Microsoft Challenged By Security Researchers

Group dubbed Microsoft-Spurned Researcher Collective promises open and free disclosure of vulnerability information.

Mathew Schwartz

July 7, 2010


Microsoft's efforts to restrict the public disclosure of information relating to bugs in its products -- before it's had time to fix them as part of its monthly patch cycle -- now face a challenge from an anonymous group of anti-Microsoft security researchers.

The group has dubbed itself MSRC, for the Microsoft-Spurned Researcher Collective. According to a manifesto released by the group, it was formed "due to hostility toward security researchers, the most recent example being of Tavis Ormandy" and promised that "MSRC will fully disclose vulnerability information discovered in our free time, free from retaliation against us or any inferred employer."

Ormandy last month informed Microsoft of a zero-day -- that is, previously unknown -- vulnerability in Windows Help and Support Center. Five days later, he publicly disclosed the existence of the vulnerability. That move earned him both condemnation and praise.

The existence of MSRC surfaced last week, when its manifesto came attached to a vulnerability announcement distributed by VUPEN Security, an information security research firm not associated with MSRC.

According to VUPEN, "a vulnerability has been identified in Microsoft Windows, which could be exploited by local attackers to cause a denial of service or potentially gain elevated privileges." The issue stems from an error in a call to a kernel function, the failure of which "could allow malicious users to crash an affected system or potentially execute arbitrary code with kernel privileges."

VUPEN said it verified that the vulnerability exists on Microsoft Windows Vista SP2 and Windows Server 2008 Service Pack 2. "However, successful exploitation for code execution is unlikely," according to the firm, which means that it's rated as a "low risk" bug. To date, no vendor-supplied patch has been issued.

As regards MSRC, the name is an obvious play on the Microsoft Security Response Center, tasked by Microsoft with investigating any and all security vulnerabilities that affect Microsoft products and services. It's also the designated first point of contact for any security researcher wishing to report a vulnerability to Microsoft.

In its disclosure, MSRC took a few more jabs at Microsoft, noting in a vulnerability workaround section that "Microsoft can workaround these advisories by locating the following registry key: HKCU\Microsoft\Windows\CurrentVersion\Security and changing the 'OurJob' boolean value to FALSE." In addition, stated the advisory, "we at MSRC would like to help you, the users, work around this issue, but PatchGuard will not allow us." PatchGuard is Kernel Patch Protection, which prevents kernel patching on x64 versions of Microsoft Windows.

Finally, MSRC issued an open call for any security researchers to join its team, or to report a vulnerability, by applying via a Hushmail e-mail account. "We do have a vetting process by the way, for any Microsoft employees trying to join," said the advisory.
