10.13.09
Gemini version available ♊︎Vista 7 Gets Royal (Patch) Treatment, Windows XP in Court for “Spyware” Behaviour
Summary: Many security issues in Vista 7, Windows XP has Microsoft sued for behaving like malicious software
SEVERAL days ago we wrote about Vista 7 being left insecure. Given all that has happened in the past year (c.f. links at the bottom), this should not be surprising and SJVN has just written a short article claiming that Vista 7 suffers from “unimproved security”.
When it comes to security and Windows 7, it’s just more of the same old, same old.
This point really came home to me when I was looking over all the patches that Microsoft will delivering tomorrow in what may be the largest Patch Tuesday ever. Microsoft “will ship a total of 13 updates next week, eight of them pegged “critical,” the highest threat ranking in its four-step scoring system, beating the previous record of 12 updates shipped in February 2007 and again in October 2008.”Of these 13, five are for Windows 7.
That’s Tuesday, that’s today.
Microsoft claims 5 patches for Vista 7, but as experience suggests, Microsoft lies about these numbers. It is not obliged to adhere to the same reporting standards as Free software.
Many people will continue using Windows XP when 7 comes out, but XP is permanently insecure since Microsoft refuses to patch it. And to make matters worse, based on this report, Microsoft is still stuck in court having been sued for XP being spyware, which it is (for more than one reason).
The plaintiffs allege that Microsoft improperly distributed the Windows Genuine Advantage tool, without proper consent from users, in a manner normally reserved for “high priority” security updates. WGA, as it’s known, tests to see if a copy of Windows is valid and delivers warnings if it doesn’t pass. Microsoft’s Automatic Update system lets users opt in to receive fixes and patches for the operating system.
That’s a lie or an embellishment at the very least. Microsoft overrides those settings. Even if the user requests that updates shall not be pushed through, Windows settings are totally ignored. Users have shown this for years. █
On Vista 7 security problems:
- Cybercrime Rises and Vista 7 is Already Open to Hijackers
- Vista 7: Broken Apart Before Arrival
- Department of Homeland Security ‘Poisoned’ by Microsoft; Vista 7 is Open to Hijackers Again
- Vista 7 Security “Cannot be Fixed. It’s a Design Problem.”
- Why Vista 7 Could be the Least Secure Operating System Ever
- Journalists Suggest Banning Windows, Maybe Suing Microsoft Over DDoS Attacks
- Vista 7 Vulnerable to Latest “Critical” Flaws
- Vista 7 Seemingly Affected by Several More “Critical” Flaws This Month
- Reason #1 to Avoid Vista 7: Insecurity
Yuhong Bao said,
October 13, 2009 at 1:56 pm
“Microsoft claims 5 patches for Vista 7, but as experience suggests, Microsoft lies about these numbers. It is not obliged to adhere to the same reporting standards as Free software.”
Yep, it is not as simple as comparing numbers.
“Many people will continue using Windows XP when 7 comes out, but XP is permanently insecure since Microsoft refuses to patch it.”
Not completely, you should see my comments on the linked article, which talks about this in more detail.
Roy Schestowitz Reply:
October 13th, 2009 at 2:10 pm
Disablement is not a fix though.
Yuhong Bao Reply:
October 13th, 2009 at 4:17 pm
Of course not, even MS claimed that it was only a workaround. MS released the fix for this SMB2 flaw today, and it is MS09-050. I was mostly commenting on the lack of XP and 2000 patches for MS09-048, saying it is that it is only this particular patch that don’t have a version for Win2000 or WinXP. MS has not in general stopped patching Win2000 or WinXP and will not until the extended support ends.
Roy Schestowitz Reply:
October 13th, 2009 at 4:24 pm
Patching does not equate to quality patching. The half-hearted maintenance is causing trouble to all of us who share the Internet (systemic cost).
Yuhong Bao Reply:
October 13th, 2009 at 5:06 pm
Note in this particular case however that the vulnerablities MS is not patching are only DoS vulnerablities that in theory only affects the machine attacked. There is a Remote Code Execution vulnerablity in the bulletin, but it only affects Vista and Server 2008, not XP or Server 2003. If you want more info, you should read the bulletin:
http://www.microsoft.com/technet/security/Bulletin/ms09-048.mspx