Conficker is Alive, Windows Vista is Critically Vulnerable and Microsoft Office Likewise

Dr. Roy Schestowitz

2009-03-08 15:01:14 UTC
Modified: 2009-03-08 15:01:14 UTC

Magaphone
Patchy Tuesdays always get you down

Summary: New evidence for the lingering pattern of vulnerability, arrogance, and lack of responsibility at Microsoft

Conficker has been a colossal PR problem for Microsoft and security headache to its customers. For the uninitiated, here are some previous posts that we wrote about Conficker:

Microsoft would rather pretend that Conficker is history, but it's far from history. In fact, new variants of it are now appearing and Symantec has issued warnings. For the latest details, see:

i. Conficker Worm Strikes Back With New Variant

The Conficker/Downadup worm managed to slither onto millions of PCs worldwide at its height, but after it initially infected a computer it only really acted to spread itself, and didn't cause further harm. Until now.

Symantec reports today that it has found a new variant of the virulent worm that will identify antivirus software or security analysis tools running on the infected PC, and attempt to shut down those programs. This is a strong signal that the worm's mysterious creators haven't abandoned their creation in the face of worldwide attention, as some in the industry have theorized, but may still have plans to make a buck off their work.

ii. Conficker gets upgraded with defenses

Researchers at Symantec have discovered what could be a significant development in the ongoing Conficker worm saga: a new module that is being pushed out to some infected systems.

In a couple of ways, the new component is designed to harden infected machines against an industry consortium that is actively trying to contain the prolific worm. For one, the update targets antivirus software and security analysis tools to prevent them from removing the malware. Not only does it try to disable anti-malware titles, it also goes after programs such as Wireshark and regmon.

It gets worse. The illusion that Windows Vista can be secured is long dead, so no update or upgrade can redeem the user from becoming a zombie (even Vista 7 is open to hijackers [1, 2, 3], long before release). It's the same old routine now that Windows Vista is discovered to be suffering from another "critical" flaw (or set thereof) which has not been patched yet.

March's Patch Tuesday will see yet another critical fix for Microsoft's flagship operating systems.

Users of Microsoft Office will be left vulnerable for at least another month:

Vole said that it will not be fixing a critical Excel vulnerability, which allows attackers to launch malicious code remotely on users' computers via an infected Excel spreadsheet file.

From IDG:

Microsoft Corp. today said it will deliver three security updates on Tuesday, one of them ranked as "critical," but will not fix an Excel flaw that attackers are now exploiting.

All three updates spelled out in today's notice will tackle vulnerabilities in Windows, but as is its practice, Microsoft did not drill any deeper than to specify which versions will be affected.

As usual, Microsoft is hiding the real scale and the real number of vulnerabilities. InformationWeek wrote about this also. ⬆

"Our products just aren't engineered for security."

--Brian Valentine, top Windows executive

"It is no exaggeration to say that the national security is also implicated by the efforts of hackers to break into computing networks. Computers, including many running Windows operating systems, are used throughout the United States Department of Defense and by the armed forces of the United States in Afghanistan and elsewhere."

--Jim Allchin, top Windows executive

Comments

Jose_X

2009-03-08 16:41:20

"Not engineered for security" is why you have a zillion variants of bugs around. Do they "patch" one hole by moving it around to a different hiding place?

I'm guessing their situation is horrible, but can you actually patch Windows against all the bugs at once, or will the different patches undue work done in other patches as these holes are moved around?

[I think the answer is that the above is true for some holes but not all. When you don't engineer for security, you have to crudely keep redefining names and numbers to keep the malware guessing.]
pcolon

2009-03-08 21:44:15

@Jose_X: It's sounds like the old "Whack-a-mole" game.
David Gerard

2009-03-08 22:12:07

The Iceland MCP story has three Slashdot firehose links - 1, 2, 3 - please vote up!
Needs Sunlight

2009-03-09 09:35:19

One word: racketeering

http://www.law.cornell.edu/uscode/html/uscode18/usc_sup_01_18_10_I_20_96.html
Dave

2009-03-09 13:01:58

Wow, unbeleivable what an idiot you are Roy. You can't even read the simplest of security advisories.

The vunerability used by Conficker is NOT a critical vunerability for Vista. It is only critical for windows XP !!!!

This blog is really a disgrace full of disinformation and lies !!!
Dave

2009-03-09 13:03:03

And not to mention of course that the vunerability used by the Conficker worm has already been patched last year.
Roy Schestowitz

2009-03-09 13:07:50

The dunce here is you, Dave.

If you had read this post carefully, then you would realise that you are mixing together two completely isolated parts of it (Vista vulnerability and Conficker).
David Gerard

2009-03-09 13:08:18

A patch was released, but unfortunately people don't trust Microsoft patches any more because they accidentally break things way too often. (Not to mention deliberately sabotaging people's machines with Windows Genuine Advantage and suchlike.)

So people actually have to go through and check the machines. I had to do this at work (we have some Windows boxes for proprietary software that's a required part of our production chain; we're not happy about this). Ridiculously tedious.

Furthermore, the patch last year only patches the Internet transmission vector for Conficker - it doesn't actually disable the memory stick or CD vector (the autoplay problem).

[And may I say also how much autoplay sucks. I have a 500GB drive full of ripped CDs in FLAC - I plug it into a Windows XP box and it pauses for a minute while it tries to work out how to autoplay the thing. WHAT.]
Caitlin

2009-04-01 04:53:01

Quite honestly, I thought it was some kind of scam for a cruel April Fools joke, but when I saw that it said in I believe, a CNN article "IF YOU RECEIVED AN UPDATE FROM MICROSOFT FOR SECURITY UPDATES, YOU SHOULD BE FINE"

I immediately checked my Windows Update, and Lo and behold, the update was there.

NOT INSTALLED.

It's now installing at 55% complete.
jocaferro

2009-04-02 01:44:17

ooopppss, sorry "2000, XP, 2003 Server, Vista." - and 2008 Server too!
Roy Schestowitz

2009-04-02 01:46:16

Patches arrive when attacks commence.
jocaferro

2009-04-02 01:42:24

March patch - MS09-006: “This security update resolves several privately reported vulnerabilities in the Windows kernel. The most serious vulnerability could allow remote code execution if a user viewed a specially crafted EMF or WMF image file from an affected system.”

Yes, several (privately) vulnerabilities. Where? Windows kernel! 2000, XP, 2003 Server, Vista. An unpatched Windows computer is a serious problem since the moment everyone knows about it. In the MS/Windows world this situation can take months even years until all computers become patched! How long MS (privately) know about this problem? Or, how long MS (privately) know about many problems without caring for a patch?
Clump

2009-04-01 22:08:25

If your computer is and has been set to automatically update then your computer itself is OK. Then you only have to worry about the systems out there holding your personal information!

You'd think only a small percent of people wouldn't have this patch already, but it seems about 30% of Windows users haven't patched. North Americans will weather it better than Asians as most North American systems are patched while the big numbers of no-patch are in Asia, S. America etc.

David Gerard

2009-04-01 22:15:47

Problem: Microsoft sends through too many patches that either (a) accidentally break things or (b) deliberately break things (WGA, which they just tried sending through again recently).

So people just don't trust Microsoft patches.

Yggdrasil

2009-04-02 03:23:48

No, that is an overblown fear that some people have, but like many fears it's irrational. Given the enormous number of Windows machines in place, problems due to updates are relatively small, though no software is perfect.

I specifically remember trying to update a Ubuntu distro to 8.10. After it finished the machine rebooted, only to halt on the next boot complaining that it could not locate some file. Had I been using this machine for anything important, I would have been royally screwed. Updates "can" break installs or software on ANY OS. That's the nature of computer software. Problems with Windows will always seem worse since there are more Windows machines in use.

Try upgrading your Amiga 500 to OS 3.1, which includes having to replace a ROM chip, then find out your favorite game won't work. Computers are complex machines. To assume you will never have problems using some other OS or hardware platform is purely delusional.

For the record, in 12 years of using Windows machines, I have never had any update or security patch cause any serious problems. That includes the machines owned by my parents and sister. At the very worst, I might have had to update an older piece of software for some odd reason, but again.... that's normal.

David Gerard

2009-04-02 13:00:13

However, Microsoft really does deliberately send through patches designed to disable machines. At least when Ubuntu fucks up (and as an Ubuntu user, I am entirely too aware of how good they are at this) it's not with deliberate malicious intent.

Roy Schestowitz

2009-04-01 22:16:27

People conveniently forget sometimes that this serious flaw was not supposed to exist in the first place.

Gentoo User

2009-04-01 23:46:03

This wasn't suppose to exist, either. But it does.

"Today's [Red Hat] is run by a cabal of vultures.": it seems safe to assume Red Hat too will languish away
Microsoft Layoffs in 2026 Can be Bigger Than 2025 Microsoft Layoffs (30,000+ Workers Laid Off): "Is there going to be any reorg or Microsoft layoffs?"
The Free Software Foundation (FSF) Represents People, Not Corporations: FSF isn't in the "business" of appeasing oligarchs
IBM: We Can't Make 'AI' (Voice Recognition) Do the Work of a McDonald's Teenager, So Let's Try the Same on Saudi Planes: IBM is lost. It's truly lost.
Links 22/12/2025: Data Breaches, deterioration in Politics, and Geminispace: Links for the day
Links 22/12/2025: North Korean Applicants Target GAFAM (Amazon), ‘Orwellian Climate of Fear’ of CPC (Even Outside China): Links for the day
More IBM Layoffs in India: It's not as simple as "laid off to be replaced by an Indian"
GAFAM Deeply Connected to Jeffrey Epstein, Richard Stallman (RMS) in No Way Connected to Jeffrey Epstein: people who hoarded all the capital get to decide what people think and say
Linus Torvalds Has a Birthday This Coming Weekend, Thankfully He Still Controls His Main Project: GNU and Linux should remain under their control as long as they live
Mozilla is Getting Attention for All the Wrong Reasons, Take a Look at LibreWolf: Just last week Mozilla added a new top-level manager who (as usual) came from a "tech giant"
When Conformism Means Capitulation and Defeat: In an age of injustices like these, we all have some kind of moral obligation not to be conformist.
Text is Still King: But the so-called 'industry' insists that we should download 10 MB of objects from multiple domains... even just to read 5-10 paragraphs of text
Links 22/12/2025: Facebook "Testing $14.99 Monthly Subscription Fee to Post Links" and "Middle East Petrostates as American Media Owners": Links for the day
Beyond the World Wide Web (WWW): We continue to treat Gemini Protocol as a first-class citizen
Serbia: GNU/Linux Rises, Windows Down to All-Time Lows: According to statCounter
"Wrestling With Pigs": "Never wrestle with a pig. You both get dirty, and the pig likes it."
Productive Year and Better Access to Techrights' Archives Going Back to 2006: we've long needed and wanted native, local, independent search facilities
Linux Abandoned by Linux Foundation: It speaks for Microsoft and for so-called 'AI' companies
Microsoft Has Practically Given Up on XBox Already: Expect many XBox related layoffs when 2026 starts (Q1)
Over at Tux Machines...: GNU/Linux news for the past day
IRC Proceedings: Sunday, December 21, 2025: IRC logs for Sunday, December 21, 2025
Gemini Links 21/12/2025: Solstice, Chaos of CSS, and Program Interpreter Fun: Links for the day
Why?: Why write articles?
Microsoft-Connected Publisher Spinning XBox's Death Spiral (It's Dying Fast) as a Strength and Something Deliberate: "Microsoft’s big gaming pivot"
Slop is Rare by Now: A year ago slop was so abundant that we did a whole series about it, and it was daily
Links 21/12/2025: U.S. Strikes in Syria, "Epstein Files Photos Disappear From Government Website": Links for the day
Gemini Links 21/12/2025: Labrador Retriever of Lagrange's Developer Dies From Cancer, Political Philosophy, and "Getting to Inbox Zero": Links for the day
Microsoft is Becoming Irrelevant: The Case of Georgia: Not Georgia Tech
Sirius Open Source is Now Imminently Dead (Struck Off): compulsory strike-off
Dr. Richard Stallman, Invited by LibreTech Collective, is Giving a Public Talk in Georgia Tech Next Month (Scheller College of Business): They can probably squeeze about 400 people into this room
25 Years of Activism for GNU/Linux: My passion for GNU/Linux brought a lot of contentment
Africa, Where Microsoft Used De Facto Slaves to Pretend to be "AI", Chatbots Usage is 0.2% of Measured Online Traffic: Judging by recent trends in Africa, many "Windows PCs" are being converted into GNU/Linux computers
New Drone Footage Shows IBM is Dead (Parts of It): The people who participated in IBM when IBM actually mattered probably have boasting rights, unlike people who work for IBM today
Michael Larabel Adds Slop Category to Phoronix, Quickly Realises That It's Worthless: Phoronix nowadays gets carried away; it made a new category to talk about slop and it decided to call it "intelligence" with some caricature of a brain (that's misleading)Phoronix nowadays gets carried away; it made a new category to talk about slop and it decided to call it "intelligence" with some caricature of a brain (that's misleading)
After 35 Years the World Wide Web, HTML, and HTTP Are Proprietary: HTTP/2 added a lot of complexity (it's just a Google protocol, based on SPDY originally), many image formats are proprietary and patented, HTML got 'replaced' by Java-Scripts [sic], and many URLs (the URL system was created in the early 90s) are just long strings for proprietary 'webapps'
The General Public License (GPL) Inspired the Web's Original Openness/Freedom, According to Tim Berners-Lee: "During the preceding year I had been trying to get CERN to release the intellectual property rights to the Web code under the General Public License (GPL) so that others could use it."
Over at Tux Machines...: GNU/Linux news for the past day
IRC Proceedings: Saturday, December 20, 2025: IRC logs for Saturday, December 20, 2025
The Register MS Has Lowered Its Standards Considerably: Incidentally, we've only just noticed that "US editor for The Register since July 2025" has not been active for 4 weeks already
Scamfarms, Spamfarms, and Slopfarms in "Linux" Clothing: Today, Linux searches in Google News produced no slop at all. That's an improvement.
Did Bill Gates Lobby to Blur the Face of the Young Woman He Openly Braces (and Who Isn't His Wife)?: "This photo of of Microsoft co-founder Bill Gates with a woman whose face is blurred out is just one of 68 more photos and documents released today."
Links 20/12/2025: Microsoft Ruins Televisions, 'Epstein Files' Deeply Sanitised (to Protect Particular Culprits): Links for the day
Gemini Links 20/12/2025: Merry Christmas 2025 and Running a Factorio Headless Server on FreeBSD with the Linuxulato: Links for the day
With 10 Days Left, the Free Software Foundation (FSF) Has Already Raised Close to $300,000 This Winter: they're besieged by despicable corporations and very despicable people
The Real Problem With Rust is Not "Wokeness" (It Never Was): Don't feed the trolls who attack "Rust People" on political grounds
2025 in Numbers: What was very good about this year is that we truly got "into the rhythm" of publishing
More Microsoft Layoffs Coming Soon: When I spoke about Microsoft layoffs (routinely) I got very viciously attacked by Microsoft boosters
My Humble Assessment of the Future of Red Hat, A Company That IBM is Flushing Down the Loo: GNU/Linux will be OK without Red Hat, but shaping the future of it matters because we don't want companies like Valve (DRM) to set the agenda
Probably the Least Useful Gadgets, Ever: as if a "smart" thing worn on the wrist is the "new Rolex"
Former Manager at IBM Research (Yorktown) Says Why IBM is Doomed and the Anonymous Tipline (Speak Up) is a Trap: IBM isn't willing to change or to address internal issues
Links 20/12/2025: Fentanylware Becomes CheeTok and "Why Roomba Died": Links for the day
Linux Foundation: Richard Stallman Developed Only a Software Licence: We already criticised this report several times last night
Impulsive Writing, Quotas, and Keeping Things as Concise as Feasible: A 10-word sentence being read by a million people can have the same impact or magnitude (exposure-wise) as a million-word book being read by just 10 people
Gemini Links 20/12/2025: Christmas Songs, Storms, and Old Web: Links for the day
Coming to Grips With a Lack of Future at IBM: Red Hat's future doesn't look bright under the auspices as they seem right now
Over at Tux Machines...: GNU/Linux news for the past day
IRC Proceedings: Friday, December 19, 2025: IRC logs for Friday, December 19, 2025
Links 20/12/2025: Media Layoffs, a Third of Online Traffic is Bots: Links for the day

Conficker is Alive, Windows Vista is Critically Vulnerable and Microsoft Office Likewise

Comments

Recent Techrights' Posts