Rally behind Google security engineer Tavis Ormandy

Jul 5, 2010 13:25 GMT  ·  By
A group of security researchers promises to release Microsoft vulnerabilities as zero-days

A group of security researchers has released full details and exploitation code for an unpatched Windows local privilege escalation vulnerability. The researchers openly stated that they will continue to do so in response to how Microsoft treated Tavis Ormandy, the Google engineer blamed for publicly disclosing a critical Windows bug last month.

The advisory for a new zero-day vulnerability affecting Windows Vista and Windows Server 2008 contains an interesting manifesto which reads: "Due to hostility toward security researchers, the most recent example being of Tavis Ormandy, a number of us from the industry (and some not from the industry) have come together to form MSRC: the Microsoft-Spurned Researcher Collective. MSRC will fully disclose vulnerability information discovered in our free time, free from retaliation against us or any inferred employer."

The name is clearly a pun directed at Microsoft's Security Response Center (MSRC), while Tavis Ormandy is the Google engineer who disclosed the Windows XP Help Center vulnerability that is currently being exploited in the wild. Ormandy has taken a lot of heat from both Microsoft and from others in the security community for publishing details about an unpatched critical vulnerability in the public domain.

According to Security Focus, the bug exposed by the so-called "Microsoft-Spurned Researcher Collective" can lead to local privilege escalation. "An attacker may exploit this issue to execute arbitrary code with kernel-level privileges, however, this has not been confirmed. Successful exploits will result in the complete compromise of affected computers," the Security Focus advisory reads.

The upset security researchers poke more fun at Microsoft in their disclosure. For example, their workaround section tells the company to locate the HKCU\Microsoft\Windows\CurrentVersion\Security registry key and change the "OurJob" boolean value to FALSE. They even include an email address that others willing to join the cause can use to make contact.

In related news, two other Microsoft zero-day vulnerabilities have been disclosed in the past week. One is located in mshtml.dll, and exploiting it leads to a memory leak condition. According to Ruben Santamarta, the security researcher who discovered it, the flaw affects Internet Explorer 8 on 32-bit and 64-bit editions of Windows XP, Vista and 7, and can potentially be leveraged to circumvent ASLR and DEP.

The second bug affects Internet Information Services (IIS) 5.1 and can be used to bypass the server's security restrictions remotely. A security researcher named Soroush Dalili is credited with discovering this vulnerability. Complete exploitation details are available on his blog.

You can follow the editor on Twitter @lconstantin