A group of security researchers, pissed off with the way Microsoft supposedly ‘treated’ Tavis Ormandy, a Google engineer, for publicly disclosing a zero-day Windows XP Help Center vulnerability, currently being exploited in the wild, has come together to form the “Microsoft-Spurned Researcher Collective”!
Ormandy had taken a lot of heat from both Microsoft and from the security community for publishing details about the unpatched critical vulnerability in the public domain.
Their advisory reads:
“Due to hostility toward security researchers, the most recent example being of Tavis Ormandy, a number of us from the industry (and some not from the industry) have come together to form MSRC: the Microsoft-Spurned Researcher Collective. MSRC will fully disclose vulnerability information discovered in our free time, free from retaliation against us or any inferred employer.”
It was also noted that the upset security researchers poke more fun at Microsoft in their disclosure:
Their workaround section tells the company to locate the HKCU\Microsoft\Windows\CurrentVersion\Security registry key and change the “OurJob” boolean value to FALSE. They even include an email address that others willing to join the cause can use to make contact.
Quite an immature way to react, if I may say so! This step, by these security researchers, will only expose the Windows end-users to risk!