Rogue Security Researchers vs Microsoft: Karma Is Brutal!

What happens when a giant software company ticks off a group of security researchers? Microsoft is finding out. A group of rogue security researchers calling itself MSRC (Microsoft-Spurned Researcher Collective) announced it will publicize any Windows vulnerabilities it finds, as opposed to quietly reporting them to Microsoft for the company to patch. MSRC anonymous security researchers are not to be confused with the Microsoft Security Response Center, also MSRC, the group within Microsoft responsible for investigating vulnerabilities.  Yesterday, another MS exploit was released.

Their declaration against Microsoft was posted on the Full Disclosure security mailing list.

 Due to hostility toward security researchers, the most recent example being of Tavis Ormandy, a number of us from the industry (and some not from the industry) have come together to form MSRC: the Microsoft-Spurned Researcher Collective. MSRC will fully disclose vulnerability information discovered in our free time, free from retaliation against us or any inferred employer. 

“We at MSRC would like to help you, the users, work around this issue, but PatchGuard will not allow us ;-(“

MSRC added the workaround as: “Microsoft can workaround these advisories by locating the following registry key: HKCUMicrosoftWindowsCurrentVersionSecurity and changing the “OurJob” boolean value to FALSE.”

The term PatchGaurd refers to Kernel Patch Protection (KPP), a feature of x64 editions of Microsoft Windows that prevents patching the kernel. It was first introduced in 2005 with the x64 editions of Windows XP and Windows Server 2003 Service Pack 1, according to Wikipedia.

Microsoft replied that it is investigating that bug, but that the risk to users was minimal. Secunia, a Danish vulnerability tracking firm agreed with Microsoft, stating that the bug would only affect fully patched versions of Windows Vista Business SP1 and Windows Server 2008 Enterprise SP1 and SP2.

On Monday, Secunia published an advisory that outlined a “moderately critical” bug in Windows 2000 and Windows XP that could be used to hijack PCs.

On Tuesday, however, the Microsoft-Spurned Researcher Collective hit MS a bit harder. MusntLive released a “serious Microsoft MS SQL advisory” along with a note to “Free Travis!” According to the disclosure, this exploitable MS SQL data execution prevention violation is, “Up for sale to highest bidder (serious replies only) 6 0-day PoC’s in MS SQL.”

Microsoft declined to comment when I emailed them for quote regarding the new full-disclosure.

What escalated the tension between Microsoft and security researchers who, in their free time and for free, find security vulnerabilities in MS products and report them in confidentiality to MS, was the case of Tavis Ormandy.

Ormandy found a security vulnerability in Windows XP’s Help and Support Center and then he gave Microsoft five days heads-up, while communicating with MS about a patch, before publishing the proof-of-concept code that demonstrates how to exploit it. Ormandy was a Swiss Google employee, but working for Google had nothing to do with it. Microsoft-Spurned Researcher Collective seems very displeased that Ormandy’s employer was mentioned. It hit the fan in security circles, the right or wrong of public disclosure and responsible or irresponsible disclosure of security exploits. Microsoft reported that it has tracked more than 10,000 separate attacks that used the Windows XP zero-day exploit.

Sophos Senior Security Advisor Chester Wisniewski said on his firm’s blog last week, “While these attacks are very serious, it strikes me as some classic PR on Microsoft’s part to release a statistic like this while trying to blame Google for Tavis’s ‘irresponsible disclosure.’ Has Microsoft commented on the hundreds of thousands of Windows PCs infected with the ZBot Trojan? How about malicious PDFs? It seems that Microsoft is putting on the full court press to make a point about how they want vulnerability disclosures to be handled.”

Disclosing vulnerabilities into the wild is a hotbed of contention. The ethical gray area is justified by some if they feel that the discovered flaw needs to be patched sooner instead of later. Some security and IT professionals back Microsoft and “responsible disclosure,” stating that any vendor needs 60 days minimum to examine the vulnerabilities before coming up with a patch. Other security professionals believe public pressure from end-users will force Microsoft to close the exploit instead of being tempted to ignore it. Still others consider zero-day disclosures something done only by cyber security vigilantes. The other side of that coin is that freelance security researchers who point out problems to be patched are tired of the private reporting mechanism and apparent games by Microsoft. Perhaps the biggest winners here are the hackers who exploit the disclosed holes using the various Microsoft products.

That means the biggest losers are the enterprises, whose networks fall prey to hackers while the so-called white hats squabble.

Microsoft-Spurned Researcher Collective claims to be recruiting and checks to ensure no Microsoft employees infiltrate their ranks.  “If you wish to responsibly disclose a vulnerability through full disclosure or want to join our team, fire off an email to: msrc-disclosure () hushmail com,” the statement reads. This war seems to be heating up, with zero-day vulnerabilities being fully disclosed right and left.

Note to both sides: Tread easy. Karma is a bitch brutal…