11.02.09


Microsoft Breaks the Law by Not Patching Windows as Per the Agreement

Posted in Law, Microsoft, Security, Windows at 4:35 am by Dr. Roy Schestowitz


Summary: Microsoft’s legal obligations are hanging in the balance while Windows 2000 does not receive security patches

ABOUT a month ago we showed that Microsoft broke its contract with its customers by refusing to patch Windows XP. As it turns out, Microsoft is doing this with Windows 2000 as well.

Our reader Ryan, who is a former Microsoft MVP and an expert in this area, wrote in IRC: “You should drive home a point that you aren’t when talking about Conficker and its brethren. Windows 2000 will be TEN YEARS OLD on February 17, 2010, and still manages to get at least a dozen security patches a month, even now. It’s a good way to point out that no matter how many patches you install, there are always more vulnerabilities. Several thousand of them have been patched in Windows 2000 and it’s still regularly patched. You would think that the patch rate would have slowed down and the OS would have more or less settled by now, but it’s going to be patched from birth to abortion. You should also mention that companies won’t necessarily throw out Windows 2000 on their systems just because it’s out of support. From Wikipedia: ‘On 8 September 2009, Microsoft skipped patching two of the five security flaws that were addressed in the monthly security update, saying that patching one of the critical security flaws was “infeasible”. According to the Microsoft Security Bulletin MS09-048, “The architecture to properly support TCP/IP protection does not exist on Microsoft Windows 2000 systems, making it infeasible to build the fix for Microsoft Windows 2000 Service Pack 4 to eliminate the vulnerability. To do so would require rearchitecting a very significant amount of the Microsoft Windows 2000 Service Pack 4 operating system, [...] there would be no assurance that applications designed to run on Microsoft Windows 2000 Service Pack 4 would continue to operate on the updated system.”’ Windows 2000 not only shares all the vulnerabilities in XP; Microsoft has started refusing to patch some while the damned thing is still supported (to try and force an upgrade). It’s not the first time that Microsoft has refused a security patch for operating systems still in support; they left some critical Windows 98 and Windows NT 4 vulnerabilities unpatched, with a year left on the support lifecycle.”

“Windows 2000 is supported until July of 2010, meaning that per their support agreement, every security patch should be delivered until then, so they’re violating their own support agreement, but insisting that you obey your obligations under their EULA. This is kind of like the times Microsoft was found violating their side of the privacy agreement in Windows Media Player 7 (they probably still do). In other words, Microsoft can flagrantly violate the hell out of their side of the agreement, but don’t you dare to step out of line or install Windows on two systems with one license.”

Fewa responds with: “Microsoft has always been an outlaw corporation. They only obey the laws that benefit them and disregard those that would dare limit their greed of monopoly. They even wish to impose those laws on others. It’s not just that; of course having the government totally hijacked for 6 years did not help. The democrats got a majority in 2006 (in the house).”

“8 years,” insists Ryan, “and I’d argue that they still do. Obama has packed the DOJ with more RIAA mafia types.” Here is a collection of references.

Ryan is not optimistic. “They’re one of the richest companies and have hundreds of lawyers,” he says. “You could sue them, in theory, but they could just stall forever.”

To summarise, writes Ryan: “What kind of confuses me is that according to Microsoft, breaking their EULA is ‘illegal’, but when they break their side of the agreement it’s OK as long as they can say ‘It would have been too much work to close that critical patch on Windows 2000.’ It would be like me saying ‘Well, I installed the same copy of Windows on ten computers ’cause it would have been too much of a strain on my finances to buy 9 more licenses’; same defense they’re trying: too much of a strain on limited resources, so it’s OK to break the agreement.”

In other news, Microsoft’s cryptography is broken again.

Microsoft releases fix for crypto patch

[...]

The ocsasnfix.exe (direct download) program is to fix the glitch both in the client and in the server. In a knowledgebase article, Microsoft describes how to run the program and what other actions may need to be taken.

Perhaps Microsoft could not just disable the features this time around [1, 2].

8 Comments

  1. Jose_X said,

    November 2, 2009 at 7:51 am


    >> Our reader Ryan, who is a former Microsoft MVP and an expert in this area, wrote in IRC: “…Windows 2000 will be TEN YEARS OLD on February 17, 2010, and still manages to get at least a dozen security patches a month, even now. It’s a good way to point out that no matter how many patches you install, there’s always more vulnerabilities… You would think that the patch rate would have slowed down and the OS would have more or less settled by now, but it’s going to be patched from birth to abortion….”

    http://boycottnovell.com/2009/03/08/conficker-alive-vista-office-flaws/#comment-60287

    > Do they “patch” one hole by moving it around to a different hiding place?

    Rather than _fix_ a vulnerability, I’d almost wager that they keep the holes around but re-hide them. This would allow the holes/backdoors to keep existing but hide their location so that unauthorized sources can’t exploit them (at least not until these get rediscovered).

    Or maybe Microsoft developers are simply sloppy repeatedly ad infinitum. All those smart people might be too wealthy to put in solid effort. We should help them regain their mojave by contributing less money to them.

    Really, perhaps it’s “too much work” to fix the vulnerabilities when a quick reshuffling would stop the current malware cold. The pressure is on to find fixes quickly. Who will know the difference anyway? Microsoft keeps the source code to themselves, and if the hole is rediscovered, it will simply appear as a new distinct vulnerability.

    Maturing software? What’s that?

    Alright, the hole shuffling might not be the norm. Who knows?

    Either way, it is a little scary to think what will happen when Microsoft’s profits aren’t large enough for their needs. What will become of your data on your PCs on their abandoned software?

    Will you get the locked proprietary data out of your systems before the virus and other malware completely decimate the host computers and everything on them?

    Will Microsoft promise to meet their contract security obligations when it’s no longer extremely profitable to do so? [I'm echoing the article]

    With Linux+FOSS [I have to mention this in case some readers don't know], there is a free upgrade path for life and the data is not locked. That’s at least two viable paths that can be taken no matter what (well, to an approximation since really old software source code is not looked at too much). Also, vulnerabilities (at least for important widely used software) usually aren’t simply moved around for convenience’s sake because those watching likely catch it right away and scream (or make the fixes themselves).

  2. Yuhong Bao said,

    November 2, 2009 at 11:03 am


    “It’s not the first time that Microsoft has refused a security patch for operating systems still in support, they left some critical Windows 98 and Windows NT 4 vulnerabilities unpatched, with a year left on the support lifecycle.”
    Yeah, I told you that what MS recently did to XP is not new.
    “Windows 2000 is supported until July of 2010, meaning that per their support agreement, every security patch should be delivered on until then, so they’re violating their own support agreement”
    See my comments to this article:
    http://boycottnovell.com/2009/09/21/windows-xp-security-eol/

  3. Yuhong Bao said,

    November 2, 2009 at 11:17 am


    “> Do they ‘patch’ one hole by moving it around to a different hiding place?
    Rather than _fix_ a vulnerability, I’d almost wager that they keep the holes around but re-hide them.”
    This is the closest thing to this happening that I can find:
    http://vx.netlux.org/lib/apf00.html
    http://pferrie.tripod.com/papers/ani.pdf
    Note however that the support lifecycle and the EULA are not the same agreement. The latter is for licensing, the former is for support of the same software.

  4. Yuhong Bao said,

    November 2, 2009 at 11:20 am


    I think a fair comparison is to look at how many security holes are still being discovered in, say, Linux 2.4 years after it was released.

    Roy Schestowitz Reply:

    But Linux is just a kernel and Microsoft hides/lumps together flaws (it got caught).

    Yuhong Bao Reply:

    “Microsoft hides/lumps together flaws (it got caught). ”
    Really? But even if not, it is certainly not as simple as comparing numbers.

    Roy Schestowitz Reply:

    Yes, that’s another issue, one of granularity.

  5. TheTruth said,

    November 3, 2009 at 1:23 am


    It’s so funny that you bright and ‘honest’ people do not know what a EULA IS !!!..

    It stands for END USER license agreement.

    That means it’s the agreement THE END USER enters into.

    If it was a “Software manufacturers license agreement” then you might (but probably not) have a case.

    But it’s an agreement the END USER enters into, not an agreement the software company signs onto.

    Microsoft is ___ NOT ___ repeat NOT the END USER..

    Go figure, that bright people or people who claim to “know” what’s going on would make such an error.

    But for BN it’s expected… almost compulsory to warp, bend or just plain out break the truth..

    Oh and Yes, I’m Mutex, and yes Roy we all know you don’t censor dissenters. But you do, and why ?? because you either don’t like, or cannot answer even simple questions in relation to you supporting your wild, and untrue “claims”.

    And what OS are you using Roy ?? Linux ?? how do you cope with using linux with all that Novell code in the kernel ???

    How do you sleep at night knowing that every second of every day you are running code written by NOVELL..

    Oh that’s right, you can pick and choose what you like in regards to your ’cause’.

    Sure it does not matter that a huge amount of the code you run all the time, was written by NOVELL.

    Why don’t you create your own distro, and strip out all the NOVELL code, and replace it with your own.

    Oh that’s right, you don’t code do you, in fact you don’t contribute to FOSS at all. You are hell bent on taking away linux and FOSS.

    That’s right, if all the NOVELL code on your computer suddenly went away, do you think it would still work…, I’ll tell you, IT WONT..

    But somehow you can both boycott NOVELL and use their product ALL THE TIME. but in your mind that is ok,,, right ??

    And why are you so very scared of me Roy, what is it that I do that makes you feel so uneasy, is it because I CHECK YOUR ‘FACTS’. and when I see that you are lying I TELL YOU..

    My bad, I should have guessed you don’t like to have people question your motives.

    How’s your PhD going ?? how many years ago did you finish it,, 2006?

    Gee Roy, it must be nice to mooch off Daddy and Mommy, and spend your life (waste your life) running your hate site.

    I see now you’ve also branched into politics, and anything else you don’t agree with, including racist remarks about the President of the USA…

    You do understand that it would be much easier for you to state what you DO like, as opposed to stating what you HATE… as the list would be much smaller.

    But go on using your NOVELL code, all day every day, that very code that is hosting this web site, is FROM NOVELL…

    So how is that boycotting them ?? it’s not..

    But trying to talk logically to you is impossible, apart from you running a 3 minute mile when I start to question you..

    It’s funny, (or sad) how you can pick and choose what you use and hate and how they can be both the same thing…

    Roy,,, get a job, stop being a leech on humanity, and do something !!!!.

    Oh,, that would be “WORK” and you don’t do that, BN is just too important for you to

    SUDO APT-GET A LIFE …
