EditorsAbout the SiteComes vs. MicrosoftUsing This Web SiteSite ArchivesCredibility IndexOOXMLOpenDocumentPatentsNovellNews DigestSite NewsRSS

12.03.07

FUD Alert: Microsoft’s Jeff Jones Aims His Lying Pistol at Firefox (Updated)

Posted in FUD, GNU/Linux, Security, Windows at 3:09 pm by Dr. Roy Schestowitz

More lies reveal new fears

Jim Powers wrote to point out this bit from Glyn Moody:

So, Microsoft refers to a report that just happens to be written by one of its employees, but without mentioning that fact.

This isn’t exactly new (Matt Asay pointed this out a couple of days ago), but it connects nicely to our observation that Microsoft uses its internal people and various hired ‘analysts’ to deceive the public. More on that in a moment, but first, here’s Asay’s take.

It’s a convenient fiction that buying everything from one vendor makes life easier. It may make installation and integration between programs easier, but that ease leads to single points of failure. Hijacking a browser is nice, but using the browser to dig deep into the OS, to have that hijacking facilitated by a too-close tie between the browser and the OS? Even better.

For reasons that were briefly mentioned a couple of days ago, Microsoft likes to hide its patches (or simply not patch at all) in order to keep up appearance. There are some recent examples of this, e.g.:

1. Skeletons in Microsoft’s Patch Day closet

This is the first time I’ve seen Microsoft prominently admit to silently fixing vulnerabilities in its bulletins — a controversial practice that effectively reduces the number of publicly documented bug fixes (for those keeping count) and affects patch management/deployment decisions.

2. Beware of undisclosed Microsoft patches

Forget for a moment whether Microsoft is throwing off patch counts that Microsoft brass use to compare its security record with those of its competitors. What do you think of Redmond’s silent patching practice?

Then, consider the invalidity of patch count.

Sorry, but Microsoft’s self-evaluating security counting isn’t really a good accounting.

[...]

The point: Don’t count on security flaw counting. The real flaw is the counting.

Only days ago, the weaknesses of Internet Explorer security were mentioned in the following article.

When Didier Stevens recently took a closer look at some Internet Explorer malware that he had found, something surprised him somwehat. He discovered that the IE-targeted malware had been obfuscated with null-bytes (0×00) and when run against VirusTotal, he found that fewer than half of the products identified the sample as malware (15 of 32). When all null-bytes were removed, the chances of successful detection improved, though not as much as would normally be expected (25 of 32 detections).

Going further back you’ll find that IE7 has already been the victim of quite a lot of “critical” flaws (the highest level of severity, which compromises the operating system remotely, with or without user intervention). Examples include:

1. Code posted for Internet Explorer attack

“This type of vulnerability has been very popular with malicious attacks in the past, and we expect to see its usage increase substantially, now that exploit code is publicly available,” security vendor Websense. warned in a note published Monday.

2. Microsoft probes possible IE 7 phishing hole

The vulnerability relates to the message IE displays when Web page loading is aborted, Raff wrote. An attacker can rig the message by creating a malicious link. The message will offer a link to retry loading the page; hitting it brings up the attacker’s page, but showing an arbitrary Web address, he wrote.

3. Critical IE Graphics Flaw Resurfaces

It’s bad enough when crooks exploit bugs to ruin a home computer, but the consequences of a successful attack can be much worse. A substitute teacher in Norwich, Connecticut, found that out when a computer she was using in her classroom suddenly started showing pornographic pop-up ads to everyone in the class. She now faces up to 40 years in prison after being convicted of willfully showing her students the images. A security expert hired by her defense, however, says he found malicious software on the PC.

4. Monthly Microsoft Patch Hides Tricky IE 7 Download

Opinion: Microsoft used the January 2007 security update to induce users to try Internet Explorer 7.0 whether they wanted to or not. But after discovering they had been involuntarily upgraded to the new browser, they next found that application incompatibility effectively cut them off from the Internet.

5. Attack code out for ‘critical’ Windows flaw

All recent versions of Windows are vulnerable when all recent versions of IE, including IE 7, are in use, according to Microsoft.

6. IE7 ‘critical update’ causes headaches for managed desktop environments

As many organisations may not feel compelled to turn off automatic updates, they should be prepared to face this is issue when Internet Explorer 7 is downloaded and installed automatically.

7. IE 7 bugs abound

“But browser testers may already be at risk, according to security researcher Tom Ferris. Late Tuesday, Ferris released details of a potential security flaw in IE 7. An attacker could exploit the flaw by crafting a special Web page that could be used to crash the browser or gain complete control of a vulnerable system, Ferris said in an advisory on his Web site. Microsoft had no immediate comment on Ferris’ alert.”

8. Information disclosure bug blights IE7 release

The flaw stems from error in the handling of redirections for URLs with the “mhtml:” URI handler. Security notification firm Secunia reports that the same bug was discovered six months ago in IE6 but remains unresolved.

9. IE Used to Launch Instant Messaging and Questionable Clicks

First of all, you need to visit an infection site using Internet Explorer – this exploit doesn’t work in Firefox, for example.

10. IE Exploit Could Soon Be Used By 10,000-plus Sites

First reported by Florida-based Sunbelt Software Tuesday, the bug has already been used to compromise PCs and load them with scores of adware and spyware programs, as well as other malicious code. Users surfing with IE 6 and earlier can be infected simply by viewing the wrong site.

11. Russian sites using new IE bug to install spyware

This is the second unpatched flaw found in IE over the past week. On Sept. 14, researchers posted code that could be used to exploit a different vulnerability in a multimedia component of the Web browser. Microsoft is still investigating that flaw and is not saying whether it too will be patched next month.

12. Seen in the wild: Zero Day exploit being used to infect PCs

The exploit uses a bug in VML in Internet Explorer to overflow a buffer and inject shellcode. It is currently on and off again at a number of sites.

Security researchers at Microsoft have been informed.

13. Attack code targets new IE hole

Computer code that could be used to hijack Windows PCs via a yet-to-be-patched Internet Explorer flaw has been posted on the Net, experts have warned.

Then, come to consider some comparisons, e.g.:

1. Which Is Safer: Internet Explorer 7 or Firefox 2.0

In the SmartWare test, Microsoft’s Internet Explorer 7 blocked 690 known phishing sites, or 66.35 percent of the total. In contrast, Firefox blocked 78.85 percent when using a local antiphishing database and 81.54 percent when using the online database.

2. Firefox Still Tops IE for Browser Security

“Mozilla is forthcoming about vulnerabilities,” Levy said, whereas “it takes Microsoft far longer to acknowledge vulnerability.”

How much longer? “In the last reporting period, the second half of last year, Microsoft had acknowledged 13 vulnerabilities. We’ve now revised it to 31. The difference is that now Microsoft has acknowledged these vulnerabilities.”

[...]

“Mozilla can turn around on a dime,” Levy said. “Open-source programmers can recognize a problem and patch it in days or weeks.”

And as for Microsoft?

“If a vulnerability is reported to Microsoft, Microsoft doesn’t acknowledge it for at least a month or two. There’s always a certain lag between knowing about a bug and acknowledging it,” Levy said.

Other recent articles state that Firefox may have its weak points, but often they are the result of attempts to mimic IE functionality on Windows, which means that the fragile layer is the operating system, not just the Web browser. On operating systems security, consider the following articles from the past year:

The great value of GNU/Linux is something that Microsoft itself cannot deny. In fact, it wasn’t long ago that it was ‘caught’ praising it. Microsoft’s campus is full of Linux devices that the company is happy with.

What the press statement didn’t mention is that Aruba mobility controllers run the Linux operating system which Microsoft has aggressively targeted as being inferior to Windows as part of its “Get the Facts” marketing campaign.

[...]

Pandey’s appraisal of Aruba’s technology is in stark contrast to Microsoft’s “Get the Facts” rhetoric which places Windows as a more secure, and higher-performing choice over Linux.

Let’s not forget that for many years, Microsoft has run its Web sites behind the Akamai clusters that are all GNU/Linux. As evidence, consider this recent blog post that contains a screenshot.

Microsoft has also bought companies whose entire infrastructure is based on GNU/Linux and Free software. Examples include the recent acquisition of Newsvine:

The funny thing is, The site is hosted on Debian Linux…

There is also the $6 billion acquisition of aQuantive:

This month’s announcement by Microsoft to acquire digital marketing services firm aQuantive has revealed little on how the companies will integrate their IT, but inside information indicates the deal may be Redmond’s largest commitment to free software.

[...]

Whether the businesses are complementary or not, Microsoft’s integration work will no doubt involve a lot of open source software used by aQuantive.

Information available from Atlas’ Web site indicates the Internet software company employs extensive use of open source software including Linux, Apache, MySQL, and Solaris.

Software engineers at Atlas’ Raleigh office do client/server development in C and C++, software maintenance and “scripting”, and developing and maintaining custom reporting capabilities.

Remember Hotmail, which ran a BSD for several years after Microsoft had acquired it? There are many more examples, but they would make this post extremely long.

”While Microsoft controls the media, buys the media, and even buys voices on the Internet, nobody can be trusted.“As promised, returning to the original point of this post, Microsoft can deny the truth all it wants, but we ought to judge things for ourselves. While Microsoft controls the media, buys the media, and even buys voices on the Internet, nobody can be trusted. The antitrust exhibit known as “Effective Evangelism” [PDF] shows that Microsoft has for a long time intended to hire analyst whose output only appears to be independent. One need only look a month back for a live demonstration.

Going a year into the past, Redmond Kool-Aid seems likely to have played a role in another story which turned out to be an anti-Firefox lie. It did a lot of damage even after it was called a lie, by admission of the claim’s own so-called ‘hacker’. More information here.

Lately, I read the headline: “Open Source browser Firefox is so critically flawed that it is impossible to fix, according to two hackers.” Further on, in the ZDNet article I read: “The hackers claim they know of about 30 unpatched Firefox flaws. They don’t plan to disclose them, instead holding onto the bugs.”

Since that sounds suspicious, I decided to start searching for connections with MS. Easy enough, here it is…

So, as you can see, the anti-Mozilla Firefox crusade has roots in the past. It remains to be seen how the media will respond to Microsoft’s latest attempt to spread Firefox FUD.

Update: A Mozilla senior, who is also a former Microsoft employee, spills the beans on Microsoft and reveals more information about the deception mentioned above.

This is a small subset of all the vulnerabilities, because the vulnerabilities that are found through the QA process and the vulnerabilities that are found by the security folks they engage as contractors to perform penetration testing are fixed in service packs and major updates. For Microsoft this makes sense because these fixes get the benefit of a full test pass which is much more robust for a service pack or major release than it is for a security update.

Share this post: These icons link to social bookmarking sites where readers can share and discover new web pages.
  • Digg
  • del.icio.us
  • Reddit
  • co.mments
  • DZone
  • email
  • Google Bookmarks
  • LinkedIn
  • NewsVine
  • Print
  • Technorati
  • TwitThis
  • Facebook

If you liked this post, consider subscribing to the RSS feed or join us now at the IRC channels.

Pages that cross-reference this one

What Else is New


  1. Nefarious Forces for Patent Abuse and Software Patents in the United States, Australia, India, Korea, and Europe

    A roundup of news from the weekend and today, with emphasis on the elements inside the system (or the media) which push for regressive policies that benefit them financially at the expense of everybody else



  2. [ES] El Sistema de Patentes de los EE.UU: Donde Uno Desperdicia Aos en Corte y Gasta $8,000,000 en Honorarios de Abogados Peleándo una Patente Falsa

    un sumario de noticias acerca de las patentes de software en los EE.UU. Y ha lo que han llevado, debido en gran manera al decline en calidad de las patentes por parte de la USPTO (dejando que otros se las arreglen limpiando el desórden)



  3. [ES] La Oficina Europea de Patentes Todavía Sigilósamente Abusiva, Pagará $15,000 en Compensasió a Trabajadora Tras un Tardío Fallo de la ILO

    La Organización Internacional del Trabajo (ILO) emite un fallo en un caso de abuso de la EPO y nota “la excesiva duración de los procedimienteos internos de apelación.”



  4. Links 2/5/2016: Linux 4.6 RC6, DragonBox Pyra

    Links for the day



  5. Links 1/5/2016: Wine 1.9.9, Devuan Jessie 1.0 Beta

    Links for the day



  6. The US Patent System: Where One Wastes Years in Court and Spends $8,000,000 in Lawyers' Fees Fighting a Bogus Patent

    A roundup of news about software patents in the US and what they have led to, owing in part to the USPTO's declining patent quality (leaving others to clean up its mess)



  7. The European Patent Office Still Silently Abusive, Will Pay $15,000 in Compensation to Female Worker After Belated ILO Judgment

    The International Labour Organisation (ILO) issues a judgment on a case of abuse by the EPO and notes "excessive length of the internal appeal proceedings."



  8. [ES] Alice Continúa Quebrando Patentes de Software Asi Que los Abogados de Patentes, Cabilderos de los Monopolistas, Etc. Ahora Atacan a la Corte Suprema por Hacer Esto

    los cabilderos Corpórativos y abogados de patentes están tratándo de poner a Alicia en la tumba, por su impacto en las patentes de software que es muy profundo y así hasta ahora casi indetenible



  9. [ES] ¿Cómo Salvar la Reputación de la EPO?: Crear Más Jurados de Apelaciónes en Europa y Abolir la Malgíada/Malintencionada Fantasía de la UPC

    Una crítica evaluación de lo que ocurre en la Oficina Europea de Patentes (EPO), la que rápidamente se está yendo para abajo (y degradando sobre todo) a el nivel de los sistemas Chinos, en conjuntamente con corrupción, los abusos, y la bajísima calidad de las patentes



  10. [ES] La Corte de Apelaciónes del Circuito Federal (CAFC) Acaba de Ponerse a Favor de los Trolles de Patentes

    la tristémente célebre CAFC, que manifestó las patentes de software en los EE.UU, acaba de dar un regalo a los trolles de patentes quienes típicamente usan las patentes de software para extorsión enc complicidad con los jueces del Este de Texas



  11. [ES] Análisis de los Últimos Datos de Lex Machina Acerca de la Litigación de Patentes Muestra Como está Declinándo

    el Professor Mark Lemley de Lex Machina resalta las tendencias en litigation al colectar y analizar datos relacionados con patente y concerniéntes a monopolios intelectuales en general; actualmente muestra una sequía de litigaciones (muestran que ha disminuído)



  12. [ES] La India Está Teniendo Otra Prueba de los Peligros de las Patentes Occidentales, Debe Aprender a Rechazar Completamente las Patentes de Software en Medio de Gran Presión

    El gigante de software que es la India continua enfrentándos ea la cruel y agresivo cabildeo de Occidente, haciéndo que este controle a la India por patentes que no deberían de existir en primer lugar



  13. [ES] Microsoft Dice que Continuará Extorsiónando a Compañías Que Distribuyan Linux, Usando Patentes de Software Usuallmente

    La guerra de Microsoft contra Linux, una guerra que es peleada usando patentes de software patents (por ganancias y/o por chantáje con arreglos empaquetados), todavía continúa a pesar de todas las tácticas de relaciónes públicas de Microsoft y sus sócios



  14. Alice Continues to Smash Software Patents So Patent Lawyers, Monopolists' Lobbyists Etc. Now Attack the Supreme Court for Doing This

    Corporate lobbyists and patent lawyers are trying to put Alice in the grave, for its impact on software patents is very profound and thus far almost unstoppable



  15. How to Salvage the EPO's Reputation: Create More Boards of Appeal in Europe and Abolish the Misguided UPC Fantasy

    A critical evaluation of what goes on at the European Patent Office (EPO), which is quickly descending down (and overall degrading) to the level of Chinese systems, along with the corruption, the abuses, and the low quality of patents



  16. Court of Appeals for the Federal Circuit (CAFC) Has Just Sided With Patent Trolls

    The notorious CAFC, which manifested software patents in the United States, has just given a gift to patent trolls that typically use software patents for extortion down in Texas



  17. Analyses of the Latest Data From Lex Machina About Patent Litigation Show Some Litigation Declines

    Professor Mark Lemley's Lex Machina highlights litigation trends by collecting and analysing data related to patents and pertaining to intellectual monopolies in general; now it shows litigation droughts



  18. India is Having Another Taste of the Dangers of Western Patents, Must Learn to Reject Software Patents in the Face of Great Pressure

    The growing software giant which is India continues to face cruel and aggressive lobbying from the West, enabling the West to control India by patents that should not exist in the first place



  19. Links 29/4/2016: GNOME 3.21.1, Fairphone

    Links for the day



  20. Microsoft Says It Will Continue to Extort Companies That Distribute Linux, Using Software Patents As Usual

    Microsoft's war on Linux, a war which is waged using software patents (for revenue and/or for coercion in bundling deals), is still going on in spite of all the PR tactics from Microsoft and its paid partners



  21. Australia Might be Next to Block Software Patents If Commission's Advice is Followed

    Australian advice against software patents, which can hopefully influence Australian politicians and put an end, once and for all, to all software patents in Australia



  22. [ES] ''Si la Forma de Pensar de la EPO fuese Seguida, Guantánamo Sería Posible en Suelo Alemán.”

    La EPO está todavía bajo fuego, pero mucho de ello pasa detrás de las cortinas y envuelve abogados y/o burócratas



  23. The European Copy-Paste Office (EPO)

    This morning's example (not the first) of how the EPO uses 'social' media



  24. Links 28/4/2016: Fedora 24, EE Goes Open Source

    Links for the day



  25. Amid Referendum “the New European Unitary Patent System is Likely to Collapse Before It Started”

    The Unitary Patent Court (UPC) vision seems like it may be just one month away from its gradual death, depending on British voices amongst other key factors



  26. USTR is Trying to Shame and Bully India Into Introducing Software Patents in India

    Lobbying body of the US (corporations-led) is trying its usual dirty tactics against India's sound policy which excludes software/algorithms from patent scope



  27. No, Visual Studio is NOT Open Source and Xamarin Openwashing is NOT News

    The latest example of Microsoft openwashing, courtesy of confidants of Microsoft and those who got bamboozled by them



  28. Latest Black Duck Puff Pieces a Good Example of Bad Journalism and How Not to Report

    Why the latest "Future of Open Source Survey" -- much like its predecessors -- isn't really a survey but just another churnalism opportunity for the Microsoft-connected Black Duck, which is a proprietary parasite inside the FOSS community



  29. If EPO “Form of Thinking Were to be Followed, Guantanamo on German Soil Would be Possible.”

    The EPO is still under fire, but a lot of it happens behind the scenes and involves lawyers and/or bureaucrats



  30. Links 28/4/2016: Tomb Raider for GNU/Linux, Proxmox VE 4.2

    Links for the day


CoPilotCo

RSS 64x64RSS Feed: subscribe to the RSS feed for regular updates

Home iconSite Wiki: You can improve this site by helping the extension of the site's content

Home iconSite Home: Background about the site and some key features in the front page

Chat iconIRC Channel: Come and chat with us in real time

CoPilotCo

Recent Posts