EditorsAbout the SiteComes vs. MicrosoftUsing This Web SiteSite ArchivesCredibility IndexOOXMLOpenDocumentPatentsNovellNews DigestSite NewsRSS

01.22.10

Microsoft Security Negligence Confirmed: Critical Internet Explorer Flaw Known and Ignored for 4 Months

Posted in Deception, Microsoft, Security, Windows at 4:12 pm by Dr. Roy Schestowitz

Summary: The newest facts show that Microsoft knowingly refused to fix flaws that led to tremendous damage; lies from Microsoft (about its competition) are refuted as well

IN MANY RECENT posts about Internet Explorer [1, 2, 3, 4, 5, 6, 7, 8], we have pointed out Microsoft’s pattern of negligence [1, 2, 3], which always passes costs (damages) to the public. Microsoft should probably be sued for it, rather than make money from it. Microsoft — like Goldman Sachs — is making a lot of money out of a crisis caused by its own risk-taking.

Here are some self-explanatory news headlines:

Microsoft lies to your face about browser security

Microsoft’s Head of Security and Privacy in the UK has told TechRadar that people who jump ship from Internet Explorer after the recent spate of bad headlines risk ending up on a less secure browser. With France and Germany both advising a move away from Internet Explorer, things are far from rosy for Microsoft’s browser [...yet] Microsoft’s UK security chief Cliff Evans insists that a non-Microsoft browser is the worse option. “The net effect of switching [from IE] is that you will end up on less secure browser,” insisted Evans. “The risk [over this specific] exploit is minimal compared to Firefox or other competing browsers… you will be opening yourself up to security issues.

Let’s fight FUD with facts…

Vulnerability Report: Mozilla Firefox 3.5.x
Unpatched: 0

Vulnerability Report: Google Chrome 3.x
Unpatched: 0

Vulnerability Report: Opera 10.x
Unpatched: 0

Vulnerability Report: Apple Safari 4.x
Unpatched: 0

Vulnerability Report: Microsoft Internet Explorer 6.x
Unpatched: 24
Most Critical Unpatched: Extremely critical

Vulnerability Report: Microsoft Internet Explorer 7.x
Unpatched: 11
Most Critical Unpatched: Extremely critical

Vulnerability Report: Microsoft Internet Explorer 8.x
Unpatched: 4
Most Critical Unpatched: Extremely critical

My recommendation if you use Windows: make sure the version of IE that’s installed (because you can’t uninstall it!) is the latest/least vulnerable (IE8) and then install at least one of the non-IE browsers listed (personally I always recommend Firefox :) and then use THAT. Of course, you could always switch to a Mac or Linux…

Microsoft patches IE, admits it knew of bug last August

As Microsoft patched the Internet Explorer (IE) vulnerability that was used to break into Google’s network, it also acknowledged that it had known of the bug since August 2009, when an Israeli security company reported the flaw.

MS knew of Aurora exploit four months before Google attacks

Microsoft first knew of the bug used in the infamous Operation Aurora IE exploits as long ago as August, four months before the vulnerability was used in exploits against Google and other hi-tech firms in December, it has emerged.

Redmond’s security gnomes finally got around to patching the exploit on Thursday. the hack attacks against Google et al targeted IE 6, a browser first released in 2001. Exploits involved tricking users of vulnerable browsers into visiting booby-trapped websites. These sites downloaded the Hydraq backdoor Trojan and other malicious components onto compromised PCs.

[...]

A quick search of Secunia’s database, via its PSI patching tool, reveals a problem with an unpatched ActiveX control that looks just as bad, for example.

Emergency IE patch goes live as exploits proliferate

Microsoft released an emergency security update for all versions of Internet Explorer on Thursday as attacks exploiting a critical vulnerability in the widely used browser spread to hundreds of websites.

[...]

While some of the sites hosting the attacks were free services that had been co-opted, others appeared to be domains of legitimate companies that had been compromised.

[...]

In an admission that’s sure to spark criticism, Microsoft said it learned of the critical bug more than three months ago.

[...]

The unscheduled bulletin fixes a memory corruption flaw in most versions of the widely used browser that allows attackers to execute malicious code simply by luring victims to a booby-trapped website. It fixes seven other privately reported vulnerabilities, some of which also made remote code execution possible, that Microsoft had been planning to issue next month during its next regularly scheduled patch release.

[...]

Systems compromised by the sites reported by Symantec were infected with a backdoor that collected registry settings and other system information and sent it to an email address that was under the control of attackers. That email address has since been disabled, Talbot said.

Widespread Attacks Exploit Newly Patched IE Bug

The first widespread attack to leverage a recently patched flaw in Microsoft’s Internet Explorer browser has surfaced.

Starting late Wednesday, researchers at antivirus vendor Symantec’s Security Response group began spotting dozens of Web sites that contain the Internet Explorer attack, which works reliably on the IE 6 browser, running on Windows XP. The attack installs a Trojan horse program that is able to bypass some security products and then give hackers access to the system, said Joshua Talbot, a security intelligence manager with Symantec.

Once it has infected a PC, the Trojan sends a notification e-mail to the attackers, using a U.S.-based, free e-mail service that Symantec declined to name.

Make the right browser update: Firefox 3.6

Neolithic Windows security hole alive and well in Windows 7

One of the reasons I’ve never liked Windows is that it was never made to deal with the security problems of working in a networked, multi-user world. As a direct result, Windows has been fundamentally insecure for more than a decade. Even so, I was surprised to find that there’s a 17-year old security hole that’s been in Windows since NT and it’s still present today in Windows 7.

Wow. Even I’m shocked by this latest example of just how rotten Windows security is. It just reminds me again though that while Microsoft keeps adding features and attempting to patch its way out of security problems to Windows, Windows’ foundation is built on sand and not on the stone of good, solid design.

[...]

Be that as it may, the code’s still in there. An attacker can trigger the vulnerability through a variety of means. The end-result is, surprise, another Windows machine that’s totally owned by the attacker. Once in charge, they can vacuum down your files, install malware, and all the other usual tricks.

Vista 7 was never secure to begin with. See the examples below.

  1. Cybercrime Rises and Vista 7 is Already Open to Hijackers
  2. Vista 7: Broken Apart Before Arrival
  3. Department of Homeland Security ‘Poisoned’ by Microsoft; Vista 7 is Open to Hijackers Again
  4. Vista 7 Security “Cannot be Fixed. It’s a Design Problem.”
  5. Why Vista 7 Could be the Least Secure Operating System Ever
  6. Journalists Suggest Banning Windows, Maybe Suing Microsoft Over DDoS Attacks
  7. Vista 7 Vulnerable to Latest “Critical” Flaws
  8. Vista 7 Seemingly Affected by Several More “Critical” Flaws This Month
  9. Reason #1 to Avoid Vista 7: Insecurity
  10. Vista 7 Left Hijackable Again (Almost a Monthly Recurrence)
Share this post: These icons link to social bookmarking sites where readers can share and discover new web pages.
  • Digg
  • del.icio.us
  • Reddit
  • co.mments
  • DZone
  • email
  • Google Bookmarks
  • LinkedIn
  • NewsVine
  • Print
  • Technorati
  • TwitThis
  • Facebook

If you liked this post, consider subscribing to the RSS feed or join us now at the IRC channels.

Pages that cross-reference this one

A Single Comment

  1. uberVU - social comments said,

    January 22, 2010 at 9:26 pm

    Social comments and analytics for this post…

    This post was mentioned on Twitter by schestowitz: Critical Internet Explorer Flaw Known and Ignored for 4 Months http://boycottnovell.com/2010/01/22/refusing-to-fix-ie-flaws/

What Else is New


  1. TechBytes Episode 89: Chromebooks, Privacy, and Vista 10

    An episode which focuses on the rise of Chromebooks, serious issues pertaining to privacy, media bias, and the demise of Windows



  2. Links 2/9/2015: Chromebooks and Red Hat Enterprise Linux 7.2 Beta

    Links for the day



  3. Software Patent From Troll Called 'Rothschild Connected Devices Innovations' a Symptom of a Rotten Patent System

    Another example of patent trolls and software patents as gatekeepers and parasites, denying access to very trivial ideas or implementations



  4. When Even Patent Lawyers' Blogs Acknowledge the Rapid Demise of Software Patents

    Voices for patents are accepting the new order wherein software patents are hardly potent at all (and increasingly difficult to acquire)



  5. Calling Proprietary Software, Software Patents, Lock-in (Like OOXML) and DRM 'Open'

    What Microsoft et al. call 'Next-Generation Open Media Formats' are basically neither open nor acceptable (it's DRM) and what Microsoft apologists dub 'Open Source Tools' are just another example of a Microsoft Office openwashing Trojan horse



  6. Recycled Old News About Vista 10, Stressing That Not Only '10' is Spyware But All of Windows is

    How Microsoft propagandists are spinning Microsoft's gross and potentially illegal privacy violations as a reason to 'upgrade' to Vista 10



  7. Links 1/9/2015: Manjaro Linux 0.8.13, Netrunner 14.2 LTS

    Links for the day



  8. Patents Roundup: IAM's Claims About India, Lawyers' Patent Bias, ITC for Microsoft, and PTAB Against Kyle Bass

    Another weekly summary, focusing on issues that pertain to or affect Free software in particular



  9. Microsoft Crowd Rocks the Media With Misleading Claims and Deliberate Lies About GNU/Linux, Vista 10, and Free/Open Source Software

    A roundup of rigged press coverage, intended purely to serve Microsoft's agenda



  10. Links 31/8/2015: Linux 4.2, LXLE 14.04.3

    Links for the day



  11. IRC Proceedings: August 9th, 2015 – August 29th, 2015

    Many IRC logs



  12. “Conservative” Site Responds (Yet Again) to Misguided “Conservative” Efforts to Derail Patent Reform in the US

    Patent trolls throw stones in glass houses, contributing to their own unpopularity, but some influential “Conservatives” continue to defend (conserve) them



  13. Increase in Lobbying for Software Patents in Europe and Its Trojan Horse, the Unitary Patent (UPC)

    The relentless campaigns to bring software patents into Europe have not stopped and so-called 'unification' -- much like so-called 'trade' deals -- serves to support them



  14. Microsoft Technology Crashes Financial Markets, Again

    SunGard, which is a Microsoft shop, is clearly failing to provide what it calls mission-ciriticaal [sic] solutions



  15. Alice v. CLS Bank (Alice/§101) Comes to Squash Software Patents Even in Eastern District of Texas

    The crackdown on software patents is coming along nicely and the Alice case is now being utilised even in the capital of patent trolls



  16. Apple's Patent Cases Against Android Are Falling Apart, as Acknowledged Even by the Anti-Android Lobby





  17. Links 29/8/2015: NetworkManager 1.0.6, Systemd Merges “su” Command Replacement

    Links for the day



  18. Microsoft Loves Linux to Death and Still Tries to Kill GNU/Linux

    Microsoft's relentless attacks on GNU/Linux and Free software in general (even if it runs on Windows) are so evident that claims of 'love' remain laughable at best (if not infuriating)



  19. Censorship, Self-Censorship and Intimidation Now the Modus Operandi at EPO

    The European Patent Office has ceased even trying to pretend that it respects human rights, including the right to free speech



  20. Patent Practitioners: "The Unitary Patent Might be Able to Open the Floodgates for Software Patents in Europe"

    The EPO-backed Unitary Patent scheme threatens to bring software patents to Europe and along with them a lot of patent trolls from all around the world (especially the United States)



  21. Microsoft Lies About Vista 10 and Increases Microsoft Surveillance (Even Beyond Vista 10 and Into Android, Vista 7/8)

    Windows surveillance expands retroactively, making its way into platforms other than Windows and also expanding to predecessors of Vista 10



  22. Another Suicide at the EPO, Fifth by Our Count

    Yet another EPO member of staff has just committed suicide, leading to the inevitable question: how many people need to die before Battistelli and his minions are out of the Office for good?



  23. Links 27/8/2015: ownCloud Desktop Client 2.0, Red Hat Downgraded

    Links for the day



  24. Microsoft-connected Mesosphere Threatens to Eliminate Free Software in the Datacentre

    Hiding behind a misleading 'open' label while actually backed by Microsoft (and based on new rumours may join Microsoft), Mesosphere wishes to eradicate Free and back doors-free software in large datacentres hosting a lot of physical and virtual servers



  25. Microsoft Aggression Against GNU/Linux Amid Vista 10's Failure

    A look at the recent assault on GNU/Linux in Munich and the likely cause for this assault (in such a timely fashion, too)



  26. Message to LinuxCon Regarding Microsoft: “It is Necessary to Get Behind Someone in Order to Stab Them in the Back.” -Sir Humphrey Appleby

    Jim Zemlin, executive director of the Linux Foundation, helps Microsoft gain influence in the Foundation after payments are received



  27. Market Share Estimates Confirm That Vista 10 Failed in a Major Way

    Confirmatory evidence that Vista 10 is failing in the market about a month after its much-hyped (paid coverage) release



  28. When Microsoft, the Master of Patent Trolls, Complains About Trolls

    Possibly the world's biggest patent abuser and monopolist, which also creates many patent trolls (including by far the biggest one), takes on a far smaller abuser in Court



  29. Letter Signed by Two German Officials Becomes a Microsoft Weapon of Propaganda

    Microsoft and its minions refuse to leave Munich alone, even though the vast majority in Munich are perfectly happy with Free/libre software



  30. Links 25/8/2015: Linux Kernel 4.2 Final RC, KDE Ships Plasma 5.4.0

    Links for the day


CoPilotCo

RSS 64x64RSS Feed: subscribe to the RSS feed for regular updates

Home iconSite Wiki: You can improve this site by helping the extension of the site's content

Home iconSite Home: Background about the site and some key features in the front page

Chat iconIRC Channel: Come and chat with us in real time

CoPilotCo

Recent Posts