The software giant referred to the disclosed flaw as "the claimed vulnerability," but left the door open for issuing a patch or workaround. "Microsoft is investigating new public claims of a possible vulnerability in Windows 2000 and Windows XP. We're currently unaware of any attacks trying to use the claimed vulnerability or of customer impact. Once we're done investigating, we will take appropriate action to help protect customers. This may include providing a security update through the monthly release process, an out-of-band update or additional guidance to help customers protect themselves," said Jerry Bryant, group manager of response communications for Microsoft, in a statement today.
The revelation this week of the buffer overflow vulnerability, which could allow an attacker to take control of Windows machines remotely, came the same day another potential zero-day disclosure was made by a group of apparently disgruntled hackers. The so-called "use-after-free" vulnerability posted by a group of hackers calling themselves the Microsoft-Spurned Researcher Collective could be exploited to crash Vista and Server 2000 systems, according to the disclosure posting. The group said its goal is to "fully" disclose vulnerabilities in protest against vendors berating researchers who disclose bugs on their own without first handing them over to the affected vendors: "Due to hostility toward security researchers, the most recent example being of Tavis Ormandy, a number of us from the industry (and some not from the industry) have come together to form MSRC: the Microsoft-Spurned Researcher Collective. MSRC will fully disclose vulnerability information discovered in our free time, free from retaliation against us or any inferred employer," the hackers said in their post.
Ormandy is the Google engineer and researcher who last month posted online a Windows Help and Support Center zero-day bug, drawing the ire of Microsoft and its staunch policy of "responsible disclosure," under which researchers inform the affected vendor of holes in its products before going public. Live exploits abusing the bug began appearing thereafter.
Microsoft voiced its displeasure with the handling of the disclosure, in which Ormandy reported the bug to Microsoft on June 5 and then went public with it four days later, before the vendor was able to fix it.
Meanwhile, the software giant says it's also still investigating the MSRC's Vista and Windows Server 2008 disclosure. "Our initial analysis of the Proof-of-Concept code supplied has determined that an attacker must be able to log on locally or already have code running on the target system in order to cause a local Denial of Service," Bryant said in a statement.
The disclosure by the group of hackers is yet another example of rebellion among the researcher community against Microsoft's firm stance on bug disclosure. The group is openly recruiting help as well: "If you wish to responsibly disclose a vulnerability through full disclosure or want to join our team, fire off an email to: msrc-disclosure () hushmail com," says the group's post. "We do have a vetting process by the way, for any Microsoft employees trying to join ;-) ."