Security Protection - Harry Waldron (CS)

Security Best Practices, Breaking News, & Updates

Microsoft Spurned Researcher Collective - Is it irresponsible?

The ISC is conducting a poll and there is currently a 50% "YES" vote. I would encourage folks to vote their conscience on this and to only vote once.

VOTE HERE: Microsoft Spurned Researcher Collective - Is it irresponsible?
http://isc.sans.edu/poll.html?pollid=295

BACKGROUND:  Recently a security researcher attempted to pressure Microsoft into fixing a serious flaw in a rarely used service within a certain timetable. While I'm not certain of what was discussed, it appears that the two sides could not agree.

The frustrated researcher then published proof-of-concept code to force Microsoft to patch.  Within 2 days dangerous exploits appeared in the wild.  That truly placed pressure on Microsoft to patch this vulnerability, and it will be accomplished in the July updates.  While I don't know if the exploit had been used in targeted attacks previously, public disclosure exacerbated the issue.  Some folks got infected through this dangerous exploit, although thankfully it is not widespread.

I believe that the researcher would have been better served to report the issue and keep the potentially malicious source code private.  If vendors don't respond on a timely basis, the researcher has done their part.  A highly talented individual who publicly provides code that could be easily used by malicious individuals reduces the safety of the Internet.

Even when a patch might be rushed out the door, an estimated one third of folks don't patch.  While the researcher and Microsoft both published mitigations, well over 90% of users did not apply the FixIt solution.  These individuals would be vulnerable if directed to a malicious website or via dangerous P2P sites.  Since anti-virus vendors sometimes add coverage for dangerous exploits, that is truly the only protection most folks have.

MSRC is the Microsoft Security Response Center, and this new group plays on that acronym in its own name.  They are doing so as a parody, in sympathy with the researcher, who was critiqued extensively.  Maybe a more appropriate name for the group is the "Malware Seeding Research Center" ;-)

As in most things there are no absolutes, and the link below discusses the pros and cons of public disclosure. For example, vendors need to invest more in security and improve their timeframe for patching.  Bill Gates's 2002 Trustworthy Computing (TWC) directive has made a positive difference for Microsoft (and continuous improvement is always needed).  The security function is one of safety, and I favor all practices that keep potentially malicious code out of the hands of the bad guys:

Security Researchers and Public Disclosure - Pros and Cons
http://msmvps.com/blogs/harrywaldron/archive/2010/06/26/security-researchers-and-public-disclosure-pros-and-cons.aspx