Microsoft Investigating Windows Security Vulnerability as Disclosure Debate Continues
Cybersecurity
SHARE
Facebook X Pinterest WhatsApp

Microsoft Investigating Windows Security Vulnerability as Disclosure Debate Continues

Written By
Brian Prince
Brian Prince
Jul 6, 2010
2 minute read
eWeek content and product recommendations are editorially independent. We may make money when you click on links to our partners. Learn More

Microsoft said it is investigating a security flaw revealed by researchers upset at Microsoft’s “hostility toward security researchers.”

A group going by the name “Microsoft-Spurned Researcher Collective”-a play on the name of the Microsoft Security Response Center-published information last week about a vulnerability affecting Windows Vista and Windows Server 2008 that can be used to crash vulnerable machines.

“Due to hostility toward security researchers, the most recent example being of Tavis Ormandy, a number of us from the industry (and some not from the industry) have come together to form MSRC: the Microsoft-Spurned Researcher Collective,” the group said in a post to the Full Disclosure list. “MSRC will fully disclose vulnerability information discovered in our free time, free from retaliation against us or any inferred employer.”

Ormandy, an engineer at Google, was at the center of a full disclosure debate a few weeks ago when he publicly disclosed a vulnerability five days after contacting Microsoft, which critics argued did not give the vendor enough time to patch. According to information released by Microsoft last week, the vulnerability has been exploited in attacks against more than 10,000 machines.

In addition to the Ormandy situation, VUPEN Security’s failure to immediately report its discovery of a bug affecting Office 2010 issue also triggered talk about disclosure policies, though VUPEN Security did not make details of the bug public.

So far, Microsoft has not issued an advisory on the vulnerability found by the “Microsoft-Spurned Researcher Collective.”

“Our initial analysis of the Proof-of-Concept code supplied has determined that an attacker must be able to log on locally or already have code running on the target system in order to cause a local denial of service,” Jerry Bryant, group manager of response communications at Microsoft. “To minimize risk to computer users, Microsoft continues to encourage responsible disclosure. Reporting vulnerabilities directly to vendors helps to ensure that potentially affected customers receive high-quality, comprehensive updates before cyber-criminals learn of a vulnerability, and work to exploit it.”

According to the researchers, Microsoft “can work around these advisories by locating the following registry key: HKCUMicrosoftWindowsCurrentVersionSecurity and changing the ‘OurJob’ boolean value to FALSE.”
Brian Prince
eWeek Logo

eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site's focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

facebook
linkedin
youtube
rss
x

Company

About us Contact us Advertise with us

Categories

Latest News Resources Artificial Intelligence Video Big Data & Analytics Cloud Networking

Property of TechnologyAdvice. © 2026 TechnologyAdvice. All Rights Reserved

Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.

Terms of Service Privacy Policy California - Do Not Sell My Information