03.06.10

Microsoft Angers the World by Asking for a Form of Security Bailout, More Fundamental Windows Flaws Found

Posted in GNU/Linux, Microsoft, Security, Windows at 4:08 am by Dr. Roy Schestowitz

Screaming

Summary: Microsoft’s recommendation of “Internet tax” for removing Windows botnets/zombies doesn’t fly; Windows DEP (data execution prevention) is busted

EARLIER in the week we wrote about Microsoft’s Charney suggesting that everyone — UNIX and Linux users included — should pay [1, 2] to compensate for Microsoft’s own negligence [1, 2, 3]. Many people already pay for the damage collectively; for instance, if banks lose money due to zombie Windows PCs that compromise accounts, then interest rates will be lessened. These are some of the hidden costs everyone pays for Microsoft’s incompetence. In Germany, it's hardly even hidden anymore.

“Microsoft’s Laugh-a-Minute Show Continues,” says Glyn Moody regarding Microsoft’s arrogant suggestion.

Can you believe it? Microsoft’s lousy programming has caused *billions* of pounds worth of damage to the global economy in terms of downtime, lost files (and probably blood pressure problems) and it has the bare-faced cheek to suggest there should be an “Internet usage tax” on *everyone* (including GNU/Linux users) to pay for the rectification of *its* mistakes? No wonder Scott Charney has the humorous and manifestly self-contradictory title of “Microsoft Corporate Vice President for Trustworthy Computing”….

Here is another response: “Taxing every citizen for Microsoft Windows problems? Are we insane?”

Just when you think you’ve heard everything, something new arrives. Two years ago, we heard that half a million computers are infected with malicious bots every day (a “bot” is a software program that enters your computer from the Internet or inside infected files, then runs in the background to steal your data, send spam or wreak havoc in some other way).

This is a huge problem both because we depend on digital data in too many ways to explain them here (but you may read about them in the Open Government Book) and because of environmental reasons. According to a McAfee report published in May 2009 the amount of energy used every year to transmit, process and filter spam would be enough to power 2.4 million homes, with the same Greenhouse Gas emissions as 3.1 million passenger cars.

On March 2nd, 2010, Microsoft Corporate Vice President for Trustworthy Computing Scott Charney spoke at a computer security conference about this very theme, that is how to fight the damages caused by computers infected by bots (or “malware”).

According to the summary published on ComputerWorld, Mr Charney started correctly. He pointed out that, just as there are quarantine programs for people with infective diseases, the same thing should happen with people who have computers infected by malware but, for any reasons, won’t fix them up as soon as possible: such people should not be allowed to go online until their computer is clean and safe.

Windows is insecure not because people are negligent; Microsoft itself is extremely negligent and there are many examples of this. “Typical Windows user patches every 5 days,” says this new report from IDG (quoting Secunia).

75 Microsoft, third-party patch events each year are a burden most users can’t bear, says Secunia

Here is Berend-Jan Weve finding another security problem in Windows. From SJVN:

Honest to God I don’t go around trying to pick on Windows for its security problems, but the hackers keep finding new ways to break into it. And, this time, they’ve found a doozie. Berend-Jan Wever, aka “Skylined,” a Google security software engineer has busted DEP (data execution prevention), one of the few significant security improvements Microsoft has made to Windows.

DEP, which was added to Windows back in August 2004 in XP SP2. It addressed the very common hacking technique of buffer overflows. In a buffer overflow attack, a malicious program tries to overwrite the buffer, the amount of memory a program has been allocated for running its code in. By so doing, a buffer overflow overwrites memory that may or may not have been allocated to other programs. In either case, it can then use this overwritten memory for its own purposes. Usually this means running malware or even taking over the computer itself.

[...]

Unfortunately, Wever, using a variation of a hacking technique he helped perfect called heap-spraying has busted DEP. In heap-spraying, the attack code made an educated guess at where vulnerable memory that could be used to execute unapproved programs could be found. In Wever’s latest trick, the attacking code looks for clues on where to find memory that’s allowed by DEP to run programs. Once armed with this information, the attack code can then successfully plant itself in the system.

While the attack code isn’t ready to go for any script-kiddie, as Wever himself points out, he has given enough information on how to defeat DEP that it’s only a matter of time before a competent cracker uses the code to start enabling new attacks.

[...]

In short, if you’re running 32-bit Windows of any sort-XP, Vista, 7, Server 2008-you can look ‘forward’ to being even more vulnerable to attacks. Have I mentioned lately that I tend to do most of my desktop computing with Linux? Well, I am. This exploit opens up a new and huge hole in Windows’ already vulnerable defenses.

For some of its better enhancements to security, Microsoft relies on Free software in the form of firewalls, even virus scanners.

The open source ClamAV project is often used on servers as a way to scan and secure e-mail gateways and Windows file shares. Now ClamAV is coming to the Windows desktop too, by way of the cloud.

Vista 7 is not a solution because it’s not secure either. See the links below.

  1. Cybercrime Rises and Vista 7 is Already Open to Hijackers
  2. Vista 7: Broken Apart Before Arrival
  3. Department of Homeland Security ‘Poisoned’ by Microsoft; Vista 7 is Open to Hijackers Again
  4. Vista 7 Security “Cannot be Fixed. It’s a Design Problem.”
  5. Why Vista 7 Could be the Least Secure Operating System Ever
  6. Journalists Suggest Banning Windows, Maybe Suing Microsoft Over DDoS Attacks
  7. Vista 7 Vulnerable to Latest “Critical” Flaws
  8. Vista 7 Seemingly Affected by Several More “Critical” Flaws This Month
  9. Reason #1 to Avoid Vista 7: Insecurity
  10. Vista 7 Left Hijackable Again (Almost a Monthly Recurrence)
  11. Trend Micro: Vista 7 Less Secure Than Vista
  12. Vista 7 Less Secure Than Predecessors? Remote BSoD Now Possible!
Share in other sites/networks: These icons link to social bookmarking sites where readers can share and discover new web pages.
  • Reddit
  • email

If you liked this post, consider subscribing to the RSS feed or join us now at the IRC channels.

Pages that cross-reference this one

A Single Comment

  1. Needs Sunlight said,

    March 6, 2010 at 10:03 am

    Gravatar

    So this is another Windows vulnerability?

    http://www.vupen.com/english/advisories/2010/0529

    If that’s the case, then Vista and Vista7 are probably defective in the same way as XP. Wait a week or two until the so-called security sites that make their money from Windows are allowed to post about Vista and Vista7.

What Else is New

  1. Links 30/11/2020: GhostBSD 20.11.28, Nitrux 1.3.5, Linux 5.10 RC6, GNOME Circle, Microsoft Collapses Again in Web Server Share

    Links for the day

  2. Alternatives to the World Wide Web, to HTML, to HTTP/S, and to the Internet

    Looking around the Web (yes, the Web) for alternatives to the Web (and the stack underneath the Web), we're finding that IPFS is mature and robust enough for our needs

  3. Management of the EPO Dragged to the International Labour Organisation Over Its Assault on the Right to Strike

    Opinion on strikes challenged by the Central Staff Committee of Europe's second-largest organisation; if strike rights are almost abolished there, what hope is there for the rest of Europe?

  4. [Meme] Management of the EPO Cannot Let the Staff Breathe or Smell Freedom

    Working for the EPO means giving up on one’s human rights; that’s the sort of conclusion many workers have reached

  5. “ViCo” is Nothing New (Not Even the Acronym), Done on 9/11 Last Year, Been Possible as Long as the EPO Has Existed

    Contrary to what many people are led to believe, the EPO isn't embracing innovation, it's just embracing COVID-19 and leveraging lock-downs (de facto house arrest to some) to impose an illegal practice on EPO staff and EPO stakeholders

  6. Release: Early Letters and Documents About Financial Hoax Disguised as EPO 'Study'

    It was over a year ago that staff representation at the EPO expressed concerns about what would later enrage workers — seeing that based on unscientific fabrications the EPO would take away what had been promised to them

  7. IRC Proceedings: Sunday, November 29, 2020

    IRC logs for Sunday, November 29, 2020

  8. Managing IP: Puff Pieces Galore for the EPO's Dictatorship (Complete With Buzzwords and PR Stunts)

    By giving a platform to notorious patent trolls and ‘engaging’ with the EPO‘s dictator (whom only 3% of EPO staff trusts) Managing IP is sort of giving away its real agenda, which isn’t journalism but conducting or assisting misinformation campaigns

  9. Links 29/11/2020: Genode OS Framework 20.11, Linux 5.11 Kernel Changes, and Latest in KDE Itinerary

    Links for the day

  10. Sincere Thoughts About Outreachy

    Outreachy's role in the Free software community and inclusion in the FSF's High Priority Projects, as seen from the eyes of a female coder from a minority group; she used to work for the Free Software Foundation (FSF) and she expresses concerns about what Outreachy has become

  11. Free Software Under Tyranny of Codes of Conduct as the Western Equivalent of Blasphemy Law (Corporations as the New Religion/Sponsors as Deities)

    The free speech crisis in Free software communities has enabled expulsion of opinionated people whose opinions truly matter; in their place we now have companies that bomb people, sometimes even kidnapping children and sterilising women because nothing says “Ethics” like naked fascism and corporate domination everywhere

  12. Release: 4 More Documents and Letters About the Financial Siege at Europe's Second-Largest Institution

    Documents disputing the accuracy of the "hoax" from António Campinos and the Mercers

  13. One Year Ago: The Last EPO Demonstration Before COVID-19

    About a year ago staff of the EPO apparently had its last protest (in front of the Isar building) before staff got ‘herded’ into homes, where workers became more isolated and even illegally spied on

  14. [Meme] Unified Patent Court Agreement (UPCA) is an Attack on Europe and the European Businesses That Don't Do Litigation

    Litigation lawyers and patent zealots want to set Europe ablaze with legislation that they themselves crafted; thankfully, however, they face constitutional obstacles, no matter how many politicians they bamboozle and buy

  15. Reasons EPO Staff Decided to Go on Strike This Year (Before or Until Coronavirus Prevented It)

    An year-old letter from the Staff Union of the European Patent Office (SUEPO) to the President of the EPO; 7 reasons for going on strike are enumerated

  16. EPO Can Save Money by “Dropping Events Like the Inventor of the Year, Reducing the Number of Managers, Throwing Less Money at Consultants or Bringing the Boards of Appeal Back into Office Buildings.”

    Constructive suggestions from EPO staff, made just over a year ago and assembled into a letter to their EPO colleagues

  17. The Real Fate of the UPC 'Stunt' in Germany Will be Known Next Month (or Next Year) and There Are Substantial Constitutional Barriers in the Way

    Contrary to what Team UPC wants people to think, UPC(A) isn’t a “done deal” in Germany; they never actually addressed the substance of complaints and with help from Benoît Battistelli‘s friends in the Commission they’re just attempting a blatant coup

  18. Microsoft Removes Free Software From GitHub Again, This Time for Motion Picture Association (MPA)

    GitHub is proving to be more of a censorship site than a code-sharing site; with the GitHub takeover Microsoft became a 'censorship police' or force of occupation against its ideological competition; just weeks after the YouTube-DL debacle and further take-downs seeking to 'protect' broken DRM schemes (by banning code) we can see that Microsoft isn't defending developers at all; it's just protecting the interests of MPA, RIAA and other Biden circles from the interests of the general population, which sometimes circumvents perfectly circumventable 'DRM' schemes

  19. IRC Proceedings: Saturday, November 28, 2020

    IRC logs for Saturday, November 28, 2020

  20. Help Make Techrights (and Other Technology-Centric Sites) More Robust to Censorship by Setting Up More IPFS Nodes

    We’re trying to improve the site’s availability (ensuring it can never be offline) and make it more censorship-resistant; people who adopt IPFS can make that happen while tackling the “bloated Web” and “centralised Internet” issues — all at the same time

  21. Microsoft Loves Linux and Android Apps Running on Windows Instead of GNU/Linux and Android Devices

    Microsoft loves Linux, they say; but as Microsoft's former VP James Allchin put it: "If you're going to kill someone there isn't much reason to get all worked up about it and angry -- you just pull the trigger [...] We need to smile at Novell while we pull the trigger."

  22. Links 28/11/2020: RenderDoc 1.11, GNOME 40 Scrolling Horizontally

    Links for the day

  23. Nine Documents About the Financial Siege Against EPO Staff (Past, Present, and Future)

    Today we release dozens of pages of letters and documents (internal to Europe's second-largest institution); they all focus on the betrayal and skulduggery, crushing staff in spite of what was originally promised (and what workers actually signed up for)

  24. EPO Senior Management (Cabal) “Essentially Deaf to the Proposals From Staff Representatives.”

    Representatives of EPO staff feel like the management of the EPO is "deaf" and uncaring; there's hardly any meaningful progress (or none whatsoever) when it comes to truly honest dialogue with real participation

  25. EPO Management, Led by António Campinos, Attempted to Stifle or Prevent Staff From Being Surveyed

    Battistelli's cabal, which covers up a lot of fraud and corruption, is attempting to prevent the staff from expressing an opinion (for insiders and perhaps outsiders to assess) because things are really bad and autocratic measures are seen as necessary to keep the lid on issues/abuses

  26. The European Patent Office's Central Staff Committee: Office Cannot Recruit Fit-for-Purpose Patent Examiners Anymore

    One third of EPO recruits are 'locals' (Germans), 0.2% are Swiss, 1% Scandinavian; the EPO as an employer became unattractive and it's unable to attract the staff it needs (as was projected and planned when the EPC was agreed upon)

  27. IRC Proceedings: Friday, November 27, 2020

    IRC logs for Friday, November 27, 2020

  28. Links 27/11/2020: Jolla is 7, Diffoscope 162, MNT Reform Production

    Links for the day

  29. The Time Coronavirus Helped EPO Management Prevent Staff From Protesting and Going on Strike (March 26th)

    "In view of the spreading of the New Corona Virus, the planned General Assemblies have to be cancelled," the Staff Union of the European Patent Office (SUEPO) wrote in the wake of the crisis across Europe back in March (weeks ahead of a planned strike)

  30. Guarding Your Privacy With E2EE: Primer

    "As with all security, there is assumed risk no matter how careful you are. There are no security guarantees but that doesn't mean you shouldn't try."

RSS 64x64RSS Feed: subscribe to the RSS feed for regular updates

Home iconSite Wiki: You can improve this site by helping the extension of the site's content

Home iconSite Home: Background about the site and some key features in the front page

Chat iconIRC Channel: Come and chat with us in real time

Recent Posts