EditorsAbout the SiteComes vs. MicrosoftUsing This Web SiteSite ArchivesCredibility IndexOOXMLOpenDocumentPatentsNovellNews DigestSite NewsRSS

01.22.10

Microsoft Security Negligence Confirmed: Critical Internet Explorer Flaw Known and Ignored for 4 Months

Posted in Deception, Microsoft, Security, Windows at 4:12 pm by Dr. Roy Schestowitz

Summary: The newest facts show that Microsoft knowingly refused to fix flaws that led to tremendous damage; lies from Microsoft (about its competition) are refuted as well

IN MANY RECENT posts about Internet Explorer [1, 2, 3, 4, 5, 6, 7, 8], we have pointed out Microsoft’s pattern of negligence [1, 2, 3], which always passes costs (damages) to the public. Microsoft should probably be sued for it, rather than make money from it. Microsoft — like Goldman Sachs — is making a lot of money out of a crisis caused by its own risk-taking.

Here are some self-explanatory news headlines:

Microsoft lies to your face about browser security

Microsoft’s Head of Security and Privacy in the UK has told TechRadar that people who jump ship from Internet Explorer after the recent spate of bad headlines risk ending up on a less secure browser. With France and Germany both advising a move away from Internet Explorer, things are far from rosy for Microsoft’s browser [...yet] Microsoft’s UK security chief Cliff Evans insists that a non-Microsoft browser is the worse option. “The net effect of switching [from IE] is that you will end up on less secure browser,” insisted Evans. “The risk [over this specific] exploit is minimal compared to Firefox or other competing browsers… you will be opening yourself up to security issues.

Let’s fight FUD with facts…

Vulnerability Report: Mozilla Firefox 3.5.x
Unpatched: 0

Vulnerability Report: Google Chrome 3.x
Unpatched: 0

Vulnerability Report: Opera 10.x
Unpatched: 0

Vulnerability Report: Apple Safari 4.x
Unpatched: 0

Vulnerability Report: Microsoft Internet Explorer 6.x
Unpatched: 24
Most Critical Unpatched: Extremely critical

Vulnerability Report: Microsoft Internet Explorer 7.x
Unpatched: 11
Most Critical Unpatched: Extremely critical

Vulnerability Report: Microsoft Internet Explorer 8.x
Unpatched: 4
Most Critical Unpatched: Extremely critical

My recommendation if you use Windows: make sure the version of IE that’s installed (because you can’t uninstall it!) is the latest/least vulnerable (IE8) and then install at least one of the non-IE browsers listed (personally I always recommend Firefox :) and then use THAT. Of course, you could always switch to a Mac or Linux…

Microsoft patches IE, admits it knew of bug last August

As Microsoft patched the Internet Explorer (IE) vulnerability that was used to break into Google’s network, it also acknowledged that it had known of the bug since August 2009, when an Israeli security company reported the flaw.

MS knew of Aurora exploit four months before Google attacks

Microsoft first knew of the bug used in the infamous Operation Aurora IE exploits as long ago as August, four months before the vulnerability was used in exploits against Google and other hi-tech firms in December, it has emerged.

Redmond’s security gnomes finally got around to patching the exploit on Thursday. the hack attacks against Google et al targeted IE 6, a browser first released in 2001. Exploits involved tricking users of vulnerable browsers into visiting booby-trapped websites. These sites downloaded the Hydraq backdoor Trojan and other malicious components onto compromised PCs.

[...]

A quick search of Secunia’s database, via its PSI patching tool, reveals a problem with an unpatched ActiveX control that looks just as bad, for example.

Emergency IE patch goes live as exploits proliferate

Microsoft released an emergency security update for all versions of Internet Explorer on Thursday as attacks exploiting a critical vulnerability in the widely used browser spread to hundreds of websites.

[...]

While some of the sites hosting the attacks were free services that had been co-opted, others appeared to be domains of legitimate companies that had been compromised.

[...]

In an admission that’s sure to spark criticism, Microsoft said it learned of the critical bug more than three months ago.

[...]

The unscheduled bulletin fixes a memory corruption flaw in most versions of the widely used browser that allows attackers to execute malicious code simply by luring victims to a booby-trapped website. It fixes seven other privately reported vulnerabilities, some of which also made remote code execution possible, that Microsoft had been planning to issue next month during its next regularly scheduled patch release.

[...]

Systems compromised by the sites reported by Symantec were infected with a backdoor that collected registry settings and other system information and sent it to an email address that was under the control of attackers. That email address has since been disabled, Talbot said.

Widespread Attacks Exploit Newly Patched IE Bug

The first widespread attack to leverage a recently patched flaw in Microsoft’s Internet Explorer browser has surfaced.

Starting late Wednesday, researchers at antivirus vendor Symantec’s Security Response group began spotting dozens of Web sites that contain the Internet Explorer attack, which works reliably on the IE 6 browser, running on Windows XP. The attack installs a Trojan horse program that is able to bypass some security products and then give hackers access to the system, said Joshua Talbot, a security intelligence manager with Symantec.

Once it has infected a PC, the Trojan sends a notification e-mail to the attackers, using a U.S.-based, free e-mail service that Symantec declined to name.

Make the right browser update: Firefox 3.6

Neolithic Windows security hole alive and well in Windows 7

One of the reasons I’ve never liked Windows is that it was never made to deal with the security problems of working in a networked, multi-user world. As a direct result, Windows has been fundamentally insecure for more than a decade. Even so, I was surprised to find that there’s a 17-year old security hole that’s been in Windows since NT and it’s still present today in Windows 7.

Wow. Even I’m shocked by this latest example of just how rotten Windows security is. It just reminds me again though that while Microsoft keeps adding features and attempting to patch its way out of security problems to Windows, Windows’ foundation is built on sand and not on the stone of good, solid design.

[...]

Be that as it may, the code’s still in there. An attacker can trigger the vulnerability through a variety of means. The end-result is, surprise, another Windows machine that’s totally owned by the attacker. Once in charge, they can vacuum down your files, install malware, and all the other usual tricks.

Vista 7 was never secure to begin with. See the examples below.

  1. Cybercrime Rises and Vista 7 is Already Open to Hijackers
  2. Vista 7: Broken Apart Before Arrival
  3. Department of Homeland Security ‘Poisoned’ by Microsoft; Vista 7 is Open to Hijackers Again
  4. Vista 7 Security “Cannot be Fixed. It’s a Design Problem.”
  5. Why Vista 7 Could be the Least Secure Operating System Ever
  6. Journalists Suggest Banning Windows, Maybe Suing Microsoft Over DDoS Attacks
  7. Vista 7 Vulnerable to Latest “Critical” Flaws
  8. Vista 7 Seemingly Affected by Several More “Critical” Flaws This Month
  9. Reason #1 to Avoid Vista 7: Insecurity
  10. Vista 7 Left Hijackable Again (Almost a Monthly Recurrence)
Share this post: These icons link to social bookmarking sites where readers can share and discover new web pages.
  • Digg
  • del.icio.us
  • Reddit
  • co.mments
  • DZone
  • email
  • Google Bookmarks
  • LinkedIn
  • NewsVine
  • Print
  • Technorati
  • TwitThis
  • Facebook

If you liked this post, consider subscribing to the RSS feed or join us now at the IRC channels.

Pages that cross-reference this one

A Single Comment

  1. uberVU - social comments said,

    January 22, 2010 at 9:26 pm

    Social comments and analytics for this post…

    This post was mentioned on Twitter by schestowitz: Critical Internet Explorer Flaw Known and Ignored for 4 Months http://boycottnovell.com/2010/01/22/refusing-to-fix-ie-flaws/

What Else is New


  1. Nothing Has Truly Changed Since Netscape and Antitrust

    The same old crimes persist, as well as the blatantly anticompetitive behaviour



  2. When the Monopolists and the Patent Litigation Industry Hijack the News They Control the Narrative

    Money buys perception and litigation firms have certainly 'bought' the media coverage, which fails to convey the issue at stake and instead paints a rational court decision as tragedy for "innovation" (by "innovation" they mean monopolies on nature and on life)



  3. Links 25/1/2020: OPNsense 20.1 RC1 and DXVK 1.5.2

    Links for the day



  4. The Linux Kernel is No Longer Free Software?

    Gardiner Bryant, the creator of The Linux Gamer as well as The Off Topical Podcast, reacts to our articles about DRM in Linux (he even pronounced my name correctly)



  5. Sometimes Proprietary Software is Proprietary (Secret) Simply Because It is Not Good and Obfuscation Helps Hide Just How Ugly It Is

    Why nonfree (or proprietary) software generally fails to catch up with Free/libre software — at least on technical grounds — and then makes up for it with marketing and FUD offensives (discrediting perfectly-functioning things, based on their perceived cost)



  6. IRC Proceedings: Friday, January 24, 2020

    IRC logs for Friday, January 24, 2020



  7. Links 24/1/2020: GNU/Linux in Russia and More New Openings

    Links for the day



  8. When EPO Press Coverage Boils Down to Lobbying, Press Releases, EPO Lies, and Bribery

    Any attempts to properly assess and explain what happens in Europe's patent landscape are being drowned out by EPO-bribed and law firms-connected media; to make matters worse, the EPO's bribes have expanded to academia, so even scholarly work in this domain is corrupted by money of special interest groups



  9. IRC Proceedings: Thursday, January 23, 2020

    IRC logs for Thursday, January 23, 2020



  10. Links 23/1/2020: Qubes OS 4.0.3, EasyOS 2.2.5, GhostBSD 20.01

    Links for the day



  11. Passion of the Microsoft

    A rough timeline of Microsoft’s interactions with Linux and the Linux Foundation since 2015



  12. The Patent Microcosm is Really Panicking as European Patents on Life and Other Spurious Junk (Invalid Patents) Are Successfully Rejected

    European Patents (EPs) may be revoked en masse if what we're seeing is the gradual emergence of 'European Mayo' (and maybe soon 'European Alice')



  13. Distractions From Microsoft's Gigantic Tax Evasion and Contribution to Denial of Climate Science

    Microsoft (connected to oil companies) wants us to think of it as a "green" company; not only does it contribute to climate denial but it also evades tax, which is a serious crime that costs tens of billions of dollars (the public pays this money instead)



  14. Confirmation: System1/Startpage Offered Pay to People Who Pushed for (Re)Listing in Privacy Directories

    The debate is now settled; those arguing in favour of listing Startpage as privacy-respecting are in fact secretly 'compensated' by Startpage (in other words, they're Startpage 'shills')



  15. Vandana Shiva: “Bill Gates is Continuing the Work of Monsanto”

    A recent interview on what Bill Gates is really up to in that sham ‘charity’ of his



  16. IRC Proceedings: Wednesday, January 22, 2020

    IRC logs for Wednesday, January 22, 2020



  17. Extending Linux With DRM, Azure and exFAT

    An insufficiently 'conservative' Linux ceases to be freedom-respecting



  18. Linux Foundation (LF) Now Dominated by Lots of Microsoft People and LF Chiefs Join Microsoft in Smearing GPL/Copyleft

    We continue to see additional evidence which serves towards reinforcing our view that the so-called 'Linux' Foundation is actually hostile towards many things that are associated with Linux (unlike those looking to exploit/hijack Linux for proprietary ends)



  19. Links 22/1/2020: Wayland 1.18 Alpha, ODF 1.3 Approved

    Links for the day



  20. IRC Proceedings: Tuesday, January 21, 2020

    IRC logs for Tuesday, January 21, 2020



  21. Poor Excuses for Granting Poor (and Often Illegal/Invalid) Patents

    A quick look at some of the latest examples of software patents advocacy (not by actual software professionals, obviously) and why it's deeply misguided (or guided solely by greedy law firms)



  22. A Simple Plan For a Universal Free Software Community

    "For software to be free as in freedom, we need more people to care personally about software freedom."



  23. Links 21/1/2020: Wine 5.0 and Red Hat Enterprise Linux 8.2 Beta

    Links for the day



  24. Startpage/System1 Almost Definitely Pay for People to Lie About Their Surveillance

    A longterm investigation suggests that there are forces in the debate that aren't objective and are being super evasive and dodgy; this typically happens only when somebody has much to hide



  25. The Internet is an Appalling Medium for News and It Has Only Gotten Worse

    Something ought to change in the way people gather and assess news; at the moment — as proper journalism runs out of steam (and budget) — things only deteriorate and quality suffers; this rapidly exacerbates as people come to rely on — and then relay — hearsay, not fact-checked bodies of work



  26. Media Reactions to the EPO Coming to Grips With Fake Patents That It Granted (Spoiler: the Media is Controlled by Lawyers of Monopolists and EPO Partners)

    Appalling quality of reporting and truly awful bias in the media, primarily owing to the fact that it is dominated/manned not by actual reporters but the firms looking to patent life itself; they use their lawyers and operatives who are literally funded by these lawyers (wearing "journalist" badges to mislead)



  27. Links 21/1/2020: EarlyOOM Fedora Decision and AMD Zen 3 Microcode

    Links for the day



  28. IRC Proceedings: Monday, January 20, 2020

    IRC logs for Monday, January 20, 2020



  29. Links 20/1/2020: MNT Reform, Linux 5.5 RC7, KMyMoney 5.0.8

    Links for the day



  30. Mansion of Pedophilia – Addendum: Accessing and Assessing Court Documents

    How anyone out there can do the job the media failed to do (after an apparently unprecedented arrest at the home of Bill Gates)


RSS 64x64RSS Feed: subscribe to the RSS feed for regular updates

Home iconSite Wiki: You can improve this site by helping the extension of the site's content

Home iconSite Home: Background about the site and some key features in the front page

Chat iconIRC Channel: Come and chat with us in real time

Recent Posts