03.12.10

Microsoft’s Latest Harms to the Web and Shallow Press Coverage That Neglects to Name Culprits

Posted in Microsoft, Security, Windows at 3:40 pm by Dr. Roy Schestowitz

Duck gossip

Summary: Coverage about security issues is abundant, but the cause of many of these issues is simply not named

MANY companies in the West had their security measures superseded and breached due to an Internet Explorer hole that Microsoft had knowingly ignored for 5 months [1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12]. Microsoft is now warning that Internet Explorer is under another attack:

In an advisory, the company warned that a new vulnerability was being targeted in attacks against Internet Explorer 6 and 7. IE 8 is not believed to be affected. According to Microsoft, the vulnerability is due to an invalid pointer reference being used within IE and can be exploited by tricking users into visiting a malicious or compromised Web page.

This is a Windows problem because Internet Explorer is a part of Windows, which therefore inherits all the weaknesses of one piece of software that ought to have been isolated. The consequences of Windows’ insecurity can also be seen in the following news:

1. Vodafone ships malware infested mobiles

Upon further investigation, the phone was found to be infected with not one but three nasties, including the Conficker worm, a Mariposa bot client and a Lineage password divulger. The firm found that the Mariposa bot client was calling home to receive further instructions.

With a “password divulger”, banks are at risk:

2. Online banking fraud losses rise 14%

Number of ‘phishing’ attacks have risen to 51,000 from just 1,700 five years ago, according to the UK Cards Association

Also:

3. Twitter Fights Phishing, Malware with Link Scanning Service

Twitter has announced it will begin scanning links posted by users to thwart phishing attacks and the spread of malware on the site.

Notice how the articles typically neglect to say that such malware only affects Windows users. On we move to:

4. 10 Reasons Why Security Problems Persist at Microsoft

News Analysis: As much as Microsoft would like security problems to just go away, they won’t. The chances of Microsoft eliminating most of the software flaws that invite new attacks are slim to nil. But there are many things that Microsoft should do to improve the situation. We take a look at why security issues continue to haunt the software giant and what Microsoft can do about it.

[...]

2. Windows is an easy target

Windows is a nightmare when it comes to security. The operating system is filled with holes that, over the years, have been patched with varying degrees of success. Windows 7 is the most secure operating system Microsoft has released to date, but it’s probably rife with flaws that Microsoft hasn’t heard of yet. And no doubt hackers are ceaselessly searching for them. Unless Microsoft does something drastic with the next iteration of Windows, its operating system woes will likely continue.

We do not agree with the article as a whole, but it does raise some important points. The security weaknesses of Windows produce botnets rather easily:

5. Zeus botnets suffer mighty blow after ISP taken offline

At least a quarter of the command and control servers linked to Zeus-related botnets have suddenly gone quiet, continuing a recent trend of takedowns hitting some of the world’s most nefarious cyber operations.

This is a Windows botnet (but it doesn’t even say “Windows botnet”). What’s sickening is that Microsoft is only mentioned in this article where it’s given credit. It says: “Late last month, Microsoft was able to disrupt the Waledac botnet by obtaining a court-issued order against scores of domains associated with the spam-spewing menace.”

Giving Microsoft credit for the Waledac takedown [1, 2, 3, 4] is like giving DuPont credit for some minimal cleanup after the Bhopal disaster. Microsoft employees are given credit for fighting a problem that they themselves created. It’s truly amazing, especially given that those Windows botnets are costing huge amounts of money, the total of which is hard to estimate (it depends on definitions and methods).

Here is the EFF discussing Microsoft’s takedown of an important Web site, not a Windows botnet.

We often criticize DMCA takedown abuse here at EFF, but last week’s Cryptome snafu highlights another facet of the problem: how a DMCA takedown for one item can result in the removal of lots of lawful material.

To recap, Cryptome posted Microsoft’s global criminal compliance manual. Microsoft sent a DMCA takedown notice to Cryptome’s domain name registrar and web hosting provider, Network Solutions, alleging that the post infringed copyright. Under the DMCA, a web hosting provider is protected from copyright infringement liability if, among other things, it “expeditiously” disables access to material properly identified in a DMCA takedown notice. Network Solutions asked Cryptome to remove the Microsoft compliance manual. Cryptome refused, explaining that the document was posted in order to help the public better understand Microsoft’s practices, and followed up with a DMCA counternotice. Network Solutions promptly shut down the entire Cryptome website. Thus, a complaint about a single document caused significant collateral damage to the perfectly legal material on Cryptome.

We have already covered this in another post. Microsoft can stop people who leak evidence of its warrantless spying, whereas those who empty bank accounts through compromised Windows PCs are not a priority. There are hundreds of millions of them.


A Single Comment

  1. your_friend said,

    March 13, 2010 at 4:02 pm

    Reporters should not let Microsoft and banks get away with blaming the victim. I’ve been hearing this kind of thing for about a decade.

    “Fraudsters are now relying on the weakest link in the chain, and that is online banking customers themselves,” a spokesman for the UK Cards Association said. “Banks would never approach customers by email asking for their bank details, but people still fall for this scam.”

    Banks like to blame their customers so that they can make customers eat losses. People familiar with bank transactions know that the system is easy to defraud. People familiar with Windows know that half of Windows PCs are part of a botnet which all have the ability to log passwords. It would be surprising if a majority of credit fraud was the result of anything customers did, other than bank and use Windows.
