Angry researchers disclose Windows zero-day bug
Anonymous group claims Microsoft has hostile attitude, backs Google researcher
Computerworld - An anonymous group of security researchers last week published information about an unpatched Windows bug, saying that they were disclosing the vulnerability because of the way Microsoft treated a colleague.
The flaw in Windows Vista and Server 2008 could be used by attackers to gain unauthorized access to a PC or cause it to crash.
Microsoft downplayed the threat, saying that the vulnerability required an attacker to have physical access to the computer or have compromised it with another exploit.
More intriguing than the vulnerability or its public disclosure -- both of which are commonplace with Windows -- was the declaration that began the message posted July 1 to the Full Disclosure security mailing list.
"Due to hostility toward security researchers, the most recent example being of Tavis Ormandy, a number of us from the industry (and some not from the industry) have come together to form MSRC: the Microsoft-Spurned Researcher Collective," the message read. "MSRC will fully disclose vulnerability information discovered in our free time, free from retaliation against us or any inferred employer."
The name of the group is a poke at the Microsoft Security Response Center, the group responsible for investigating vulnerabilities, which also goes by the acronym MSRC.
Tavis Ormandy is the Google security engineer who was at the center of a storm last month after he publicly disclosed a Windows vulnerability when Microsoft wouldn't commit to a patching deadline.
Ormandy's vulnerability was quickly put to use by hackers, who began launching attacks five days after he publicized the flaw. Last week, Microsoft claimed that it had tracked attacks on more than 10,000 computers since June 15.
While some security researchers criticized Ormandy for going public with the Microsoft vulnerability, others rose to his defense, calling out both Microsoft and the press -- including Computerworld -- for linking Ormandy to his employer, Google.
The Microsoft-Spurned Researcher Collective posted its message anonymously using an account from the Hushmail service and listed six names supposedly associated with the group. The names, however, were represented only by multiple X's.
The group also called on other researchers to join it and along the way took another jab at its opponent. "We do have a vetting process, by the way, for any Microsoft employees trying to join," the group said.
Microsoft confirmed that it was investigating the bug but said that the risk to users was minimal. "Our initial analysis of the Proof-of-Concept code supplied has determined that an attacker must be able to log on locally or already have code running on the target system in order to cause a local Denial of Service," said Jerry Bryant, a group manager with the company's MSRC, in an e-mail late Monday.



- Excel 2010 Cheat Sheet
- Register for this Computerworld Insider Cheat Sheet and gain access to hundreds of premium content articles, guides, product reviews and more.
- Overcome Top 7 Admin Challenges of Active Directory
- As Active Directory's role in the enterprise has drastically increased, so has the need to secure the data. Gain insight on creating repeatable,...
- Insiders Can Ruin Your Company. Take Action.
- Did you know that 80 percent of threats to an organization come from the inside? The threat from insiders is often overlooked in...
- Top Solutions and Tools to Prevent Devastating Malware
- Custom malware frequently goes undetected. According to Forrester Research, the best way to reduce risk of breach is to deploy file integrity monitoring...
- X-Ray of the PCI Process-4 Proactive Steps
- This white paper from Forrester Research Inc., helps break PCI into understandable components. Security and risk professionals will gain knowledge and insight into...
- Identity Governance: The Business Imperatives
- This white paper describes the business challenges and opportunities that are driving interest in Identity Governance while discussing considerations your organization should make... All Security White Papers
- Live Webcast
Playing Defense: Staying on Top of Your Disaster Recovery Game - When it comes to disaster recovery, rapidly growing data volumes, distributed computing models, and new technologies all combine to present an ever-changing playing...
- Introduction to VMware vCenter Site Recovery Manager 5
- Traditional disaster recovery solutions are often too expensive, complex and unreliable to meet business requirements. As a result, IT departments are hesitant to...
- The Top Ten Secrets to Avoiding SAN Performance Problems
- Maintaining peak performance while simultaneously addressing the root cause of SAN errors is challenging. Learn the most common SAN problems and explore new...
- Deduplication Without Compromise
- Go inside Quantum's scalable, high-performance, multi-protocol new DXi deduplication appliances, designed to make backup much more effective. Discover how the new future-proof DXi6700...
- Director of Disk Products Discusses DXi6700
- Discover how the new DXi 6700 series of deduplication appliances provide investment protection and a future-proof feature set, all while delivering fast, scalable,...
- Playing Defense: Staying on Top of Your Disaster Recovery Game
- When it comes to disaster recovery, rapidly growing data volumes, distributed computing models, and new technologies all combine to present an ever-changing playing... All Security Webcasts