
05.24.10

Microsoft Connects With Governments as More Vulnerabilities Surface, Microsoft Can Be Sued in the UK for Security Problems

Posted in Courtroom, Europe, Law, Microsoft, Security, Windows at 8:29 am by Dr. Roy Schestowitz

The White House

Summary: Microsoft faces new challenges as security problems continue to be found even in the latest version of Windows, and a UK High Court ruling indicates that Microsoft is now liable.

NOW that one in two Windows PCs is believed to be a zombie PC, Microsoft becomes a national and international problem. The latest Vista 7 vulnerability is a sign that things are not improving, and Microsoft will start working privately/secretly with government in its disclosure of vulnerabilities [1, 2, 3, 4]. Will hidden/silent patches also be shared with governments? Last week there was an erroneous suspicion in Slashdot, citing a blog with a semi-false alarm about a new security hole.

If you’re relying on the password encryption in Microsoft Dynamics GP — formerly Great Plains — to meet your PCI requirements, stop what you’re doing and listen up. It’s been revealed that its encryption algorithm is about as simple as it can be: a substitution cypher.

Look at the original source to see how Microsoft responded to the blogger by spinning and having the blogger state: “I must correct this and clarify. By default, GP gives the user access to the DYNAMICS database but the user CANNOT login to the SQL server using SQL Enterprise Manager. Here’s what happened: I reset the LESSONUSER’s passwords with SQL Enterprise Manager and afterward I was able to login to SQL Enterprise Manager with the LESSONUSER’s credentials. Some flag must have been updated when I reset the password – I need to investigate this further (this was all done in a Test environment). This was a BIG oversight on my part and I apologize for this. I really should have tested this out more before posting that statement. (Thank you Mark and others that pointed this out to me).”

Other known flaws are being addressed.

Microsoft, the software giant based in Redmond (USA), released two critical security updates on May 11, 2010, patching vulnerabilities within its e-mail applications as well as the Visual Basic for Applications designed to implement software programming language built into Microsoft Office.

“New Exploit Resists Windows Security Software,” reports IDG:

“This is definitely very serious,” said Alfred Huger, vice president of engineering at Immunet, a Palo Alto, Calif.-based antivirus company. “Probably any security product running on Windows XP can be exploited this way.” Huger added that Immunet’s desktop client is not vulnerable to the argument-switch attacks because the company’s software uses a different method to hook into the Windows kernel.

According to Matousec, nearly three-dozen Windows desktop security titles, including ones from Symantec, McAfee, Trend Micro, BitDefender, Sophos and others, can be exploited using the argument-switch tactic. Matousec said it had tested the technique on Windows XP SP3 and Vista SP1 on 32-bit machines.

Here is security guru Bruce Schneier commenting on the news that Microsoft’s EULA is no longer an excuse for security flaws [1, 2], at least in the UK where Schneier’s employer is based.

The British High Court ruled that a software vendor’s EULA — which denied all liability for poor software — was not reasonable.

Microsoft claims no liability [1, 2, 3, 4] in its EULA and other places. From now on it may be possible to sue Microsoft UK when its inherently-flawed software leads to big damages (as it does all the time).


A Single Comment

  1. Needs Sunlight said,

    May 24, 2010 at 2:01 pm


    Liability lies with the jerks who knowingly deploy Microsoft products, not with Microsoft. The company has made poor products for many years, and those that haven’t learned or act like they haven’t are a real problem. The issue of manslaughter needs to be brought up with them in mind.

    The burden of software liability is something that M$ wants. It’s a variation of the usual extortion or ‘indemnification’ marketing. Like any other tool, the burden is on the user. Or in this case, the user is not the end-user who sits at the screen trying to get some other job done but the IT departments or consulting.

    Few other tools require liability worries by the maker — except in the case of standards. The failure with standards is also a small part of the failure with security. However, there is a model already for regular tools to have liability requirements to comply with specific industry standards.

    Forget suing Microsoft for these security failures. It’s products acting as they have been designed: buggy, bloated, and fatally insecure. Sue the socks off of the managers that signed off on the Microsoft roll outs and the ‘IT’ staff that went along with it.
