dumb, and isn't helping anyone.

fail.

Excuse me. Corporations release crap products that cause problems and then refuse to man up and take responsibility for fixing them. Not exactly news, no.

  But when corporations behave with the ethical and moral standards of petulant spoiled children - like Microsoft consistently, persistently does - then they have earned exactly what they get, including pretty much any and all guerilla tactics to smack them into behaving.

Re:Dumbdumbdumbdumbdumb (4, Insightful)

Rakishi (759894) | more than 4 years ago | (#32815310)

There's QA of a bugfix and then there's sitting on it for months or years. Apparently Microsoft likes to do the latter often enough to annoy people.

People have apparently tried to give Microsoft some time to fix bugs before making them public. Microsoft promptly attacked them for being hackers, cyberterrorists and all that jazz.

In other words, Microsoft thought they could strong arm people and those people decided to show Microsoft that being an asshole has repercussions.

Re:Dumbdumbdumbdumbdumb (1)

gad_zuki! (70830) | more than 4 years ago | (#32815536)

Dont bother, this is slashdot where all corporations are evil and releasing zero days and never paying for movies or music is the norm.

vetting? (3, Funny)

LordPhantom (763327) | more than 4 years ago | (#32814598)

FTA: Current MSRC Members (alphabetical order!): XX XXXXXX XXXX XXXXXXXX XXXXX XXX XXXXXXX XXXXXXX XXXXXX XXXXXXXXX XXXXX XXXXXXXX

If you wish to responsibly disclose a vulnerability through full disclosure or want to join our team, fire off an email to: msrc- disclosure () hushmail com We do have a vetting process by the way, for any Microsoft employees trying to join ;-)


I wonder how they are going to determine *that*......

Re:vetting? (2, Funny)

BlueBoxSW.com (745855) | more than 4 years ago | (#32814642)

They test your pee for Mountain Dew.

Re:vetting? (1)

Nadaka (224565) | more than 4 years ago | (#32814718)

At this point, I think I could pass that test at 100%.

Re:vetting? (0)

Anonymous Coward | more than 4 years ago | (#32814760)

An even easier test, involving no bodily fluids whatsoever: a standard (sterilized) comb is run through the applicant's neckbeard, and then sent off to a lab to analyze for the presence of Cheetos crumbs.

Re:vetting? (2, Funny)

Anonymous Coward | more than 4 years ago | (#32815198)

FTA:
We do have a vetting process by the way, for any Microsoft
employees trying to join ;-)

I wonder how they are going to determine *that*......

I found the below code from their website...

IF RIGHT(strEmail,14) = "@microsoft.com" THEN
        boolPassedVetting = False
ELSE
        boolPassedVetting = True
END

And now, in the true spirit of things...

NOTIFICATION OF 0-DAY VULNERABILITY:
If a user gives an email address under 13 characters in length, then the command will fail, dumping the user to a shell and giving them complete admin access (as the script was running as root of course)
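The suffix check in the snippet above, as an added example that is not from the post: a line-for-line Python equivalent of the posted `RIGHT(strEmail,14)` comparison beside a check that parses the address and compares the domain itself, folding case, dropping a trailing dot, catching subdomains and failing closed on malformed input. The blocked domain, the sample addresses (including ones shorter than 14 characters) and the function names are assumptions constructed for this demonstration.

```python
"""Email-domain vetting: the posted 14-character suffix check beside a
parsed-domain check. Added example, not code from the post; the blocked
domain and the sample addresses are assumptions constructed for the demo."""

BLOCKED_DOMAINS = frozenset({"microsoft.com"})


def naive_vetting(email: str) -> bool:
    """Python equivalent of the posted snippet: compare the last 14
    characters with the literal "@microsoft.com". Returns True when the
    applicant passes vetting. Case-sensitive, and blind to subdomains,
    trailing dots and malformed input."""
    return email[-14:] != "@microsoft.com"


def parse_domain(email: str):
    """Split a plain user@domain address and return the normalised domain,
    or None when the address is malformed. Quoted local parts and IP
    literals are out of scope for this demo (assumption)."""
    if email.count("@") != 1:
        return None
    local, domain = email.split("@")
    if not local or not domain:
        return None
    domain = domain.strip().rstrip(".").lower()  # fold case, drop trailing dot
    if not domain or any(not label for label in domain.split(".")):
        return None                               # empty label, e.g. "a@b..c"
    return domain


def hardened_vetting(email: str, blocked=BLOCKED_DOMAINS) -> bool:
    """Fail closed on malformed input; reject a blocked domain and any
    subdomain of it; accept everything else."""
    domain = parse_domain(email)
    if domain is None:
        return False
    for b in blocked:
        if domain == b or domain.endswith("." + b):
            return False
    return True


# Constructed sample addresses (not from the thread).
SAMPLES = [
    "alice@example.org",          # ordinary applicant
    "bob@microsoft.com",          # the case the posted check handles
    "Carol@MICROSOFT.COM",        # case variation slips past a byte compare
    "dave@microsoft.com.",        # trailing dot, same mailbox in practice
    "erin@corp.microsoft.com",    # subdomain
    "a@b",                        # well under 14 characters
    "no-at-sign",                 # malformed
    "two@@microsoft.com",         # malformed, also ends with the literal
]


def compare(emails=SAMPLES):
    """Return {email: (naive_result, hardened_result)} for each sample."""
    return {e: (naive_vetting(e), hardened_vetting(e)) for e in emails}


def disagreements(emails=SAMPLES):
    """Addresses on which the two checks give different answers."""
    return [e for e, (n, h) in compare(emails).items() if n != h]


if __name__ == "__main__":
    for e, (n, h) in compare().items():
        print(f"{e:28} naive={n!s:5} hardened={h}")
```

Running the block prints both verdicts for each sample; the two checks agree only on the plain cases, and the hardened version rejects the case-shifted, trailing-dot and subdomain variants that the byte comparison waves through, while refusing to decide on an address it cannot parse.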

Re:vetting? (1)

Demonantis (1340557) | more than 4 years ago | (#32815418)

Why should they vet? Everyone should keep each other at arm's length. It is not like they have to meet in person or are trying to keep what they are doing secret or anything. This just makes it sound like some clubhouse of children with secret passwords. Makes me wonder if they are attached to their ideals and how much of it is playing secret agents.

Re:vetting? (1)

Blakey Rat (99501) | more than 4 years ago | (#32815834)

Why would they care if a Microsoft employee joins the list? I mean, their policy is to disclose ASAP anyway-- what do they think is going to happen?

I'm forming a similar collective (-1, Offtopic)

Anonymous Coward | more than 4 years ago | (#32814600)

...of researchers spurned by Megan Fox.

Plans include calling Brian Austin Green a fag a lot.

Oh, great.... (2, Interesting)

bobdehnhardt (18286) | more than 4 years ago | (#32814692)

Just what we need: a one-stop shop for 0-day exploit code. Way to improve security, guys! Right on! Stick it to The Man! And by that, I mean the man (or woman) in the next cubical, or next door, or down the street, or....

I am all for responsible disclosure of vulnerabilities - secrecy does not equal security, and "let's not talk about it and hope nobody notices" is never an appropriate response to vulnerabilities. But responsible disclosure includes working with the vendor, giving them the full data and an opportunity to correct prior to full public disclosure.

If MS is giving researchers the cold shoulder or worse in response to vulnerabilities that are responsibly disclosed to them, that's shame on Microsoft. But to my view, jumping to public disclosure is not the appropriate response.

Re:Oh, great.... (4, Insightful)

h4rr4r (612664) | more than 4 years ago | (#32814858)

They tried that, it did not work so now they do this.

What should they do when "responsible" disclosure gets you either a prompt STFU, the just ignore the problem or worstcase a lawsuit?

Re:Oh, great.... (1, Insightful)

Anonymous Coward | more than 4 years ago | (#32815546)

The named researcher gave them 5 days to fix a vulnerability. Even today, no easy solution for that has been found and the said "security researcher" (paid by Google) really released the exploit publicly. Since then it has been exploited. So you STFU.

Re:Oh, great.... (0)

h4rr4r (612664) | more than 4 years ago | (#32816042)

They got 5 days they would not have had with a black hat so I think they got a good deal. If your OS is this crappy perhaps customers should get a refund.

Re:Oh, great.... (1, Insightful)

Anonymous Coward | more than 4 years ago | (#32815630)

They didn't try anything. They got their feelings hurt because people are mad at their friend. They did not give MS a chance; they said you were mean so we will destructively release this because we are mad. And it gets used to hurt people. I think this group should get their asses sued, just like the big-egoed big babies they are. All releasing an exploit does is give the finder cred and that is what they want. If they were good people they would never release an exploit, just tell the vendor and that is it. I like how people rationalize it: I gave them 30 days. Well, some things can't be fixed in 30 days or even 30 weeks. People just wanna say I found it, look at me..... And that is what makes them crappy people.

Re:Oh, great.... (0)

Anonymous Coward | more than 4 years ago | (#32816102)

They tried that, it did not work so now they do this.

What should they do when "responsible" disclosure gets you either a prompt STFU, the just ignore the problem or worstcase a lawsuit?

How does the appropriate axiom go?

Oh, right, "If you're not part of the solution, you're part of the problem."

Before they were at least part of the solution. Now they're not, ergo now they're part of the problem. Just like Microsoft is.

Re:Oh, great.... (2, Insightful)

Locke2005 (849178) | more than 4 years ago | (#32814888)

The generally accepted practice is to disclose the vulnerability to the publisher first, and give them 30 days to issue a fix. If there is no fix available after the waiting period, THEN you disclose it to the general public. Although I'm sure the length of the waiting period can be a source of much debate, I don't believe making vulnerabilities public before giving the publisher a chance to fix the problem is in the best interest of computer users.

Re:Oh, great.... (1)

h4rr4r (612664) | more than 4 years ago | (#32815008)

If the vendor does not promptly fix issues perhaps moving to a vendor that does is a better move.

Re:Oh, great.... (1)

Fallen Kell (165468) | more than 4 years ago | (#32815108)

I don't believe making vulnerabilities public before giving the publisher a chance to fix the problem is in the best interest of computer users.

I would actually debate that with you. Knowing full well that exploits will be promptly publicly published (no pun intended), will force the large software makers to spend a little more time/effort keeping these kinds of exploits from being in their code to begin with. In many cases, a simple vetting process would detect many of these issues at the design stage. The more the computer users suffer the consequences of buggy code being released, the larger their up-roar against the maker of the software demanding more secure software to begin with and let the market forces dictate that code that is less vulnerable be a much higher demand on the market. Because let us face it, if people simply keep on paying for products, there is no incentive for the software company to spend time and money on keeping vulnerabilities out of their products.

I have plenty of karma to burn (1, Insightful)

trifish (826353) | more than 4 years ago | (#32814710)

The first thing that came to my mind was: "What a group of immature jerks."

Re:I have plenty of karma to burn (1)

TheMeuge (645043) | more than 4 years ago | (#32814898)

Analogy:

I have found a common cold virus that can be used as a biological weapon with minimal manipulation. It's highly transmissible and lethal. I contacted the CDC and they told me they weren't interested in developing treatments for it. As a consequence, I have no option but to publicly disclose the methods used in preparing and purifying this reagent (below).

Re:I have plenty of karma to burn (0)

Anonymous Coward | more than 4 years ago | (#32815428)

Hint:

People can't go to another body vendor if they don't like theirs.
There is no one responsible if their bodies have bugs and glitches, and they certainly can't sue their parents.

Apart from that, overstating something ad absurdum rarely makes a point (like crying out "partial murder / massacre of my cells" when someone hits you).

Re:I have plenty of karma to burn (1)

VortexCortex (1117377) | more than 4 years ago | (#32815506)

Another Analogy:

I have found a common cold virus that is so easy to make into a biological weapon that I'm surprised we're all not dead already.
I contacted every government authority and they all wanted to keep it top secret even though there are simple steps the public can take to prevent infection.
I now face persecution as a "terrorist" for these "crimes against humanity" (AKA basic genetic research).
I am now deeply distrustful of those in authority. I could go into hiding, but leaving the innocent public in such danger is against my morals.

The ease of discovery and manufacture of this biological terror makes it evident that our enemies may make an identical discovery very soon.
In order to inform the public of the danger currently on the horizon, and to (hopefully) clear my name, I have no choice but to take my findings to the media.
I can only hope to force the government into action before I'm assassinated, or a plague sweeps across the world.

yes, it is childish (1)

circletimessquare (444983) | more than 4 years ago | (#32814996)

and the attitude of microsoft is parental and dismissive, cold, aloof, and arrogant

and so the attitudes match each other perfectly

the question is: what would you do if you attempted to do the responsible thing and were rebuffed and in fact punished for the effort?

if there is no reward for responsible behavior, don't act surprised when irresponsible behavior prevails

Re:yes, it is childish (1)

Americano (920576) | more than 4 years ago | (#32815124)

if there is no reward for responsible behavior, don't act surprised when irresponsible behavior prevails

I'm glad this isn't the standard for our legal systems, else violent crime would rapidly spell an end to the species.

Re:yes, it is childish (1)

Galactic Dominator (944134) | more than 4 years ago | (#32816114)

Yes, as all those years humans survived despite not even possessing a legal code are surely a flawed study.

Re:yes, it is childish (0)

Anonymous Coward | more than 4 years ago | (#32815352)

if there is no reward for responsible behavior, don't act surprised when irresponsible behavior prevails

It is not called "responsible behavior" if you are expecting a reward. The fact that you believe it does shows only that you are a selfish, ignorant, and petulant child. I can only hope that your breed of self-serving swine dies out before the human race is no longer worth the carbon we are made from.

They tried... (0)

Anonymous Coward | more than 4 years ago | (#32815080)

They tried to do it the "right" way, and that failed miserably. So what exactly do you suggest they do, STFU and give Microsoft (along with black hats) the right of way?

Microsoft wants holes in their code to remain secret so they won't have to lift a finger or spend a dime. Black hats want the holes to remain secret, so they have a chance to exploit them. By keeping it a secret, you're helping microsoft, and you're helping the black hats -- that's a net loss.

Re:I have plenty of karma to burn (1)

aarenz (1009365) | more than 4 years ago | (#32815568)

The best thing that these guys could do would be to make a logical push to help Linux get deployed at large businesses. Hitting back at the "mean" superpower will accomplish nothing but make them look like jerks. Get the masses to work against MS and then they can get something done. Most of the vulnerabilities that have been found recently require so many what-ifs to be in place before they work that it is unlikely that anything will be put in the wild to take advantage of this. It would be much easier to create a Flash-based attack on the general public and be done with it. I am sure that MS weighs the potential use of the threat when they develop a plan of which items to fix. The assumption is always that the newest item that we know about is the most dangerous, but that is just a narrow perception of what is going on.

A long time ago... (1, Funny)

Anonymous Coward | more than 4 years ago | (#32814730)

Such unprofessional things were not done, at least not openly. For over 1000 months, the professionals were the guardians of peace and justice in the old businesses. Before the dark times. Before the internet.

Petulant Children? (0)

Anonymous Coward | more than 4 years ago | (#32814838)

This is the Ormandy thing all over again. I assume these "researchers" have had jobs? Is Computer Science so much easier than engineering that you can just shift manpower to cover the latest issue?

I'm an engineer, and unless the problem is loss-of-life catastrophic all problems or issues go through the same chain of actions. Reported issue, verify issue, bring issue before supervisor, supervisor and management decide if it's worth the money to fix, project assigned, problem solved, rolled into production or new line established, new line or new production staff is trained, actual product may hit the market in a few months (for larger industries I imagine it goes to years...).

If I have a problem that no one knows exists and that will affect .01% of my customers, and I have another problem that no one knows about and it will affect perhaps 1%. Unless that .01% problem is apocalyptic, it's getting pushed down the line until the 1% problem is solved. It's not laziness, it's not poor planning, it's prioritization. It's something every good engineer does because you simply can't solve every problem at once.

I hope these people eventually get real jobs.

The thing is (1, Insightful)

trifish (826353) | more than 4 years ago | (#32814866)

Use responsible disclosure and not only Microsoft, but above all the users of Windows will like you.

Expose them to an unpatched vulnerability and they will love you, uh, less.

Re:The thing is (2, Informative)

h4rr4r (612664) | more than 4 years ago | (#32814890)

They tried that. "Responsible" disclosure often results in nothing happening or, worst case, a lawsuit. It is cheaper for MS to ignore problems than fix them.

Re:The thing is (1)

Stumbles (602007) | more than 4 years ago | (#32814988)

They tried that and were ignored. Besides, it probably doesn't matter, because if these "good guys" found it, it is not unreasonable to think the bad guys already know about it. In fact, the more I think about this, it is the "bad guys" who are being more responsible than the "good guys", because the bad guys KEEP THEIR MOUTHS SHUT about vulnerabilities.

How to fix the IIS5 exploit (0)

Anonymous Coward | more than 4 years ago | (#32814958)

For those still running IIS5:
get URLScan (if you haven't already)
http://technet.microsoft.com/en-us/security/cc242650.aspx

and add this to your urlscan.ini file in the [DenyUrlSequences] section:
INDEX_ALLOCATION

Incredible (0)

Anonymous Coward | more than 4 years ago | (#32815048)

The term 0-day is used correctly in the /. summary! Who would have thought!

errrr... (0)

Anonymous Coward | more than 4 years ago | (#32815072)

Well, we must first distinguish vendor punishment from harming the public. To me there is no excuse when any ordinary hard-working (or whatever) internet user (or admin, or...) gets harmed by a released 0day. I totally understand the point of these actions, but I definitely cannot accept the consequences...

Re:errrr... (1)

h4rr4r (612664) | more than 4 years ago | (#32816098)

Then use a vendor that fixes issues.

With this public you can now take some actions to protect yourself as opposed to before when you had no idea you were vulnerable.

Re (1)

Vihhieblu (1849506) | more than 4 years ago | (#32815138)

It's one of my favorite posts. Thanks for the nice information.

Malicious Intent (2)

pwileyii (106242) | more than 4 years ago | (#32815146)

Based on what I've read, this was done intentionally and with malicious intent on the part of the researchers, in retaliation for the negative attitude Microsoft showed toward Tavis Ormandy. In Tavis' case, I think Microsoft simply had some negative words to say, but in this case, Microsoft can claim that these security researchers intended to damage them based on their threats "that they will continue to do so in response to how Microsoft treated Tavis Ormandy."

It is clear to me that the researchers are either a) little kids or b) acting like little kids, and I hope Microsoft and the rest of the security community come down hard on them to prevent further retaliation tactics that hurt users more than the companies they are attempting to damage.

Re:Malicious Intent (0)

Fulcrum of Evil (560260) | more than 4 years ago | (#32816116)

Spoken like someone who knows nothing of the backstory. MS has a reputation for sitting on these sorts of things until their hand is forced, so the responsible thing is to skip the private notification step and force a resolution more quickly. This isn't malicious - it's just learning from the treatment of others.

this is the best news i heard all day (0)

FudRucker (866063) | more than 4 years ago | (#32815214)

if i had the expertise and time i would do it that way, if i found vulnerabilities in MS software i would publicly reveal them anonymously on lots of websites, wikileaks, craigslist, slashdot, digg, reddit & etc... give it as much exposure as possible as quickly as possible.

The bad guys knows about them already. (4, Insightful)

miffo.swe (547642) | more than 4 years ago | (#32815392)

The real bad guys most certainly know about these security issues long before they become common knowledge. Responsible would be Microsoft patching their stuff as soon as they learn about an exploit instead of waiting for the known ones to be spread in the wild.

Responsible disclosure is just Microsoft's way of trying to get people to shut up about their crappy security. If Microsoft was the least bit interested in security they would care more about real security than UAC (put the blame on the user) and playing statistics by making more secure products, hiding patches, grouping patches, etc.

woohhooo I have an opinion (0)

Anonymous Coward | more than 4 years ago | (#32815488)

What prevents a security flaw from getting fixed? $$$
What causes security flaws to be released? $$$

Assuming that is mostly accurate, I would then postulate that Microsoft protects their profits at the expense of an acceptable amount of security flaws (among a bunch of other stuff).

To argue pro-MS on their behavior wrt identifying security flaws in their system, given the above (if the above were true, that is), would be akin to this:

"Please do not diminish Microsoft's profits just to increase end users' security."

If you agree with the restatement of the counter-argument, then I have to disagree with you. If the restatement is incorrect, then one of the assumptions must be wrong, which I believe they are not.

At this point then, my opinion is, let's not worry about Microsoft's profits; let's instead worry about the end users and Microsoft's ability to serve their end users well. If you see that the profits from MS are getting spent on these wonderful things and believe that the profits are more valuable than this whole "computing" stuff, then perhaps I might agree with you; go ahead and make a case for me to read. If I were convinced, then I probably would conclude that MSRC are in the wrong.

By revealing a flaw, is the MSRC putting end users at risk?
By diagnosing a terminally ill cancer patient, does the doctor kill the cancer patient?

Maybe so, but even if that were the case, should we worry about removing the doctors or worry about curing cancer?

Re:woohhooo I have an opinion (1)

ashridah (72567) | more than 4 years ago | (#32816086)

Interesting idea, but it's worth pointing out that time is a significant factor, and is not directly interchangeable with money. It's more of an inversely proportional relationship. More money equals less and less time taken.

Sometimes you're really, REALLY, just out of time, and absolutely have to ship, and then where do you draw the line? You can't find and fix every single bug ever in a finite time frame (I hope I don't need to discuss the halting problem with the Slashdot crowd, here).

That said, acting the way these researchers are is never going to improve the situation for either side in this argument. While it may feel good to the self-righteous Slashdot crowd, that's cold comfort to the teams who were planning how to juggle security/features going forward, and had the rug ripped out from under them and now have to rush out a fix with less testing than is normally done. (This is precisely what a HotFix is: an under-tested patch that doesn't meet the full standard for "we support this 100%".) For a company that prides itself on back-compat, and selling to companies that do their own staged rollout, a month or two's delay before the release is minor. And some bugs are just less important.

I wouldn't be surprised if the bugs that had been 'sat on for a year' are some of the more obscure special-case bugs, and aren't part of the common configuration, and that there's some grandstanding going on, which ignored prioritization completely, just because it was these researchers' claim to fame.

A little sense (0)

Anonymous Coward | more than 4 years ago | (#32815716)

Come on, any company that is informed of a bug will and should not issue a fix for it as soon as they have a fix; these fixes need to be tested and verified in lots of different test environments, and this takes time. I'm sure they have a process for new issues that come to light, although I think I read 60-90 days. This may be a little long; is this the same for hot fixes? Still, not knowing the amount of testing that is done, I'm not sure. The Google muppet that got all offended over Microsoft not fixing the security hole as quickly as he would have liked, and so made it public, was just plain stupid, and this MSRC group will be no different.

Thanks to MSRC, now every script kiddie will be logging on for the latest info to do more harm than good. Why don't MSRC just inform Microsoft of the things they find and not make it public until it's been fixed? Oo, but wait, that's the whole point: they want to be counterproductive. I wonder how many companies/users will be on the ill end of MSRC-released code, and whether they should be held liable for damages incurred because of it!

This just in... (0)

Anonymous Coward | more than 4 years ago | (#32815760)

Basic techniques employed by Microsoft are sometimes used by other people writing Operating Systems!

It's not just about saying "hey Microsoft, you've got a vulnerability". For researchers, it's about discovering what techniques have what vulnerabilities.

Parser Error (missing hyphen) (3, Informative)

Tetsujin (103070) | more than 4 years ago | (#32815916)

Microsoft Spurned Researchers Release 0-Day

I get about as far as "Microsoft Spurned Researchers" and then the rest of it doesn't make any sense. Like you need a conjunction or something after "Researchers"...

Or, you know, hyphenate "Microsoft-Spurned" so the damn headline makes sense.

from The Jargon File (0)

Anonymous Coward | more than 4 years ago | (#32815950)

Back in the mid-1970s, several of the system support staff at Motorola discovered a relatively simple way to crack system security on the Xerox CP-V timesharing system. Through a simple programming strategy, it was possible for a user program to trick the system into running a portion of the program in 'master mode' (supervisor state), in which memory protection does not apply. The program could then poke a large value into its 'privilege level' byte (normally write-protected) and could then proceed to bypass all levels of security within the file-management system, patch the system monitor, and do numerous other interesting things. In short, the barn door was wide open.

Motorola quite properly reported this problem to Xerox via an official 'level 1 SIDR' (a bug report with an intended urgency of 'needs to be fixed yesterday'). Because the text of each SIDR was entered into a database that could be viewed by quite a number of people, Motorola followed the approved procedure: they simply reported the problem as 'Security SIDR', and attached all of the necessary documentation, ways-to-reproduce, etc.

The CP-V people at Xerox sat on their thumbs; they either didn't realize the severity of the problem, or didn't assign the necessary operating-system-staff resources to develop and distribute an official patch.

Months passed. The Motorola guys pestered their Xerox field-support rep, to no avail. Finally they decided to take direct action, to demonstrate to Xerox management just how easily the system could be cracked and just how thoroughly the security safeguards could be subverted.

They dug around in the operating-system listings and devised a thoroughly devilish set of patches. These patches were then incorporated into a pair of programs called 'Robin Hood' and 'Friar Tuck'. Robin Hood and Friar Tuck were designed to run as 'ghost jobs' (daemons, in Unix terminology); they would use the existing loophole to subvert system security, install the necessary patches, and then keep an eye on one another's statuses in order to keep the system operator (in effect, the superuser) from aborting them.

One fine day, the system operator on the main CP-V software development system in El Segundo was surprised by a number of unusual phenomena. These included the following:

  • Tape drives would rewind and dismount their tapes in the middle of a job.
  • Disk drives would seek back and forth so rapidly that they would attempt to walk across the floor (see walking drives).
  • The card-punch output device would occasionally start up of itself and punch a 'lace card' (card with all positions punched). These would usually jam in the punch.
  • The console would print snide and insulting messages from Robin Hood to Friar Tuck, or vice versa.
  • The Xerox card reader had two output stackers; it could be instructed to stack into A, stack into B, or stack into A (unless a card was unreadable, in which case the bad card was placed into stacker B). One of the patches installed by the ghosts added some code to the card-reader driver... after reading a card, it would flip over to the opposite stacker. As a result, card decks would divide themselves in half when they were read, leaving the operator to recollate them manually.

Naturally, the operator called in the operating-system developers. They found the bandit ghost jobs running, and killed them... and were once again surprised. When Robin Hood was gunned, the following sequence of events took place:

!X id1
 
    id1: Friar Tuck... I am under attack! Pray save me!
    id1: Off (aborted)
 
    id2: Fear not, friend Robin! I shall rout the Sheriff
        of Nottingham's men!
 
    id1: Thank you, my good fellow!

Each ghost-job would detect the fact that the other had been killed, and would start a new copy of the recently slain program within a few milliseconds. The only way to kill both ghosts was to kill them simultaneously (very difficult) or to deliberately crash the system.

Finally, the system programmers did the latter -- only to find that the bandits appeared once again when the system rebooted! It turned out that these two programs had patched the boot-time OS image (the kernel file, in Unix terms) and had added themselves to the list of programs that were to be started at boot time (this is similar to the way Windows viruses propagate).

The Robin Hood and Friar Tuck ghosts were finally eradicated when the system staff rebooted the system from a clean boot-tape and reinstalled the monitor. Not long thereafter, Xerox released a patch for this problem.

It is alleged that Xerox filed a complaint with Motorola's management about the merry-prankster actions of the two employees in question. It is not recorded that any serious disciplinary action was taken against either of them.

Irrevocable Authenticated Delayed Publication (4, Interesting)

John Hasler (414242) | more than 4 years ago | (#32816020)

We need an irrevocable authenticated delayed publication mechanism: some way to put a GPG-signed document into a pipeline such that it will be published at the end of X days no matter what anyone (including the author) does. Researchers could then send their discoveries to vendors with the notation "This vulnerability will come out of the IADP system in sixty days". Browbeating them for more time would be pointless and their priority of discovery would be secure.

There are no doubt many other uses for such a system as well.
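A minimal model of the mechanism described in the post above, added here as an illustration and not part of the original comment or of any real IADP service. It assumes a SHA-256 hash commitment in place of the GPG signature the post mentions (so the example runs offline), an HMAC receipt keyed by the publishing service standing in for the service's own signature, and a submission queue with no withdrawal path. All names (`DelayedPublisher`, `commit`, `verify_priority`, `run_demo`), the sample advisory text, the nonce and the service key are constructed for the example.

```python
import hashlib
import hmac
from datetime import datetime, timedelta, timezone


def commit(document: bytes, nonce: bytes) -> str:
    """Hash commitment binding the exact document bytes to a secret nonce.
    Publishing the commitment early fixes priority of discovery without
    revealing content; document and nonce are revealed at release time."""
    return hashlib.sha256(nonce + document).hexdigest()


def verify_priority(document: bytes, nonce: bytes, commitment: str) -> bool:
    """Check a later reveal against an earlier commitment (constant-time compare)."""
    return hmac.compare_digest(commit(document, nonce), commitment)


class DelayedPublisher:
    """Toy escrow: accepts a document plus a release date, issues an HMAC
    receipt over (commitment, release_at), refuses withdrawal, and reveals
    the document once the release time has passed. (Constructed example;
    a real service would sign receipts with a public-key signature.)"""

    def __init__(self, service_key: bytes):
        self._key = service_key
        self._queue = {}  # commitment -> record; entries are never removed

    def _receipt(self, commitment: str, release_at: datetime) -> str:
        body = f"{commitment}|{release_at.isoformat()}".encode()
        return hmac.new(self._key, body, hashlib.sha256).hexdigest()

    def submit(self, document: bytes, nonce: bytes, now: datetime, delay_days: int) -> dict:
        """Queue a document; return a receipt the submitter can forward to the vendor."""
        commitment = commit(document, nonce)
        release_at = now + timedelta(days=delay_days)
        self._queue[commitment] = {"document": document, "nonce": nonce, "release_at": release_at}
        return {
            "commitment": commitment,
            "release_at": release_at.isoformat(),
            "receipt": self._receipt(commitment, release_at),
        }

    def withdraw(self, commitment: str) -> None:
        """There is no code path that removes or edits a queued entry, author included."""
        raise PermissionError("submissions are irrevocable")

    def verify_receipt(self, receipt: dict) -> bool:
        """Service-side check that a receipt (commitment + release date) is authentic."""
        release_at = datetime.fromisoformat(receipt["release_at"])
        expected = self._receipt(receipt["commitment"], release_at)
        return hmac.compare_digest(expected, receipt["receipt"])

    def published(self, now: datetime) -> list:
        """Everything whose release time has passed, as (commitment, document, nonce)."""
        return [(c, r["document"], r["nonce"])
                for c, r in self._queue.items() if now >= r["release_at"]]


def run_demo() -> dict:
    """Walk the flow with constructed sample values and return the checks."""
    pub = DelayedPublisher(service_key=b"constructed-demo-service-key")
    advisory = b"Constructed sample advisory text (placeholder, not a real finding)."
    nonce = b"constructed-random-nonce-0001"  # use os.urandom(32) in practice
    t0 = datetime(2010, 7, 2, tzinfo=timezone.utc)
    receipt = pub.submit(advisory, nonce, t0, delay_days=60)
    try:
        pub.withdraw(receipt["commitment"])
        withdraw_refused = False
    except PermissionError:
        withdraw_refused = True
    # A receipt with a pushed-back date must fail verification.
    tampered = dict(receipt, release_at=(t0 + timedelta(days=120)).isoformat())
    released = pub.published(t0 + timedelta(days=60))
    return {
        "released_day_59": len(pub.published(t0 + timedelta(days=59))),
        "released_day_60": len(released),
        "withdraw_refused": withdraw_refused,
        "receipt_valid": pub.verify_receipt(receipt),
        "tampered_receipt_valid": pub.verify_receipt(tampered),
        "revealed_matches": verify_priority(released[0][1], released[0][2], receipt["commitment"]),
    }


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(f"{k}: {v}")
```

The two properties the post wants fall out separately: the commitment (publishable on day zero) settles priority of discovery, and the receipt ties the service to a release date it cannot later be talked out of, because nothing in the queue can be edited or removed.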

Best Practice (1)

munky99999 (781012) | more than 4 years ago | (#32816180)

1. You could auto-release 0day; never contact the fella like Microsoft to see if they'll fix it. You are left with lots of known insecure machines.

2. You could give Microsoft all the info and tell them to fix it and never release info to the public. Microsoft never fixes these. You are left with a public who is insecure and doesn't know.

Best Practice is both. Contact Microsoft, get them to sign an NDA that expires in ~1 month (or whatever is plenty of time to fix the bug relative to severity). Give them all the info they need to fix it. Tell them that on X date there is full disclosure, so fix it or be in a bad PR situation of explaining why they didn't fix it in the time period given. MS really really is going to fix it then.