A group of hackers says it will begin anonymously releasing proof-of-concept exploit code for Microsoft vulnerabilities in retaliation for the software giant’s recent criticism of third-party security researchers.
And to show how serious its members are, the group — which has taken the name Microsoft-Spurned Researcher Collective, usurping the acronym for Microsoft’s (NASDAQ: MSFT) own security team, has already released code demonstrating a newly discovered exploit in Windows Vista and Windows Server 2008.
Microsoft, as well as other companies, relies on third-party security researchers for warnings about vulnerabilities in its software. However, the software industry also has taken researchers to task for revealing the details of a potential security hole before affected vendors have had time to issue a patch.
Most recently, Google security researcher Tavis Ormandy, on at least two occasions in the past six months, publicly disclosed security vulnerabilities as well as proof-of-concept code that demonstrates how to exploit them. For example, Ormandy released code last month that ultimately led to more than 10,000 separate attacks on vulnerable computers. That security flaw emanates from the way Windows XP handles files in its Help and Support Center.
Ormandy’s efforts served to stir up the long-lasting controversy over whether security researchers should wait to disclose the software exploits they discover to the public — and potentially, to nefarious hackers — before they notify the software’s developer. Many researchers have argued that the threat of public disclosure spurs software vendors to action; otherwise, the thinking goes, they wouldn’t bother to update their products in a timely fashion.
The Microsoft-Spurned Researcher Collective is also challenging what it describes as a combative attitude among software vendors toward independent and third-party security researchers.
“Due to hostility toward security researchers, the most recent example being of Tavis Ormandy, a number of us from the industry (and some not from the industry) have come together to form MSRC: the Microsoft-Spurned Researcher Collective,” the newly formed group said in a post to the Full Disclosure security mailing list last week. “MSRC will fully disclose vulnerability information discovered in our free time, free from retaliation against us or any inferred employer.”
But Jerry Bryant, group manager for response communications at the Microsoft Security Response Center, said in an e-mail to InternetNews.com that his company calls for “responsible disclosure” by security researchers.
“Reporting vulnerabilities directly to vendors helps to ensure that potentially affected customers receive high-quality, comprehensive updates before cybercriminals learn of a vulnerability, and work to exploit it,” he said.
In last month’s incident, some bloggers also took Ormandy and his employer, Google, to task for not having disclosed the vulnerability and proof-of-concept to Microsoft in time for it to act before Ormandy published details of the security hole on the Internet.
According to Ormandy’s post, he gave Microsoft five days warning before revealing details of the Help and Support Center vulnerability online.
Others, meanwhile, said the industry needs to strike a balance.
“While these attacks are very serious, it strikes me as some classic PR on Microsoft’s part to release a statistic like this [the 10,000 attacks enabled by Ormandy’s disclosure] while trying to blame Google for Tavis’s ‘irresponsible disclosure’,” Sophos Senior Security Advisor Chester Wisniewski said in a post on his firm’s blog last week.
“I am not taking sides here, but what would seem to best serve the community is an open, honest discussion among the parties involved where we can all learn from this incident,” Wisniewski added.
That doesn’t seem to be in the cards any time soon, however. The MSRC hackers group did not pre-notify Microsoft before releasing the latest exploit in their post to the Full Disclosure mailing list.
New vulnerability in Windows Server 2008, Vista
Although Microsoft has not yet released a Security Advisory for the new hole revealed by the group, a spokesperson for the company said the problem is not as serious as many others.
“Microsoft is currently investigating the public disclosure of a vulnerability affecting Windows Vista and Windows Server 2008. Our initial analysis of the proof-of-concept code supplied has determined that an attacker must be able to log on locally, or already have code running on the target system, in order to cause a local denial of service,” Bryant said in his e-mail.