Microsoft-Spurned Researcher Collective Formed!

A group of security researchers, angry at the way Microsoft supposedly ‘treated’ Tavis Ormandy, a Google engineer, for publicly disclosing a zero-day Windows XP Help Center vulnerability that is currently being exploited in the wild, has come together to form the “Microsoft-Spurned Researcher Collective”!

Ormandy had taken a lot of heat from both Microsoft and from the security community for publishing details about the unpatched critical vulnerability in the public domain.

The group’s advisory reads:

“Due to hostility toward security researchers, the most recent example being of Tavis Ormandy, a number of us from the industry (and some not from the industry) have come together to form MSRC: the Microsoft-Spurned Researcher Collective. MSRC will fully disclose vulnerability information discovered in our free time, free from retaliation against us or any inferred employer.”

The upset security researchers also poke more fun at Microsoft in their disclosure:

Their workaround section tells the company to locate the HKCU\Microsoft\Windows\CurrentVersion\Security registry key and change the “OurJob” boolean value to FALSE. They even include an email address that others willing to join the cause can use to make contact.

Quite an immature way to react, if I may say so! This step, by these security researchers, will only expose the Windows end-users to risk!

Anand Khanse aka HappyAndyK is an end-user Windows enthusiast, a Microsoft MVP in Windows since 2006, and the Admin of TheWindowsClub.com. Please create a System Restore Point before trying out any software & be careful about any third-party offers while installing freeware.
  • Muchenjeri

    Disclosing vulnerabilities to the public before informing the vendor for a fix is irresponsible and must be treated as cyber-terrorism. It is high time these people exercise responsibility rather than whining about how Microsoft treats them.

  • TheBigOldDog

    Well said Muchenjeri. I could not agree with you more.

    There is little difference between these technical assassins and the criminals they allegedly protect against. They may not pull the triggers but they are happy to hand the hackers the guns it seems.

    I wonder how many of the “security experts” draw paychecks from Google.

  • http://not.null.com EvenOlderPal

    “Disclosing vulnerabilities to the public before informing the vendor for a fix must be treated as cyber-terrorism”

    Hmm… and what if disclosed vulnerabilities to the vendor remain unpatched during years?

    Shouldn’t the vendor be sanctioned for exposing its end-users so carelessly?

    And, what about a vendor who injects more security holes in patches than the patches were supposed to close?

    Shouldn’t this behavior be considered as irresponsible and be sanctioned?

    Your comments are short of any insight about the nature of the problem.

  • Dee

    “Disclosing vulnerabilities to the public before informing the vendor for a fix is irresponsible and must be treated as cyber-terrorism.”

    Cyber-terrorism? Such remarks must be treated as screaming hyperbole.

  • TC

    While I understand that the target demographic for this site is Windows users, I am still amazed that you could actually lay Microsoft’s lack of security (and the risks of using their software) at a 3rd party’s feet. Is full and immediate disclosure the preferred manner of dealing with issues such as this? No, it is not. However, before the readers of this site begin to cry foul they should remember two things:

    1. Microsoft has the absolute worst sustained security track record of any operating system vendor in the history of computing. There are many viable reasons/excuses for this state of affairs (picked on the most because of market saturation, et al.); however, regardless of your position on the underlying cause, everyone can agree that this is simply indisputable fact.

    2. Microsoft has a history of doing everything possible to quash knowledge of their vulnerabilities when notified of them. Previously, when approached by external sources with information on Windows-based exploits Microsoft’s concern has revolved around image, not safety.

    While I do applaud Microsoft’s relatively late-coming epiphany in regards to understanding the implications of an ill-served and poorly secured user-base, ridiculous comments such as ‘cyber-terrorism’ do absolutely nothing for your point of view or anyone’s ability to take your fan base seriously.

    So, how should these ‘Microsoft Spurned Researchers’ best serve the industry? Simple. Use their anonymity to safely notify Microsoft first. Give MS the chance to act responsibly. If Redmond fails to act in the best interests of their user-base after a reasonable (yet limited) amount of time, then it would be the MSRC’s responsibility to force their hand by going public.

    By staying consistent with this methodology, real changes in vendor behavior may be realized in a relatively short amount of time.

    Then we all win.
