Microsoft remains hostile towards security researchers
July 8, 2010
Some Internet security researchers, irritated and frustrated by the manner in which Microsoft responded to Google engineer Tavis Ormandy's public disclosure of a zero-day Windows XP Help Center security flaw, have joined together to form a coalition group called the Microsoft Spurned Researcher Collective. The group appears to be gaining traction fast around the globe.
The team is forming a sort of union in the belief that, together, its members will be better placed to counter what they see as misconceptions from the software giant following the publication of Windows XP security bugs.
A statement, published by The Windows Club blog, explains the Collective's concept. “Due to some hostility towards various Internet security researchers, the most recent example being of Tavis Ormandy, a number of us from the industry have come together to form MSRC: the Microsoft-Spurned Researcher Collective. MSRC will fully disclose security vulnerability information discovered in our free time, and unbiased from retaliation against us or any inferred employer,” the group said.
On July 1st, the researcher published a "zero-day flaw" affecting Windows Vista and Windows Server 2008. The unpatched hole, which stems from a flaw in the Windows kernel, gives attackers a means to crash affected PCs and servers.
The controversy about responsible security disclosure of such vulnerabilities is as old as software development itself, the group said. Security researchers argue that by disclosing problems they give end-users a chance to act and put pressure on software developers, who might otherwise be tempted to ignore the issues.
Various commercial software developers, including Oracle, Adobe and many others, have long argued that publicly disclosing security vulnerabilities in the absence of a fix greatly imperils users.
The argument hinges on whether a security vulnerability is being actively exploited or not. But in most cases found, it is. The length of time a software vendor has had to fix a security hole, a period that can sometimes run into months, especially in the case of Microsoft, is also a very important factor, the group said.
Vupen Security, which published an advisory on Windows XP's security bugs but isn't part of the coalition group, rates the vulnerability only as a moderate risk because it doesn't lend itself to remote code execution.
However, not everybody at the Microsoft Spurned Researcher Collective agrees with Vupen.
In June, Internet security solution provider Softchoice Corp. encouraged its clients to deploy Microsoft Windows XP Service Pack 3 (SP3) or Windows 7, as support for Service Pack 2 (SP2) ends for good on Tuesday, July 13, 2010.
On that date, Windows 2000 Professional and Windows 2000 Server will also reach end of support, as Microsoft warned as early as April 2009.
According to a research brief from Softchoice, which analyzed a total of 278,500 corporate and public sector computers and workstations from 117 different companies and organizations across the U.S. and Canada, about 45.2 percent were still running the older Windows XP Service Pack 2.
The numbers were collected and analyzed by Softchoice from January 3rd to June 10th of this year.
Elliot Katz, senior product manager for Windows client at Microsoft's regional office in Toronto, says that once support ends, the software giant will no longer provide support or security patches for the above versions; customers must install the latest XP Service Pack 3 or upgrade to Windows 7 altogether.
Dean Williams, services development manager at Softchoice, said that, based on the findings of its most recent research note on Windows XP SP2, Softchoice is taking on a mission of education to warn its customers that the end-of-support date is drawing closer every day.
“The main impact on end-users when a product reaches end of support is that security updates, which include critical patches, are no longer delivered to the operating systems,” Katz said. “We want customers to be fully aware that they can still upgrade to SP-3 with Windows XP or go and upgrade directly with the newer Windows 7.
Windows XP SP3 is a free download, but if customers don't have the Internet bandwidth, or if they share a slower Internet connection, they can still order the DVD from us and just pay the shipping and handling.”
"This is simply a mission of education for us and our customers. In our opinion, the problem doesn't stem from people not wanting to deploy SP3, it's just that they don't know what service pack they're currently using. This then becomes a more complex problem involving people and various other processes," says Katz.
Customers and industry partners should start taking a look at their environments to see what operating system they're currently running, Katz added.
With no more security updates after July 13, Williams said, customers who fail to migrate to the new service pack or a newer operating system will be exposed to potential security risks and attacks.
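Katz's point that customers often do not know which service pack they are running can be answered with a simple inventory query. The PowerShell script below is an added example, not code from the article, Softchoice or Microsoft; it assumes WMI access to the listed hosts with the current credentials, and the computer names are constructed.

```powershell
# Added example: flag hosts that lose security updates on July 13, 2010
# (Windows XP below SP3 and any Windows 2000 edition).
function Get-SupportStatus {
    param([string]$Caption, [int]$SpMajor)
    # Windows 2000 reaches end of support on the same date regardless of service pack.
    if ($Caption -match 'Windows 2000') { return 'Unsupported (Windows 2000 end of support)' }
    if ($Caption -match 'Windows XP') {
        if ($SpMajor -lt 3) { return "Unsupported (XP SP$SpMajor, needs SP3)" }
        return 'Supported (XP SP3)'
    }
    return 'Supported'
}

$Computers = @('WKS-001', 'WKS-002', 'SRV-FILE01')   # constructed sample host names

$Report = foreach ($Name in $Computers) {
    try {
        # Caption, CSDVersion and ServicePackMajorVersion are standard Win32_OperatingSystem properties.
        $Os = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $Name -ErrorAction Stop
        New-Object PSObject -Property @{
            Computer    = $Name
            OS          = $Os.Caption
            ServicePack = $Os.CSDVersion
            Status      = Get-SupportStatus -Caption $Os.Caption -SpMajor $Os.ServicePackMajorVersion
        }
    } catch {
        # Unreachable hosts are reported, not skipped: an unknown machine is
        # exactly the gap the article describes.
        New-Object PSObject -Property @{
            Computer    = $Name
            OS          = 'n/a'
            ServicePack = 'n/a'
            Status      = "Unknown ($($_.Exception.Message))"
        }
    }
}

$Report | Sort-Object Status | Format-Table Computer, OS, ServicePack, Status -AutoSize
```

Hosts reported as Unknown should be followed up by hand, since they are the ones most likely to be forgotten when the patches stop.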
Source: The Microsoft Spurned Researcher Collective.