EditorsAbout the SiteComes vs. MicrosoftUsing This Web SiteSite ArchivesCredibility IndexOOXMLOpenDocumentPatentsNovellNews DigestSite NewsRSS

03.06.10

Microsoft Angers the World by Asking for a Form of Security Bailout, More Fundamental Windows Flaws Found

Posted in GNU/Linux, Microsoft, Security, Windows at 4:08 am by Dr. Roy Schestowitz

Screaming

Summary: Microsoft’s recommendation of “Internet tax” for removing Windows botnets/zombies doesn’t fly; Windows DEP (data execution prevention) is busted

EARLIER in the week we wrote about Microsoft’s Charney suggesting that everyone — UNIX and Linux users included — should pay [1, 2] to compensate for Microsoft’s own negligence [1, 2, 3]. Many people already pay for the damage collectively; for instance, if banks lose money due to zombie Windows PCs that compromise accounts, then interest rates will be lessened. These are some of the hidden costs everyone pays for Microsoft’s incompetence. In Germany, it's hardly even hidden anymore.

“Microsoft’s Laugh-a-Minute Show Continues,” says Glyn Moody regarding Microsoft’s arrogant suggestion.

Can you believe it? Microsoft’s lousy programming has caused *billions* of pounds worth of damage to the global economy in terms of downtime, lost files (and probably blood pressure problems) and it has the bare-faced cheek to suggest there should be an “Internet usage tax” on *everyone* (including GNU/Linux users) to pay for the rectification of *its* mistakes? No wonder Scott Charney has the humorous and manifestly self-contradictory title of “Microsoft Corporate Vice President for Trustworthy Computing”….

Here is another response: “Taxing every citizen for Microsoft Windows problems? Are we insane?”

Just when you think you’ve heard everything, something new arrives. Two years ago, we heard that half a million computers are infected with malicious bots every day (a “bot” is a software program that enters your computer from the Internet or inside infected files, then runs in the background to steal your data, send spam or wreak havoc in some other way).

This is a huge problem both because we depend on digital data in too many ways to explain them here (but you may read about them in the Open Government Book) and because of environmental reasons. According to a McAfee report published in May 2009 the amount of energy used every year to transmit, process and filter spam would be enough to power 2.4 million homes, with the same Greenhouse Gas emissions as 3.1 million passenger cars.

On March 2nd, 2010, Microsoft Corporate Vice President for Trustworthy Computing Scott Charney spoke at a computer security conference about this very theme, that is how to fight the damages caused by computers infected by bots (or “malware”).

According to the summary published on ComputerWorld, Mr Charney started correctly. He pointed out that, just as there are quarantine programs for people with infective diseases, the same thing should happen with people who have computers infected by malware but, for any reasons, won’t fix them up as soon as possible: such people should not be allowed to go online until their computer is clean and safe.

Windows is insecure not because people are negligent; Microsoft itself is extremely negligent and there are many examples of this. “Typical Windows user patches every 5 days,” says this new report from IDG (quoting Secunia).

75 Microsoft, third-party patch events each year are a burden most users can’t bear, says Secunia

Here is Berend-Jan Weve finding another security problem in Windows. From SJVN:

Honest to God I don’t go around trying to pick on Windows for its security problems, but the hackers keep finding new ways to break into it. And, this time, they’ve found a doozie. Berend-Jan Wever, aka “Skylined,” a Google security software engineer has busted DEP (data execution prevention), one of the few significant security improvements Microsoft has made to Windows.

DEP, which was added to Windows back in August 2004 in XP SP2. It addressed the very common hacking technique of buffer overflows. In a buffer overflow attack, a malicious program tries to overwrite the buffer, the amount of memory a program has been allocated for running its code in. By so doing, a buffer overflow overwrites memory that may or may not have been allocated to other programs. In either case, it can then use this overwritten memory for its own purposes. Usually this means running malware or even taking over the computer itself.

[...]

Unfortunately, Wever, using a variation of a hacking technique he helped perfect called heap-spraying has busted DEP. In heap-spraying, the attack code made an educated guess at where vulnerable memory that could be used to execute unapproved programs could be found. In Wever’s latest trick, the attacking code looks for clues on where to find memory that’s allowed by DEP to run programs. Once armed with this information, the attack code can then successfully plant itself in the system.

While the attack code isn’t ready to go for any script-kiddie, as Wever himself points out, he has given enough information on how to defeat DEP that it’s only a matter of time before a competent cracker uses the code to start enabling new attacks.

[...]

In short, if you’re running 32-bit Windows of any sort-XP, Vista, 7, Server 2008-you can look ‘forward’ to being even more vulnerable to attacks. Have I mentioned lately that I tend to do most of my desktop computing with Linux? Well, I am. This exploit opens up a new and huge hole in Windows’ already vulnerable defenses.

For some of its better enhancements to security, Microsoft relies on Free software in the form of firewalls, even virus scanners.

The open source ClamAV project is often used on servers as a way to scan and secure e-mail gateways and Windows file shares. Now ClamAV is coming to the Windows desktop too, by way of the cloud.

Vista 7 is not a solution because it’s not secure either. See the links below.

  1. Cybercrime Rises and Vista 7 is Already Open to Hijackers
  2. Vista 7: Broken Apart Before Arrival
  3. Department of Homeland Security ‘Poisoned’ by Microsoft; Vista 7 is Open to Hijackers Again
  4. Vista 7 Security “Cannot be Fixed. It’s a Design Problem.”
  5. Why Vista 7 Could be the Least Secure Operating System Ever
  6. Journalists Suggest Banning Windows, Maybe Suing Microsoft Over DDoS Attacks
  7. Vista 7 Vulnerable to Latest “Critical” Flaws
  8. Vista 7 Seemingly Affected by Several More “Critical” Flaws This Month
  9. Reason #1 to Avoid Vista 7: Insecurity
  10. Vista 7 Left Hijackable Again (Almost a Monthly Recurrence)
  11. Trend Micro: Vista 7 Less Secure Than Vista
  12. Vista 7 Less Secure Than Predecessors? Remote BSoD Now Possible!
Share this post: These icons link to social bookmarking sites where readers can share and discover new web pages.
  • Digg
  • del.icio.us
  • Reddit
  • co.mments
  • DZone
  • email
  • Google Bookmarks
  • LinkedIn
  • NewsVine
  • Print
  • Technorati
  • TwitThis
  • Facebook

If you liked this post, consider subscribing to the RSS feed or join us now at the IRC channels.

Pages that cross-reference this one

A Single Comment

  1. Needs Sunlight said,

    March 6, 2010 at 10:03 am

    Gravatar

    So this is another Windows vulnerability?

    http://www.vupen.com/english/advisories/2010/0529

    If that’s the case, then Vista and Vista7 are probably defective in the same way as XP. Wait a week or two until the so-called security sites that make their money from Windows are allowed to post about Vista and Vista7.

What Else is New

  1. Links 17/8/2019: Unigine 2.9 and Git 2.23

    Links for the day

  2. Computer-Generated Patent Applications Show That Patents and Innovations Are Very Different Things

    The 'cheapening' of the concept of 'inventor' (or 'invention') undermines the whole foundation/basis of the patent system and deep inside patent law firms know it

  3. Concerns About IBM's Commitment to OpenSource.com After the Fall of Linux.com and Linux Journal

    The Web site OpenSource.com is over two decades old; in its current form it's about a decade old and it contains plenty of good articles, but will IBM think so too and, if so, will investment in the site carry on?

  4. Electronic Frontier Foundation Makes a Mistake by Giving Award to Microsoft Surveillance Person

    At age 30 (almost) the Electronic Frontier Foundation still campaigns for privacy; so why does it grant awards to enemies of privacy?

  5. Caturdays and Sundays at Techrights Will Get Busier

    Our plan to spend the weekends writing more articles about Software Freedom; it seems like a high-priority issue

  6. Why Techrights Doesn't Do Social Control Media

    Being managed and censored by platform owners (sometimes their shareholders) isn’t an alluring proposition when a site challenges conformist norms and the status quo; Techrights belongs in a platform of its own

  7. Patent Prosecution Highways and Examination Highways Are Dooming the EPO

    Speed is not a measure of quality; but today's EPO is just trying to get as much money as possible, as fast as possible (before the whole thing implodes)

  8. Software Patents Won't Come Back Just Because They're (Re)Framed/Branded as "HEY HI" (AI)

    The pattern we've been observing in recent years is, patent applicants and law firms simply rewrite applications to make these seem patent-eligible on the surface (owing to deliberate deception) and patent offices facilitate these loopholes in order to fake 'growth'

  9. IP Kat Pays the Price for Being a Megaphone of Team UPC

    The typical or the usual suspects speak out about the so-called 'prospects' (with delusions of inevitability) of the Unified Patent Court Agreement, neglecting to account for their own longterm credibility

  10. Links 17/8/2019: Wine 4.14 is Out, Debian Celebrates 26 years

    Links for the day

  11. Nothing Says 'New' Microsoft Like Microsoft Component Firmware Update (More Hardware Lock-in)

    Vicious old Microsoft is still trying to make life very hard for GNU/Linux, especially in the OEM channel/s, but we're somehow supposed to think that "Microsoft loves Linux"

  12. Bill Gates and His Special Relationship With Jeffrey Epstein Still Stirring Speculations

    Love of the "children" has long been a controversial subject for Microsoft; can Bill Gates and his connections to Jeffrey Epstein unearth some unsavoury secrets?

  13. Links 16/8/2019: Kdevops and QEMU 4.1

    Links for the day

  14. The EPO's War on the Convention on the Grant of European Patents 2000 (EPC 2000), Not Just Brexit, Kills the Unitary Patent (UP/UPC) and Dooms Justice

    Team UPC continues to ignore the utter failures that have led to lawlessness at the EPO, attributing the demise of the Unified Patent Court (UPC) to Brexit alone and pretending that it's not even a problem

  15. Links 15/8/2019: GNOME's Birthday, LLVM 9.0 RC2

    Links for the day

  16. 'Foundation' Hype Spreads in China

    Nonprofits seem to have become more of a business loophole than a charitable endeavour; the problem is, this erodes confidence in legitimate Free software and good causes

  17. Links Are Not Endorsements

    If the only alternative is to say nothing and link to nothing, then we have a problem; a lot of people still assume that because someone links to something it therefore implies agreement and consent

  18. The Myth of 'Professionalism'

    Perception of professionalism, a vehicle or a motivation for making Linux more 'corporate-friendly' (i.e. owned by corporations), is a growing threat to Software Freedom inside Linux, as well as freedom of speech and many other things

  19. Links 14/8/2019: Best Chromebooks, EPEL 8.0, LibreOffice 6.2.6

    Links for the day

  20. Being in Favour of Free/Libre Open Source Software Means Rejecting Software Patents

    Those who believe in Software Freedom cannot at the same time believe that software patents are desirable; we've sadly come to a point where many companies that dominate so-called 'Open Source' groups actively lobby for such patents, in effect betraying the community they claim to be a part of

  21. Links 14/8/2019: Apache Evaluated, HardenedBSD Has New Release

    Links for the day

  22. Planet Python is Being Overrun by Microsoft, Just Like PyCon and Python in General

    Microsoft is perturbing the Free/Open Source software (FOSS) world from the inside, promoting Microsoft's most malicious proprietary software from within that world while taking positions of power in powerful FOSS projects

  23. Coming Soon: The Innards of the Eric Lundgren Case That Microsoft is Desperate to Hide or Spin (by Defaming Lundgren)

    Microsoft is rather stressed about Eric Lundgren coming out of prison and telling how Microsoft put him there; right now Microsoft is mostly name-calling while seeking to control public dialogues

  24. Wrong Person in Charge of the Linux Foundation (and in Charge of Linus Torvalds)

    There are several glaring issues when it comes to the leadership of Linux's steward; for one thing, it lacks actual background in... Linux

  25. 2019 Tech Glossary

    This clavis refers to what the de facto definition may be, based on how (and when) media uses the words nowadays

  26. The Silence of the Media Lamb

    There are reasons that are perfectly legitimate to criticise media which is unable and more so unwilling to cover particular scandals for fear that coverage can be detrimental to the media's owners and sponsors

  27. LINUX.COM Managed by Apple’s MacOS Users, Open Source Managed and Covered by People Who Reject Open Source

    The narratives are being hijacked; people who we're supposed to assume speak for Linux and for Open Source support neither of these things; they're only in it for the money

  28. The Linux Foundation's Open Source Summit is a Proprietary Software Marketing Venue

    The distortion of the term Open Source and promotion of proprietary software such as GitHub shows that the foundation called after “Linux” is actually more of a front group of hostile corporations — large brands and rich people to whom Open Source represents a threat that needs to be controlled

  29. Links 13/8/2019: Mir 1.4 Released, Qt PDF Discussed

    Links for the day

  30. Links 13/8/2019: KDevelop 5.4.1 and DragonFly 5.6.2 Released

    Links for the day

RSS 64x64RSS Feed: subscribe to the RSS feed for regular updates

Home iconSite Wiki: You can improve this site by helping the extension of the site's content

Home iconSite Home: Background about the site and some key features in the front page

Chat iconIRC Channel: Come and chat with us in real time

Recent Posts