Spurned Microsoft Researchers Form Their Own 'MSRC'


A group of security researchers disillusioned by Microsoft's reaction to a Google engineer's public disclosure of a Windows XP Help Center bug has formed its own "union," the Microsoft Spurned Researcher Collective.

The group claimed they were galvanized into uniting by Microsoft's dismissive response to Google engineer Tavis Ormandy's public disclosure of a zero-day Windows Help Center flaw affecting XP and Windows 2000, which is currently being exploited in active "in the wild" attacks.

"Due to hostility toward security researchers, the most recent example being Tavis Ormandy, a number of us from the industry (and some not from the industry) have come together to form MSRC: the Microsoft-Spurned Researcher Collective. MSRC will fully disclose vulnerability information discovered in our free time, free from retaliation against us or any inferred employer," according to a security advisory on the group's Website.

Ormandy bore the brunt of criticism from Microsoft after his public disclosure of an unpatched critical zero-day XP Help Center vulnerability last month. Among other things, the software giant accused Ormandy of disclosing the flaw irresponsibly and exposing users to the inevitable barrage of ensuing attacks before the company was adequately prepared to address the issue.

The newly formed Microsoft Spurned Researcher Collective (MSRC) published a new zero-day vulnerability affecting Windows Vista and Windows Server 2008. If left unpatched, the security bug, a privilege escalation vulnerability in the Windows kernel, paves the way for hackers to launch denial-of-service attacks on users' computers, and possibly remote code execution.

"An attacker may exploit this issue to execute arbitrary code with kernel-level privileges, however, this has not been confirmed. Successful exploits will result in the complete compromise of affected computers. Failed exploit attempts may cause a denial-of-service condition," according to a Security Focus blog post.

However, the security vulnerability will likely not constitute a critical flaw because remote code execution could not be confirmed, according to Vupen Security, which rated the flaw as a moderate risk.

In addition to disclosing zero-day vulnerabilities, the MSRC's advisories are written to take potshots at Microsoft, starting with the group's name, Microsoft Spurned Researcher Collective (MSRC), an obvious spoof of Microsoft's own Microsoft Security Response Center.

The rest of the MSRC's Windows Vista security advisory continues to poke fun at Microsoft and its processes. In the workaround section, the researchers tell users to locate the HKCU\Microsoft\Windows\CurrentVersion\Security registry key and change the "OurJob" Boolean value to "FALSE." The group then provides an e-mail address for anyone interested in joining the cause to chime in with comments or questions.