Skip to main content
  1. Home
  2. Computing
  3. News

Security Experts Rally…Against Microsoft

By
Image used with permission by copyright holder

In the world of computer security, the industry standard best practice is a process called “responsible disclosure:” when a security issue is discovered with a software product, the discoverer reports to the problem to the software vendor and gives them time to develop a patch or workaround. Once a fix is available, then the bug’s discoverer (or the affected software company) can make information about the bug public. The idea is to reduce (or eliminate) the amount of time knowledge about the problem is floating around the Internet with no fix available.

Now, an anonymous group of security researchers has become frustrated with the “hostility” displayed by software giant Microsoft to outside security researchers, and has decided to throw responsible disclosure to the wind. Naming themselves the Microsoft-Spurned Researchers Collective—MSRC, a play on Microsoft’s own Microsoft Security Response Center—they have pledged to full disclose any vulnerabilities they uncover, without first reporting the problems to Microsoft so the company can evaluate them and develop a fix. To make good on their charter, the group disclosed a vulnerability in Windows Vista and Server 2008 that could be used to crash systems and, potentially, execute malicious code.

Recommended Videos

The anonymous group cites Microsoft’s recent treatment of Tavis Ormandy as the inventive for their action; Ormandy found the 17-year-old security problem in WIndows’ Virtual DOS Machine and more recently reported a significant security issue with Windows XP’s Help Center. Microsoft identified Ormandy as a Google employee; Ormandy maintains his reports to Microsoft were independent of Google and the company’s name should not have been used.

If the Microsoft-Spurned Researcher Collective gains momentum—and is able to deliver up significant security vulnerabilities to the general public—the group could be a boon to attackers and malware developers always looking for new ways to break into Windows systems. However, the group’s existence highlights the often contentious relations between software vendors and security researchers: while the vast majority of security issues are reported and patched without public drama, software makers do need to be mindful of how they interact with broader computer security communities.

Editors' Recommendations

Topics
Geoff Duncan
Geoff Duncan
Former Digital Trends Contributor
Geoff Duncan writes, programs, edits, plays music, and delights in making software misbehave. He's probably the only member…
How to insert a signature into Microsoft Word
how to insert a signature into microsoft word microsoftwordlaptop1

Inserting a signature into Microsoft Word is the perfect way to make your document appear more professional, as well as to provide a personal touch. Microsoft Word allows you to implement a digital signature for authenticity purposes, a handwritten signature, and a signature line that can be signed manually once the document is printed out.

Let's take a look at how to insert a signature into Microsoft Word.

Read more
Microsoft Edge vs. Google Chrome: Performance, design, security, and more
Microsoft Edge browser on a computer screen.

Google Chrome remains the king of the web browsers, with around 60% share of the browser market as of December 2021. Microsoft's Edge browser, which uses the Chromium open-source engine, is in a lower spot around 12%, which is impressive with the browser having only been introduced in the last couple of years. Microsoft pushed the new Edge to all Windows 10 desktops, replacing the old Windows 10 version and giving Edge a built-in -- well -- edge. Edge is also the default browser for Windows 11.

Which browser should you use? The two share a lot of similarities, but some key differences make one the clear winner.
Design

Read more
Frustrated security researcher discloses Windows zero-day bug, blames Microsoft
Laptop sitting on a desk showing Windows 11's built-in Microsoft Teams experience.

There's a new zero-day issue in Windows, and this time the bug has been disclosed to the public by an angry security researcher. The vulnerability relates to users leveraging the command prompt with unauthorized system privileges to share dangerous content through the network.

According to a report from Bleeping Computer, Abdelhamid Naceri, the security researcher who disclosed this bug, is frustrated with Microsoft over payouts from the bug bounty program. Bounties have apparently been downgraded significantly over the past two years. Naceri isn't alone, either. One Twitter user reported in 2020 that zero-day vulnerabilities no longer pay $10,000 and are now valued at $1,000. Earlier this month, another Twitter user reported that bounties can be reduced at any time.

Read more