A group of security researchers upset about Microsoft's handling of the responsible disclosure debate surrounding the findings of Google engineer Tavis Ormandy have released details of a bug of their own. Microsoft is investigating the vulnerability, and urged researchers to report vulnerabilities to the company directly rather than disclosing details publicly.
Microsoft said it is investigating a security flaw revealed by researchers
upset at Microsoft's "hostility toward security researchers."
A group going by the name "Microsoft-Spurned Researcher Collective"-a
play on the name of the Microsoft Security Response Center-published
information last week about a vulnerability affecting Windows Vista and Windows
Server 2008 that can be used to crash vulnerable machines.
"Due to hostility toward security researchers, the most recent
of Tavis Ormandy, a number of us from the industry (and some
not from the industry) have come together to form MSRC: the Microsoft-Spurned
Researcher Collective," the group said in a post to the Full Disclosure list
"MSRC will fully disclose vulnerability information discovered in our free
time, free from retaliation against us or any inferred employer."
Ormandy, an engineer at Google, was at the center of a full disclosure
debate a few weeks ago when he publicly disclosed a vulnerability five days
after contacting Microsoft, which critics argued did not give the vendor enough
time to patch. According to information
released by Microsoft last week
, the vulnerability has been exploited in
attacks against more than 10,000 machines.
In addition to the Ormandy situation, VUPEN Security's failure to
immediately report its discovery of a bug affecting Office
also triggered talk about disclosure policies, though VUPEN Security
did not make details of the bug public.
So far, Microsoft has not issued an advisory on the vulnerability found
by the "Microsoft-Spurned Researcher Collective."
"Our initial analysis of the Proof-of-Concept code supplied has determined
that an attacker must be able to log on locally or already have code running on
the target system in order to cause a local denial of service," Jerry Bryant,
group manager of response communications at Microsoft. "To minimize risk to
computer users, Microsoft continues to encourage responsible disclosure.
Reporting vulnerabilities directly to vendors helps to ensure that potentially
affected customers receive high-quality, comprehensive updates before cyber-criminals
learn of a vulnerability, and work to exploit it."
According to the researchers, Microsoft "can work around these
advisories by locating the following registry key:
HKCU\Microsoft\Windows\CurrentVersion\Security and changing the 'OurJob'
boolean value to FALSE."