Details of security vulnerabilities in Microsoft Windows have recently been published several times before any security update was available. Some of these vulnerabilities were subsequently exploited, for example the unpatched Windows zero-days RedSun, UnDefend, and BlueHammer. Microsoft disapproves of this practice: the company is threatening legal action and involvement of law enforcement. The discoverer of the Windows vulnerabilities rejects the accusations.

In a blog post, the Microsoft Security Response Center (MSRC) expresses its displeasure that it was not informed of the security vulnerabilities in advance. Advance notification is a basic element of good practice in the IT security industry: under the established process of Coordinated Vulnerability Disclosure (CVD), the discoverer of a security vulnerability informs the responsible vendor and gives it a limited period to release updates that fix the flaw before details are published. Large organizations also regularly reward discoverers financially for such responsible disclosure.

CVD is intended to prevent security vulnerabilities from being actively exploited while at the same time pushing software vendors to secure their products promptly. “Uncoordinated disclosures that put proof-of-concept code for unpatched vulnerabilities into the hands of bad actors are never justifiable and have real-world consequences,” writes the MSRC. Microsoft says it will not shy away from taking legal action against both the actual perpetrators and those who publish such details, “as needed in cooperation with law enforcement around the world.”