03.10.10

Microsoft and Insecurity: Vulnerabilities, Botnets, and a Whole Lot of Nerve

Posted in Apple, Free/Libre Software, GNU/Linux, Microsoft, Security, Windows at 4:29 am by Dr. Roy Schestowitz

Summary: Windows insecurity a matter of persistence, Windows botnets a lost cause, and Microsoft’s staff interferes with security policy

From One Critical Vulnerability to Another

THE security problems in Windows are a never-ending problem. Those patches that we mentioned last week arrived on Patch Tuesday, as usual. Here are some of last week’s articles about it [1, 2, 3, 4] and indication that Microsoft may be silencing researchers again:

Microsoft Exploits Talk Dropped From RSA Agenda

An RSA Conference presentation on Microsoft (NSDQ:MSFT) application hacks and exploits that was originally slated for Tuesday was canceled, although it’s unclear why.

An RSA Conference spokesperson told Channelweb.com on Tuesday that the session appears to have been canceled in early January, but didn’t offer a reason for the cancellation. A Microsoft spokesperson declined to comment on whether the session was canceled at Microsoft’s behest.

Whether Microsoft was behind this or not, the company definitely had been doing such things before. There’s security through obscurity and security through gagging. And in other news, “Microsoft resumes XP patch distribution; says rootkit remover coming soon”

In mid-February, Microsoft halted automatic distribution of one of its Windows patches, blaming the interaction of the patch with already-present malware on users’ systems for a rash of blue-screen-of-death reports among XP users.

Microsoft would love to just blame “a rootkit”, but this was caused by lack of security in the first place. It is a circular trap that still has Microsoft deserving at least some of the blame. This problem was also covered in [1, 2].

In other news, we soon learn that “patchy Windows patching leaves users insecure,” according to Secunia.

Windows users need to patch their systems an average of every five days to stay ahead of security vulnerabilities, according to a study this week.

The numbers come from a company called Secunia which just happens to be developing an all-in-one patching tool to reduce update headaches for consumers.

Stats from the two million existing users of Secunia’s free Personal Software Inspector tool show the average home user needs an average of 75 patches from 22 different vendors to be fully secure. The complexity of patching means that most users are not even in the race, meaning that hackers hoping to exploit software vulnerabilities to infect vulnerable systems stay well ahead of the game.

Matters are further complicated by the variety of different update mechanisms applied by differing suppliers.

Secunia says that “The core of this patching issue is that the software industry has, so far, failed to come up with a unified patching solution that can help home users on a large scale; that is, encompassing all software programs” and as our reader put it, “Doesn’t Linux have a one-stop-shop for the distro? As long as you stick with the official “repository”, everything can be automatically updated, including the apps.”

From One Windows Botnet to Another

Microsoft has a new zero-day vulnerability in its hands and the attempt to suspend Windows botnets is of course futile. There are just too many Windows botnets out there.

Spamhaus: Microsoft’s botnet cull had little effect

Microsoft’s takedown of the Waledac botnet has not been effective, according to some security researchers.

The throttling of Waledac, which Microsoft claimed to have achieved by means of legal action last week, has led to no appreciable reduction of junk mail coming from the botnet, anti-spam organisation Spamhaus told ZDNet UK on Tuesday.

We wrote about the Waledac takedown in [1, 2, 3]. Here is more new information about it:

Well, criticism has come from two main areas: Firstly, as Jose Nazario of Arbor Networks Inc. , a security solutions provider, told The Wall Street Journal, the Internet addresses that Microsoft’s lawsuit brought down could be a small percentage of those used by hackers to control the network. “The botnet will survive in many cases,” said Nazario.

And Richard Cox, the chief information officer at anti-spam service Spamhaus told ComputerWorld: “If this did affect spam, we haven’t noticed… Waledac was not a high threat; it’s less than 1% of spam traffic.”

On the face of it, Microsoft Windows may rely on Free software to secure the Web from itself.

From Microsoft to Apple

Apple is suing Linux (we covered this in [1, 2, 3, 4, 5]). Apple becomes more of a fighting company (an aggressor), not a pacifier.

Apple is also hiring from Microsoft, based on this report about Window Snyder.

Window Snyder’s first day at Apple was Monday, according to PC World. While it noted that Apple was the “third browser-maker in the past five years that has employed Snyder,” it did not indicate whether she would work on the Safari browser or some other technology for the Cupertino, Calif., company.

Microsoft was spreading lies about Firefox (and sometimes GNU/Linux too), but even Snyder, who had worked for Microsoft, told them off for it^*. It all happened when she worked for Mozilla, but she luckily left after using her Mozilla hat to praise Microsoft. She is going to Apple now.

From US DOJ to Microsoft

Microsoft’s fairly new hire from the US DOJ is upsetting many people. Scott Charney’s remarks [1, 2, 3] led to some strong reactions. “Blow me,” says this one article from iStockAnalyst to Microsoft:

In short, these machines are infested (not infected, infested) because their operating system has historically been full of security holes (this has improved, especially in Windows 7, to be fair.)

So what does Microsoft propose?

So who would foot the bill? “Maybe markets will make it work,” Charney said. But an Internet usage tax might be the way to go. “You could say it’s a public safety issue and do it with general taxation,” he said.

That’s nice.

Sell an insecure operating system and then get someone else to pay a tax because they bought an arguably-defective product you sold?
How about this instead Microsoft?

For each computer infested, the publisher of the operating system sold to that user is assessed a fine of US $100,000 by the Department of Justice.

Here is what The Atlantic argues:

Most opponents of a tax would say that software companies should be responsible for paying, since it’s their responsibility to develop a safe product. Indeed, some criticize Microsoft for advocating a tax as an excuse to spend less of their own money developing safer software.

Also see:

• Microsoft’s Ideas for Making PCs Safer

• Microsoft’s Scott Charney Calls For Disrupting Cybercrime Activities

• Microsoft Security Chief proposes taxes to protect the Internet

• Microsoft moots digital healthcare tax

• Microsoft’s Ideas for Making PCs Safer

• Microsoft and the Incredible ‘Internet Usage Tax’

• Say It Ain’t So, Microsoft

Maybe Microsoft Vice President for Trustworthy Computing Scott Charney wanted to see if his audience was really awake. Maybe he entered a time warp and thought it was April 1st. Maybe someone gave him a funny cookie. Or maybe he really didn’t think it would be sheer lunacy to suggest levying an Internet tax on Americans to pay for cybersecurity.

[...]

What Were You Thinking, Scott?

Not satisfied with blaming and seeking to punish the victim, Charney then went on to suggest the imposition of a tax on Internet users to ensure cybersecurity.

“You could say it’s a public safety issue and do it with general taxation,” he said.

Really, Scott? Why should we the users pay for the ineptness of software vendors? And please, don’t give me that tired routine about the bad guys being out there always looking for flaws.

Let’s take an analogy from real life. When you’re a kid your parents tell you the rules for living safely. Don’t talk to strangers or take candy from them. Look both ways before you cross the street. Don’t walk down dark streets or alleys at night. Never walk between a parked van and the wall, especially at night. Keep your doors locked.

Even some Microsoft boosters disagree with Microsoft on this, whereas most are unable to sincerely criticise it [1, 2, 3]. █
______
^* Microsoft hates real numbers, so it manufactures its own.

Share this post: These icons link to social bookmarking sites where readers can share and discover new web pages.

Permalink Mail Send this to a friend

If you liked this post, consider subscribing to the RSS feed or join us now at the IRC channels.

Pages that cross-reference this one

What Else is New

Links 12/7/2020: KDE Plasma 5.20 Preview and Elive 3.8.14 Beta

Links for the day
[Humour] The 'Orange One' Does Not Respect Judges Either

More than two years after taking over the European Patent Office (EPO) António Campinos has done absolutely nothing to restore judicial independence of the Boards of Appeal of the EPO
The Systemd Song

Speak out about IBM's strategy before we're all using GNU/Linux distros 'barcoded' with systemd
Monopoly (or Vendor Lock-in) is Not Modularity

IBM cannot totally control the kernel, Linux; IBM's control over GNU/Linux may be worth even more than what it paid for Red Hat as that's the key to overpriced support contracts and the general direction of development (important trends such as file systems and various low-level stacks)
The Internet Archive Doesn't Forget, Whereas the Internet and the Web Forget Very Fast

World Wide Web history is grossly undervalued and preservation of such history (e.g. by the Wayback Machine) is taken for granted by far too many people; the robber barons of today benefit the most from erosion of collective memory as they get to rewrite the past to suit their present and future interests
Environmentalism and Free Software Can be Viewed as Closely Connected and Help One Another

Modest lifestyles are an overlapping pattern in the Free software community and green activists; there's room for alliances and collaboration, bettering society by reducing consumption and discouraging voyeurism
Free (as in Freedom) Software + Social Control Media ≠ Free Speech

Speaking through middlemen and private platforms is bad enough (that gives others unjust power over speech); to claim that because the underlying platform is free/libre software it therefore becomes a non-issue is also dishonest
António Campinos: President or Quasi-Autocratic Corporate Puppet?

The culture of oppression — and censorship of evidence of oppression — is what today’s EPO is all about; the EPO learned how to better avoid (or block) negative publicity without actually changing its ways; and due to unprecedented speech restrictions you won’t hear that from SUEPO
The Media Continues to Ignore Corruption of António Campinos

António Campinos has Croatian scandals on his lap; the obedient media, however, refuses to even talk about it (or uses COVID as an excuse to write nothing on the subject, as some journalists have told us)
A Call for Patent Sanity

The public's call for reform is motivated by improved understanding of today's debased patent system and how out-of-order (detached from its original mission statement) it has gotten; patent maximalism, if it does not completely unravel this whole system, severely discredits it
Declassified US Army Field Manuals Explain Microsoft's Public Relations Strategy (Similar to Selling Imperialism to the Occupied)

The misuse of public broadcast to brainwash the public is well understood and thoroughly exploited by both Microsoft and the Gates Foundation (which sells this ridiculous lie that the world’s richest people speak for and fight for the poorest, i.e. those impoverished by endless greed)
IRC Proceedings: Friday, July 10, 2020

IRC logs for Friday, July 10, 2020
Links 11/7/2020: Slackel 7.3 Openbox, Kiwi TCMS 8.5, Librem 5 Dogwood Update 3

Links for the day
Education Without Free Software is Training or Indoctrination

Kids need to decide for themselves what they want to do and what they wish to use when they grow up; schools need to provide general tools and the mental capacity to make good decisions (rather than make these decisions for the kids, sometimes at the behest of foreign monopolists)
Links 10/7/2020: Wayland-Info, diffoscope 151 and Tor 0.4.4.2-alpha

Links for the day
European FRAND (Related to SEP) Proponent and Famed Programmer Comes to Realise That It's Actually a “Scam”

Even people who have long promoted the practice of mandatory "licensing" (in effect patent tax one is unable to work around) are apparently changing their minds and their tune
Not Even a Single Corporate Journalist Has Written Anything About These Very Important Bits of News (Updated)

Constant propaganda from patent maximalists has long infested the media, which is sometimes controlled and even bribed to set the tone and the agenda; important developments are being tucked away and require very deep digging for ordinary citizens to find
IRC Proceedings: Thursday, July 09, 2020

IRC logs for Thursday, July 09, 2020
Racism in Technology (and Who Typically Lectures Us About the Subject)

Racism is a real problem; some approaches to tackling racism, however, can also be problematic and those who take the lead 'on behalf' of victims tend to be opportunistic and privileged few (piggybacking others' grievances to further advance their financial agenda)
Links 10/7/2020: Debian 8 Long Term Support EOL, Mobian Project, Mesa 20.1.3

Links for the day
[Humour] COVID-19 is Very, Very Afraid of Human Beings Making More Monopolies Instead of Fighting Together

The European Patent Office (EPO) to the rescue! Fighting a dangerous pandemic one profitable monopoly at a time!
The News is Never 'Slow', It's Just Journalism That's Slowing Down (and Investigative Journalism Coming Under Attack)

A mix of censorship and subtle mind control contribute to misinformed societies that shape their perception or misunderstanding of the world based on false measures of authority (where money can determine what is true and what is untrue); many topics remain completely untouched, leading to apathy in a vacuum; it's very much applicable to international organisations, which are presumed benign by virtue of being multi-national or supranational
Social Control Media is About Social Control and If It Doesn't Ban You It'll Shut Down Everyone's Account (One Day)

It’s time to leave the ‘Internet rot’ which is social control media well behind us; blogging and RSS/XML may seem like a thing of the past, but they may as well become the future (again; if we make the correct and informed choices)
Microsoft's Fingers in Every Pie: The Cult Mentality That Society Needs to Become Wary of

Microsoft and its co-founder (pretending to do his for-profit 'charity' via the Gates Foundation) are trying to control the world; in the process they've moved to control even their most potent competitor, according to Gates himself, which is GNU/Linux
Links 9/7/2020: Google’s Open Usage Commons, GNOME 3.36.4, Neptune 6.5

Links for the day
IRC Proceedings: Wednesday, July 08, 2020

IRC logs for Wednesday, July 08, 2020
Links 8/7/2020: SUSE to Acquire Rancher Labs, Btrfs as Default in Fedora, Qt Creator 4.12.4

Links for the day
Yes, Master

When the Linux Foundation tells us to tone down our language we ought to remember what kind of hypocritical stance these people have (note: the above have nothing to do with slavery, either)
Fraunhofer is Again Evergreening Software Patents to Maintain Its Codecs Cartel, Forcing Everyone to Pay to View/Stream Multimedia Files

The roller-coaster of software patents on multimedia isn't stopping; we know the culprits who can be named for perpetuating this injustice
[Humour/Meme] Focusing on the Bombings and Who's Included in the Bombings

Supremacist agenda disguised as "tolerant and inclusive" is still objectionable supremacist agenda