Microsoft Investigating Windows Security Vulnerability as Disclosure Debate Continues

A group of security researchers upset about Microsoft's handling of the responsible disclosure debate surrounding the findings of Google engineer Tavis Ormandy have released details of a bug of their own. Microsoft is investigating the vulnerability, and urged researchers to report vulnerabilities to the company directly rather than disclosing details publicly.

Microsoft said it is investigating a security flaw revealed by researchers upset at Microsoft's "hostility toward security researchers."

A group going by the name "Microsoft-Spurned Researcher Collective"-a play on the name of the Microsoft Security Response Center-published information last week about a vulnerability affecting Windows Vista and Windows Server 2008 that can be used to crash vulnerable machines.

"Due to hostility toward security researchers, the most recent example being of Tavis Ormandy, a number of us from the industry (and some not from the industry) have come together to form MSRC: the Microsoft-Spurned Researcher Collective," the group said in a post to the Full Disclosure list. "MSRC will fully disclose vulnerability information discovered in our free time, free from retaliation against us or any inferred employer."

Ormandy, an engineer at Google, was at the center of a full disclosure debate a few weeks ago when he publicly disclosed a vulnerability five days after contacting Microsoft, which critics argued did not give the vendor enough time to patch. According to information released by Microsoft last week, the vulnerability has been exploited in attacks against more than 10,000 machines.

In addition to the Ormandy situation, VUPEN Security's failure to immediately report its discovery of a bug affecting Office 2010 issue also triggered talk about disclosure policies, though VUPEN Security did not make details of the bug public.

So far, Microsoft has not issued an advisory on the vulnerability found by the "Microsoft-Spurned Researcher Collective."

"Our initial analysis of the Proof-of-Concept code supplied has determined that an attacker must be able to log on locally or already have code running on the target system in order to cause a local denial of service," Jerry Bryant, group manager of response communications at Microsoft. "To minimize risk to computer users, Microsoft continues to encourage responsible disclosure. Reporting vulnerabilities directly to vendors helps to ensure that potentially affected customers receive high-quality, comprehensive updates before cyber-criminals learn of a vulnerability, and work to exploit it."

According to the researchers, Microsoft "can work around these advisories by locating the following registry key: HKCU\Microsoft\Windows\CurrentVersion\Security and changing the 'OurJob' boolean value to FALSE."