
Researchers publish info about Windows Vista flaw

Payback for hostility to security researchers

A group of security researchers has published information about a flaw in Windows Vista and Server 2008, in revenge for the way Microsoft treated a colleague.

The flaw, which has not been patched, could be used by attackers to gain unauthorised access to a PC or cause it to crash.

Microsoft downplayed the threat, saying that the vulnerability required an attacker to have physical access to the computer or have compromised it with another exploit.

More intriguing than the vulnerability or its public disclosure - both are commonplace with Windows - was the declaration that opened the message posted July 1 to the Full Disclosure security mailing list.

"Due to hostility toward security researchers, the most recent example being of Tavis Ormandy, a number of us from the industry (and some not from the industry) have come together to form MSRC: the Microsoft-Spurned Researcher Collective," the message read.

"MSRC will fully disclose vulnerability information discovered in our free time, free from retaliation against us or any inferred employer."

The name of the group is a poke at the Microsoft Security Response Center, the group responsible for investigating vulnerabilities, which also goes by the acronym MSRC.

Tavis Ormandy is the Google security engineer who was at the center of a storm last month after he publicly disclosed a Windows vulnerability when Microsoft wouldn't commit to a patching deadline.

Ormandy's vulnerability was quickly put to use by hackers, who began launching attacks five days after he publicised the flaw. Last week, Microsoft claimed that it had tracked attacks on more than 10,000 computers since June 15.

While some security researchers criticised Ormandy for going public with the Microsoft vulnerability, others rose to his defence, calling out both Microsoft and the press - including PC Advisor's sister title Computerworld - for linking Ormandy to his employer, Google.

The Microsoft-Spurned Researcher Collective posted their message anonymously using an account from the Hushmail service and listed six names supposedly associated with the group. The names, however, were represented only by multiple Xs.

The group also called on other researchers to join it and along the way took another jab at its opponent. "We do have a vetting process, by the way, for any Microsoft employees trying to join," the group said.

Microsoft confirmed it was investigating the bug, but said the risk to users was minimal.

"Our initial analysis of the Proof-of-Concept code supplied has determined that an attacker must be able to log on locally or already have code running on the target system in order to cause a local Denial of Service," said Jerry Bryant, a group manager with the company's MSRC.

Bryant said the bug didn't meet the bar for releasing a security advisory, Microsoft's usual first step in the process it goes through to patch a problem.

Danish vulnerability tracking firm Secunia agreed with Microsoft that the bug was relatively minor, classifying it as a 'less critical' threat, the second-lowest ranking in its five-step system.

According to Secunia, the bug affects fully patched versions of Windows Vista Business SP1 and Windows Server 2008 Enterprise SP1 and SP2, and possibly other editions of the operating system.

The flaw revealed by the Microsoft-Spurned Researcher Collective was not the only unpatched vulnerability to go public in recent days.

Secunia published an advisory this week that outlined a 'moderately critical' bug in Windows 2000 and Windows XP that could be used to hijack PCs. Microsoft said via Twitter it was investigating that bug report as well, and said it would provide an update "when we have more information."

Last week, Ruben Santamarta, a researcher with the Spanish security firm Wintercore, disclosed information and published attack code for a critical vulnerability in Internet Explorer 8 (IE8) running on Windows XP, Vista or Windows 7.

Santamarta claimed that the bug could be used to sidestep DEP (data execution prevention) and ASLR (address space layout randomisation), two security defenses baked into Windows.
