EditorsAbout the SiteComes vs. MicrosoftUsing This Web SiteSite ArchivesCredibility IndexOOXMLOpenDocumentPatentsNovellNews DigestSite NewsRSS


Microsoft Security Negligence Confirmed: Critical Internet Explorer Flaw Known and Ignored for 4 Months

Posted in Deception, Microsoft, Security, Windows at 4:12 pm by Dr. Roy Schestowitz

Summary: The newest facts show that Microsoft knowingly refused to fix flaws that led to tremendous damage; lies from Microsoft (about its competition) are refuted as well

IN MANY RECENT posts about Internet Explorer [1, 2, 3, 4, 5, 6, 7, 8], we have pointed out Microsoft’s pattern of negligence [1, 2, 3], which always passes costs (damages) to the public. Microsoft should probably be sued for it, rather than make money from it. Microsoft — like Goldman Sachs — is making a lot of money out of a crisis caused by its own risk-taking.

Here are some self-explanatory news headlines:

Microsoft lies to your face about browser security

Microsoft’s Head of Security and Privacy in the UK has told TechRadar that people who jump ship from Internet Explorer after the recent spate of bad headlines risk ending up on a less secure browser. With France and Germany both advising a move away from Internet Explorer, things are far from rosy for Microsoft’s browser [...yet] Microsoft’s UK security chief Cliff Evans insists that a non-Microsoft browser is the worse option. “The net effect of switching [from IE] is that you will end up on less secure browser,” insisted Evans. “The risk [over this specific] exploit is minimal compared to Firefox or other competing browsers… you will be opening yourself up to security issues.

Let’s fight FUD with facts…

Vulnerability Report: Mozilla Firefox 3.5.x
Unpatched: 0

Vulnerability Report: Google Chrome 3.x
Unpatched: 0

Vulnerability Report: Opera 10.x
Unpatched: 0

Vulnerability Report: Apple Safari 4.x
Unpatched: 0

Vulnerability Report: Microsoft Internet Explorer 6.x
Unpatched: 24
Most Critical Unpatched: Extremely critical

Vulnerability Report: Microsoft Internet Explorer 7.x
Unpatched: 11
Most Critical Unpatched: Extremely critical

Vulnerability Report: Microsoft Internet Explorer 8.x
Unpatched: 4
Most Critical Unpatched: Extremely critical

My recommendation if you use Windows: make sure the version of IE that’s installed (because you can’t uninstall it!) is the latest/least vulnerable (IE8) and then install at least one of the non-IE browsers listed (personally I always recommend Firefox :) and then use THAT. Of course, you could always switch to a Mac or Linux…

Microsoft patches IE, admits it knew of bug last August

As Microsoft patched the Internet Explorer (IE) vulnerability that was used to break into Google’s network, it also acknowledged that it had known of the bug since August 2009, when an Israeli security company reported the flaw.

MS knew of Aurora exploit four months before Google attacks

Microsoft first knew of the bug used in the infamous Operation Aurora IE exploits as long ago as August, four months before the vulnerability was used in exploits against Google and other hi-tech firms in December, it has emerged.

Redmond’s security gnomes finally got around to patching the exploit on Thursday. the hack attacks against Google et al targeted IE 6, a browser first released in 2001. Exploits involved tricking users of vulnerable browsers into visiting booby-trapped websites. These sites downloaded the Hydraq backdoor Trojan and other malicious components onto compromised PCs.


A quick search of Secunia’s database, via its PSI patching tool, reveals a problem with an unpatched ActiveX control that looks just as bad, for example.

Emergency IE patch goes live as exploits proliferate

Microsoft released an emergency security update for all versions of Internet Explorer on Thursday as attacks exploiting a critical vulnerability in the widely used browser spread to hundreds of websites.


While some of the sites hosting the attacks were free services that had been co-opted, others appeared to be domains of legitimate companies that had been compromised.


In an admission that’s sure to spark criticism, Microsoft said it learned of the critical bug more than three months ago.


The unscheduled bulletin fixes a memory corruption flaw in most versions of the widely used browser that allows attackers to execute malicious code simply by luring victims to a booby-trapped website. It fixes seven other privately reported vulnerabilities, some of which also made remote code execution possible, that Microsoft had been planning to issue next month during its next regularly scheduled patch release.


Systems compromised by the sites reported by Symantec were infected with a backdoor that collected registry settings and other system information and sent it to an email address that was under the control of attackers. That email address has since been disabled, Talbot said.

Widespread Attacks Exploit Newly Patched IE Bug

The first widespread attack to leverage a recently patched flaw in Microsoft’s Internet Explorer browser has surfaced.

Starting late Wednesday, researchers at antivirus vendor Symantec’s Security Response group began spotting dozens of Web sites that contain the Internet Explorer attack, which works reliably on the IE 6 browser, running on Windows XP. The attack installs a Trojan horse program that is able to bypass some security products and then give hackers access to the system, said Joshua Talbot, a security intelligence manager with Symantec.

Once it has infected a PC, the Trojan sends a notification e-mail to the attackers, using a U.S.-based, free e-mail service that Symantec declined to name.

Make the right browser update: Firefox 3.6

Neolithic Windows security hole alive and well in Windows 7

One of the reasons I’ve never liked Windows is that it was never made to deal with the security problems of working in a networked, multi-user world. As a direct result, Windows has been fundamentally insecure for more than a decade. Even so, I was surprised to find that there’s a 17-year old security hole that’s been in Windows since NT and it’s still present today in Windows 7.

Wow. Even I’m shocked by this latest example of just how rotten Windows security is. It just reminds me again though that while Microsoft keeps adding features and attempting to patch its way out of security problems to Windows, Windows’ foundation is built on sand and not on the stone of good, solid design.


Be that as it may, the code’s still in there. An attacker can trigger the vulnerability through a variety of means. The end-result is, surprise, another Windows machine that’s totally owned by the attacker. Once in charge, they can vacuum down your files, install malware, and all the other usual tricks.

Vista 7 was never secure to begin with. See the examples below.

  1. Cybercrime Rises and Vista 7 is Already Open to Hijackers
  2. Vista 7: Broken Apart Before Arrival
  3. Department of Homeland Security ‘Poisoned’ by Microsoft; Vista 7 is Open to Hijackers Again
  4. Vista 7 Security “Cannot be Fixed. It’s a Design Problem.”
  5. Why Vista 7 Could be the Least Secure Operating System Ever
  6. Journalists Suggest Banning Windows, Maybe Suing Microsoft Over DDoS Attacks
  7. Vista 7 Vulnerable to Latest “Critical” Flaws
  8. Vista 7 Seemingly Affected by Several More “Critical” Flaws This Month
  9. Reason #1 to Avoid Vista 7: Insecurity
  10. Vista 7 Left Hijackable Again (Almost a Monthly Recurrence)
Share this post: These icons link to social bookmarking sites where readers can share and discover new web pages.
  • Digg
  • del.icio.us
  • Reddit
  • co.mments
  • DZone
  • email
  • Google Bookmarks
  • LinkedIn
  • NewsVine
  • Print
  • Technorati
  • TwitThis
  • Facebook

If you liked this post, consider subscribing to the RSS feed or join us now at the IRC channels.

Pages that cross-reference this one

A Single Comment

  1. uberVU - social comments said,

    January 22, 2010 at 9:26 pm

    Social comments and analytics for this post…

    This post was mentioned on Twitter by schestowitz: Critical Internet Explorer Flaw Known and Ignored for 4 Months http://boycottnovell.com/2010/01/22/refusing-to-fix-ie-flaws/

What Else is New

  1. Links 27/10/2016: Major Changes in Unity 8, Nextcloud Targets Phones

    Links for the day

  2. 'Balkan Express' Teaser: EPO's Željko Topić, Kuterovac, Campinos, Gurry, Battistelli and the DKPTO (Kongstad)

    Various photos of Topić and Kuterovac. Some more photos with other IP "luminaries" such as Campinos of the EUIPO and Gurry of the WIPO.

  3. The United States Pressures India to Broaden Patent Scope and Other Monopolies

    The envoy of the US is trying to tell India how to run the country (stricter laws regarding copyrights, trademarks, and patents), as a condition for foreign investment by multinational corporations

  4. Budget and Finance Committee of the Administrative Council (EPO) Confirms Exile of the Boards of Appeal

    Crushing of highly-skilled staff, propaganda in the form of new press releases, and recruitment attempts that won't succeed because the world now knows what goes on inside the European Patent Office

  5. Links 26/10/2016: “softWaves” in Debian 9, Rust in GNOME

    Links for the day

  6. Leaked: EPO's Vice-President Willie Minnoye Saying the Unsayable, Then Threatening Anyone Who Keeps Record (Evidence) of It

    E-mail that would leave Vice-President Willie Minnoye bashful, as it helps show not only bad policy but also attempts at suppression of discussion about it

  7. Puff Pieces of the EPO-IPO (EPO+EUIPO) Have Begun to Appear Amid New Evidence of Brain Drain, Lowered Standards

    The grim vision of the EPO which is losing all its talent (over time), becomes more like a production line (quality does not matter), and produces propaganda for "media positioning" (or "placements") -- all under the guise of 'studies'

  8. Leaked: Minutes From the Administrative Council of the EPO Regarding the 'Reform' (Exile) of the Boards of Appeal

    Details of the relatively secret proceedings back in June (belatedly released only a short while ago), carefully abbreviated to demonstrate which delegations helped Battistelli crush the Boards of Appeal and which ones insisted on maintaining the status quo, as per the EPC

  9. No Promising Future For the EPO Under Battistelli (If Any Future At All)

    Pessimism becomes realism at the European Patent Office as units are being torn apart, patent quality discarded, "unified" patent courts dreamed of (more patent lawsuits, higher damages), and EUIPO (EU-associated, unlike Eponia) gets closer to the EPO

  10. Leaked Minutes From the EPO Reveal That Battistelli is Detached From Reality and Blames Everything on “Union Officials”

    Minutes of the Administrative Council's meeting reveal some truly bizarre rants from Battistelli, who simply refuses to accept that the European Patent Office is burning (without a future direction, only burnout and brain drain) under his poor and abusive leadership

  11. Tata/TCS is Still Pushing for Software Patents in India

    The obnoxious company that is promoting Microsoft and software patents in a country that needs neither makes the headlines again (Financial Express)

  12. Links 25/10/2016: Rackspace's Praise of FOSS, Chain Chooses the GPL(v3)

    Links for the day

  13. Links 24/10/2016: Linux 4.9 RC2

    Links for the day

  14. Battistelli Plans to Expand the Social [sic] 'Study' (Then 'Conference') Propaganda Until Next Month, Under the 'Workshop' Umbrella

    Milking his shameless propaganda (paid-for 'studies'), Battistelli wants to rewrite the record by all means possible, then pretend that EPO staff participates in it

  15. EPO and EUIPO Join Hands to Release Propaganda (for European Media to Parrot) Some Time Tomorrow

    EPO and EUIPO in collaboration for the promotion of the notion that they are both necessary (and reinforced speculations about growing overlap between them)

  16. UPC Preparatory Committee Puts the Brakes on UPC Amid Brexit and Growing Uncertainty

    The Unified Patent Court (UPC) preparatory committee recognises that the UPC isn't going anywhere (any time soon) and false job advertisements -- or advertisements for jobs that will never exist -- are withdrawn

  17. Updates Regarding EPO and BoAC: Unrest and Injustice Carry on

    Some of the latest information which is publicly and privately available to us, in particular regarding the case of a suspended judge which represents unprecedented erosion of the appeal boards' independence (and hence lack of justice in the Organisation)

  18. EPO and the “Iberian Connection”: Patricia García-Escudero Márquez - Battistelli's Pet Chinchilla on the Boards of Appeal Committee?

    Why the Boards of Appeal Committee has begun showing prominent signs that it is anything but independent and capable of standing up to Battistelli (or his circle at the Office, which includes the “Iberian Connection")

  19. Links 23/10/2016: Alcatel's New Android Smartphones, Another Honorary Doctorate for Stallman

    Links for the day

  20. Open Letter Exposing the Farce Which Was Battistelli's 'Social Conference' Coinciding With Further (New) Attacks on EPO Staff Representatives

    A detailed letter reveals legitimate concerns expressed by staff representatives at the EPO ahead of the so-called Social Conference, in which we have highlighted severe factual flaws

  21. Translation of Latest Rant From French MP Philip Cordery About Benoît Battistelli's Abuses at the EPO

    Philip Cordery crosses horns with Benoît Battistelli, who has become a source of embarrassment for France with his autocratic tendencies and misguided policies that rapidly ruin the European Patent Office (EPO)

  22. Battistelli-Commissioned PwC ‘Study’: Leaked Document Shows PwC's Dishonesty and Misrepresentation of EPO Staff

    An in-depth analysis (but not comprehensive, just preliminary) of the so-called 'study' from PwC, which basically did what it was paid for (pay to say)

  23. Links 22/10/2016: Deus Ex for GNU/Linux, Global DDoS (DNS)

    Links for the day

  24. Battistelli-Commissioned PwC ‘Study’: Survey Comparison Shows Serious Deterioration and Efforts by PwC to Disguise the Truth

    The latest output from PwC turns out to be even worse than initially thought, indicating that not only did it find a degradation in the EPO but also attempted to hide/obscure it

  25. EPO Teaser - The "Iberian Connection" - Some Photos of García-Escudero and His Royal/Government Connections

    A look at the undeniably close connections between Mr. García-Escudero and the most powerful people in Spain

  26. Disruption to Site's Service

    A technical note about why Techrights has not been publishing many articles recently

  27. Links 21/10/2016: MPV 0.21, Mad Max for GNU/Linux

    Links for the day

  28. EPO Caricature: Battistelli's High Five

    Another cartoon about the sad state of the EPO

  29. Battistelli Ruins Not Only the EPO But Also the Whole of Europe By Ushering in Software Patents That Patent Trolls Love So Much

    Battistelli's bad leadership at the EPO threatens to bring to Europe all the ills and menaces of the patent system in the United States

  30. EPO Spokesman Lies to IP Watch in Order to Save Face and Save the King (Battistelli)

    Rewriting history (revisionism) regarding Battistelli and what was demanded amidst abusive behaviour from him


RSS 64x64RSS Feed: subscribe to the RSS feed for regular updates

Home iconSite Wiki: You can improve this site by helping the extension of the site's content

Home iconSite Home: Background about the site and some key features in the front page

Chat iconIRC Channel: Come and chat with us in real time


Recent Posts