EditorsAbout the SiteComes vs. MicrosoftUsing This Web SiteSite ArchivesCredibility IndexOOXMLOpenDocumentPatentsNovellNews DigestSite NewsRSS

01.22.10

Microsoft Security Negligence Confirmed: Critical Internet Explorer Flaw Known and Ignored for 4 Months

Posted in Deception, Microsoft, Security, Windows at 4:12 pm by Dr. Roy Schestowitz

Summary: The newest facts show that Microsoft knowingly refused to fix flaws that led to tremendous damage; lies from Microsoft (about its competition) are refuted as well

IN MANY RECENT posts about Internet Explorer [1, 2, 3, 4, 5, 6, 7, 8], we have pointed out Microsoft’s pattern of negligence [1, 2, 3], which always passes costs (damages) to the public. Microsoft should probably be sued for it, rather than make money from it. Microsoft — like Goldman Sachs — is making a lot of money out of a crisis caused by its own risk-taking.

Here are some self-explanatory news headlines:

Microsoft lies to your face about browser security

Microsoft’s Head of Security and Privacy in the UK has told TechRadar that people who jump ship from Internet Explorer after the recent spate of bad headlines risk ending up on a less secure browser. With France and Germany both advising a move away from Internet Explorer, things are far from rosy for Microsoft’s browser [...yet] Microsoft’s UK security chief Cliff Evans insists that a non-Microsoft browser is the worse option. “The net effect of switching [from IE] is that you will end up on less secure browser,” insisted Evans. “The risk [over this specific] exploit is minimal compared to Firefox or other competing browsers… you will be opening yourself up to security issues.

Let’s fight FUD with facts…

Vulnerability Report: Mozilla Firefox 3.5.x
Unpatched: 0

Vulnerability Report: Google Chrome 3.x
Unpatched: 0

Vulnerability Report: Opera 10.x
Unpatched: 0

Vulnerability Report: Apple Safari 4.x
Unpatched: 0

Vulnerability Report: Microsoft Internet Explorer 6.x
Unpatched: 24
Most Critical Unpatched: Extremely critical

Vulnerability Report: Microsoft Internet Explorer 7.x
Unpatched: 11
Most Critical Unpatched: Extremely critical

Vulnerability Report: Microsoft Internet Explorer 8.x
Unpatched: 4
Most Critical Unpatched: Extremely critical

My recommendation if you use Windows: make sure the version of IE that’s installed (because you can’t uninstall it!) is the latest/least vulnerable (IE8) and then install at least one of the non-IE browsers listed (personally I always recommend Firefox :) and then use THAT. Of course, you could always switch to a Mac or Linux…

Microsoft patches IE, admits it knew of bug last August

As Microsoft patched the Internet Explorer (IE) vulnerability that was used to break into Google’s network, it also acknowledged that it had known of the bug since August 2009, when an Israeli security company reported the flaw.

MS knew of Aurora exploit four months before Google attacks

Microsoft first knew of the bug used in the infamous Operation Aurora IE exploits as long ago as August, four months before the vulnerability was used in exploits against Google and other hi-tech firms in December, it has emerged.

Redmond’s security gnomes finally got around to patching the exploit on Thursday. the hack attacks against Google et al targeted IE 6, a browser first released in 2001. Exploits involved tricking users of vulnerable browsers into visiting booby-trapped websites. These sites downloaded the Hydraq backdoor Trojan and other malicious components onto compromised PCs.

[...]

A quick search of Secunia’s database, via its PSI patching tool, reveals a problem with an unpatched ActiveX control that looks just as bad, for example.

Emergency IE patch goes live as exploits proliferate

Microsoft released an emergency security update for all versions of Internet Explorer on Thursday as attacks exploiting a critical vulnerability in the widely used browser spread to hundreds of websites.

[...]

While some of the sites hosting the attacks were free services that had been co-opted, others appeared to be domains of legitimate companies that had been compromised.

[...]

In an admission that’s sure to spark criticism, Microsoft said it learned of the critical bug more than three months ago.

[...]

The unscheduled bulletin fixes a memory corruption flaw in most versions of the widely used browser that allows attackers to execute malicious code simply by luring victims to a booby-trapped website. It fixes seven other privately reported vulnerabilities, some of which also made remote code execution possible, that Microsoft had been planning to issue next month during its next regularly scheduled patch release.

[...]

Systems compromised by the sites reported by Symantec were infected with a backdoor that collected registry settings and other system information and sent it to an email address that was under the control of attackers. That email address has since been disabled, Talbot said.

Widespread Attacks Exploit Newly Patched IE Bug

The first widespread attack to leverage a recently patched flaw in Microsoft’s Internet Explorer browser has surfaced.

Starting late Wednesday, researchers at antivirus vendor Symantec’s Security Response group began spotting dozens of Web sites that contain the Internet Explorer attack, which works reliably on the IE 6 browser, running on Windows XP. The attack installs a Trojan horse program that is able to bypass some security products and then give hackers access to the system, said Joshua Talbot, a security intelligence manager with Symantec.

Once it has infected a PC, the Trojan sends a notification e-mail to the attackers, using a U.S.-based, free e-mail service that Symantec declined to name.

Make the right browser update: Firefox 3.6

Neolithic Windows security hole alive and well in Windows 7

One of the reasons I’ve never liked Windows is that it was never made to deal with the security problems of working in a networked, multi-user world. As a direct result, Windows has been fundamentally insecure for more than a decade. Even so, I was surprised to find that there’s a 17-year old security hole that’s been in Windows since NT and it’s still present today in Windows 7.

Wow. Even I’m shocked by this latest example of just how rotten Windows security is. It just reminds me again though that while Microsoft keeps adding features and attempting to patch its way out of security problems to Windows, Windows’ foundation is built on sand and not on the stone of good, solid design.

[...]

Be that as it may, the code’s still in there. An attacker can trigger the vulnerability through a variety of means. The end-result is, surprise, another Windows machine that’s totally owned by the attacker. Once in charge, they can vacuum down your files, install malware, and all the other usual tricks.

Vista 7 was never secure to begin with. See the examples below.

  1. Cybercrime Rises and Vista 7 is Already Open to Hijackers
  2. Vista 7: Broken Apart Before Arrival
  3. Department of Homeland Security ‘Poisoned’ by Microsoft; Vista 7 is Open to Hijackers Again
  4. Vista 7 Security “Cannot be Fixed. It’s a Design Problem.”
  5. Why Vista 7 Could be the Least Secure Operating System Ever
  6. Journalists Suggest Banning Windows, Maybe Suing Microsoft Over DDoS Attacks
  7. Vista 7 Vulnerable to Latest “Critical” Flaws
  8. Vista 7 Seemingly Affected by Several More “Critical” Flaws This Month
  9. Reason #1 to Avoid Vista 7: Insecurity
  10. Vista 7 Left Hijackable Again (Almost a Monthly Recurrence)
Share in other sites/networks: These icons link to social bookmarking sites where readers can share and discover new web pages.
  • Reddit
  • email
  • Slashdot

If you liked this post, consider subscribing to the RSS feed or join us now at the IRC channels.

Pages that cross-reference this one

A Single Comment

  1. uberVU - social comments said,

    January 22, 2010 at 9:26 pm

    Social comments and analytics for this post…

    This post was mentioned on Twitter by schestowitz: Critical Internet Explorer Flaw Known and Ignored for 4 Months http://boycottnovell.com/2010/01/22/refusing-to-fix-ie-flaws/

What Else is New


  1. Links 7/8/2020: Ubuntu 20.04.1 LTS and GNU C Library 2.32 Released

    Links for the day



  2. IRC Proceedings: Thursday, August 06, 2020

    IRC logs for Thursday, August 06, 2020



  3. Our Collective Privacy is Under Unprecedented Attacks and Privacy is Now Conflated With Bad Hygiene, Not Just Criminality

    At warp speed the "War on cash" or "War on anonymous transactions" is moving ahead; now that COVID-19 infects a lot of people we're led to assume that mass surveillance saves lives not because of counter-terrorism but because of contact-tracing or whatever (in practice it's hardly effective, but it's conditioning people to give up any remnants of their privacy)



  4. The Psychology of Developers

    "It turns out, there are ways around a free license -- you can make software "less free" or more imposing, without changing the license at all."



  5. Social Justice is Fine... When It is Not Just a Shallow Marketing Ploy

    Don't let well-meaning concepts such as "Social Justice" become mere buzzwords or tools of corporate propaganda (greedy people's objectives disguised as populism)



  6. Site Upgrades Likely Coming Soon

    After more than 28,000 posts are published it might be time to move from the WordPress x.9.x LTS to something newer (5.5 is about to be released); we explain why it’s not as simple as it might first seem



  7. Focus on the Big Issues, Not the Words

    The pattern that is emerging in recent months if not years is that words hurt and therefore contributors to code must shut up about injustices, including corporate misbehaviour



  8. Computing vs. Marketing

    “The important lesson here is that Windows is NOT a computer — it is actually a horrible thing that people DO to a computer, and to themselves.”



  9. Release: Several Police Reports About Searching the Home of Bill Gates' Engineer (Stockpiles of Child Pornography Found Along With Illegal Firearm)

    The final part of the first installment from Seattle PD, this one focusing on people who searched the home to find a lot of underage pornographic material being amassed



  10. Video: Microsoft-Sponsored 'Copyleft' Conf (Keynote Sold to Microsoft, a Serial GPL Violator and Primary FUD Source) Features Previous FSF (Co)President and RMS Ouster

    There's now a video online of the debates in CopyleftConf 2020



  11. Miseducation

    "...the real crime (OLPC founder Nicholas Negropontes word for it) is that schools aren't teaching computers at all -- they're doing application training."



  12. [Meme] RMS Succeeded by a Microsoft Sponsor

    Congratulations to the FSF, which elected a president almost a year after pushing RMS (its founder) out; but questions need to be answered by the new president, who apparently sees nothing wrong reinforcing the Microsoft monopoly, participating in a PR ploy designed to distract from the notorious ICE contract, and even paying Microsoft (as if it deserves the money)



  13. Controlling Your Computing

    "We at least want our software to be free, and for a while, that was possible. We want software to be free again, so let's talk about what made it free, what made it less free, and what could hopefully improve in the future."



  14. User Libre: Free Computing For Everyone, Start With Perfection

    "As the threats to user freedom evolve, so too must the response to those threats. So long as freedom remains the first priority, worthwhile responses will give more power to every user, and keep limits on how much control can be imposed by developers."



  15. IRC Proceedings: Wednesday, August 05, 2020

    IRC logs for Wednesday, August 05, 2020



  16. Release: Search Warrant and Reports on Findings When Bill Gates' Engineer Arrested for Pedophilia

    Readers can finally see all the details about what was taken (portable drives, laptop, desktop etc.) and what was found when a search was executed at the home of Bill Gates' engineer while he was at Bill's house (where he worked regularly); as far as we are aware, the police never searched Bill's house and computers



  17. Links 6/8/2020: FSF Has New Chief, LibreOffice 7.0, Linux App Summit Goes Online

    Links for the day



  18. Links 5/8/2020: Wayfire 0.5 and Plasma Browser Integration

    Links for the day



  19. IRC Proceedings: Tuesday, August 04, 2020

    IRC logs for Tuesday, August 04, 2020



  20. SUSE is Still Pushing Microsoft Proprietary Software and Bragging About the Novell Patent Collusion With Microsoft

    SUSE seems to have learned no lessons after the aftermath of its (or Novell’s) Microsoft patent scam, which had been negotiated partly by Miguel de Icaza (now working directly for Microsoft) before causing Novell to collapse and offload its patents to Microsoft (‘TikTok operandi’ or asset stripping); the past cannot be left behind if SUSE — like Novell — celebrates and perpetuates that past



  21. Release: 29 Pages of Internet Access Report About Pedophile Working for Bill Gates at His Home

    As we’ve found nothing too sensitive in the document, today we’re finally disclosing and publishing the second release (first one published yesterday); this includes network addresses used on the devices of the engineer of Bill Gates, who had a laptop and external hard drives (portable) with plenty of child pornography (imagery and videos)



  22. Links 4/8/2020: Kodachi 7.2, Collabora Office 6.4

    Links for the day



  23. [Meme] Nadella is Doing With Donald Trump What Ballmer Did With Elop and Icahn to Steal Other Companies (Nokia and Yahoo, Respectively)

    The illegal (attempted) confiscation of a Chinese company to distract from or compensate for Microsoft's collapse reminds us that Microsoft is only getting worse and more malicious under Nadella, who is happy to liaise with a hugely corrupt and racist regime



  24. We Don't Really Know How Many People Died With (or From) COVID-19 and How Many Will Die After Home Recovery or Release From Hospital

    The coronavirus pandemic that began last year as an epidemic (COVID-19) is still a very serious problem, even half a year after its widespread arrival in Europe; it's important to emphasise the importance of not down-playing this problem (which is far from solved) because social control media is full of junk



  25. IRC Proceedings: Monday, August 03, 2020

    IRC logs for Monday, August 03, 2020



  26. Release: Police Report About Arrest of Bill Gates Engineer for Pedophilia (Detained at Residence of Bill Gates)

    Today we release 15 pages (amongst almost 3,000 pages we have) about the Jones arrest; this includes details about what happened when the detectives came to the home of Bill Gates



  27. Bill Gates' Personal Engineer Rick Jones is Connected to Other Child Pornographers. One Key Contact Works (or Worked) Indirectly for Microsoft.

    MagicHour listed Microsoft among their clients, as we noted before, and the full (redacted for child porn reasons) name is Brett Paine. We had reached out to the employer (several of us, separately), but we never received any reply.



  28. Links 3/8/2020: Linux 5.8, GNU Linux-libre 5.8, Libinput 1.16, Rust 1.45.2, Julia 1.5

    Links for the day



  29. IRC Proceedings: Sunday, August 02, 2020

    IRC logs for Sunday, August 02, 2020



  30. [Meme] Is It Not a Layoffs Round When You Rebrand It?

    More and more Microsoft layoffs; but the media is hardly interested in reporting those and/or analysing the growing scale of the layoffs (about half a dozen rounds of layoffs this summer alone)


RSS 64x64RSS Feed: subscribe to the RSS feed for regular updates

Home iconSite Wiki: You can improve this site by helping the extension of the site's content

Home iconSite Home: Background about the site and some key features in the front page

Chat iconIRC Channel: Come and chat with us in real time

Recent Posts