Poor man's ballot?
THE BROWSER BALLOT has already been through many changes since it was first introduced. Microsoft kept cheating or simply left some self-serving bugs in tact. We wrote about the subject in:
A few weeks ago I wrote about Microsoft’s “browser choice” ballot page in Europe, which in its debut used a flawed algorithm when attempting to perform a “random shuffle” of the browser choices, a feature specifically called for in their agreement with the EU. This bug was fixed soon after it was reported. But I recently received an email from a correspondent going by the name “Skoon” who reported a more serious bug, but one that is seen only in the Polish-language translation of the ballot choice screen.
The cross-site scripting filter that ships with Microsoft’s Internet Explorer 8 browser can be abused by attackers to launch cross-site scripting attacks on websites and web pages that would otherwise be immune to this threat.
According to a presentation at this year’s Black Hat Europe conference, the issue introduces security problems at several high-profile websites, including Microsoft’s own Bing.com (screenshot), Google.com, Wikipedia.org, Twitter.com (screenshot) and just about any site that lets IE 8 users create profiles.
I saw this promo piece in the BBC about the launch of Microsoft's new Fix-it service and a few things spring to mind. The first is that Microsoft have a long track record of causing more problems than they fix when applying updates. They set Windows to download and apply all critical updates without user intervention. So when a user goes to shut down their PC they have no idea if they have to hang around for 15 mins so that Windows can apply it's updates or not. Similarly they have no idea if those updates will cause a problem when they next start up their PC.
The second is that Microsoft have a history of abusing the term "critical" and slipping in programs like the Orwellian titled WGA (Windows Genuine Advantage). This was apparently a feature a large number of their customers were screaming out for and Microsoft being a listening, concerned company felt they had no choice but to provide; if you believe Micorosoft's PR about it. WGA checks regularly if the copy of Windows it's running on is licensed or unlicensed. If it deems that install of Windows to be unlicensed it causes no end of hassle for the user by disabling services, rebooting, nagware messages about "please contact Microsoft to buy a Windows product key". It's no advantage to customers, only to Microsoft. Yet this has been defined by Microsoft as a "critical" update. To me "critical" means "your PC is at immediate risk without this update".