EditorsAbout the SiteComes vs. MicrosoftUsing This Web SiteSite ArchivesCredibility IndexOOXMLOpenDocumentPatentsNovellNews DigestSite NewsRSS

05.24.10

Microsoft Connects With Governments as More Vulnerabilities Surface, Microsoft Can Be Sued in the UK for Security Problems

Posted in Courtroom, Europe, Law, Microsoft, Security, Windows at 8:29 am by Dr. Roy Schestowitz

The White House

Summary: Microsoft faces new challenges as security problems continue to be found even in the latest version of Windows and a UK High Court ruling indicates that Microsoft is now liable

NOW that one in two Windows PCs is believed to be a zombie PC Microsoft becomes a national and international problem. The latest Vista 7 vulnerability is a sign that things are not improving and Microsoft will start working privately/secretly with government in its disclosure of vulnerabilities [1, 2, 3, 4]. Will hidden/silent patches also be shared with governments? Last week there was an erroneous suspicion in Slashdot citing a blog with a semi-false alarm about a new security hole.

If you’re relying on the password encryption in Microsoft Dynamics GP — formerly Great Plains — to meet your PCI requirements, stop what you’re doing and listen up. It’s been revealed that its encryption algorithm is about as simple as it can be: a substitution cypher.

Look at the original source to see how Microsoft responded to the blogger by spinning and having the blogger state: “I must correct this and clarify. By default, GP gives the user access to the DYNAMICS database but the user CANNOT login to the SQL server using SQL Enterprise Manager. Here’s what happened: I reset the LESSONUSER’s passwords with SQL Enterprise Manager and afterward I was able to login to SQL Enterprise Manager with the LESSONUSER’s credentials. Some flag most have been updated when I reset the password – I need to investigate this further (this was all done in a Test environment). This was a BIG oversight on my part and I apologize for this. I really should have tested this out more before posting that statement. (Thank you Mark and others that pointed this out to me).”

Other known flaws are being addressed.

Microsoft, the software giant based in Redmond (USA), released two critical security updates on May 11, 2010, patching vulnerabilities within its e-mail applications as well as the Visual Basic for Applications designed to implement software programming language built into Microsoft Office.

“New Exploit Resists Windows Security Software,” reports IDG:

“This is definitely very serious,” said Alfred Huger, vice president of engineering at Immunet, a Palo Alto, Calif.-based antivirus company. “Probably any security product running on Windows XP can be exploited this way.” Huger added that Immunet’s desktop client is not vulnerable to the argument-switch attacks because the company’s software uses a different method to hook into the Windows kernel.

According to Matousec, nearly three-dozen Windows desktop security titles, including ones from Symantec, McAfee, Trend Micro, BitDefender, Sophos and others, can be exploited using the argument-switch tactic. Matousec said it had tested the technique on Windows XP SP3 and Vista SP1 on 32-bit machines.

Here is security guru Bruce Schneier commenting on the news that Microsoft’s EULA is no longer an excuse for security flaws [1, 2], at least in the UK where Schneier’s employer is based.

The British High Court ruled that a software vendor’s EULA — which denied all liability for poor software — was not reasonable.

Microsoft claims no liability [1, 2, 3, 4] in its EULA and other places. From now on it may be possible to sue Microsoft UK when its inherently-flawed software leads to big damages (as it does all the time).

Share this post: These icons link to social bookmarking sites where readers can share and discover new web pages.
  • Digg
  • del.icio.us
  • Reddit
  • co.mments
  • DZone
  • email
  • Google Bookmarks
  • LinkedIn
  • NewsVine
  • Print
  • Technorati
  • TwitThis
  • Facebook

If you liked this post, consider subscribing to the RSS feed or join us now at the IRC channels.

Pages that cross-reference this one

A Single Comment

  1. Needs Sunlight said,

    May 24, 2010 at 2:01 pm

    Gravatar

    Liability lies with the jerks who knowingly deploy Microsoft products, not with Microsoft. The company has made poor products for many years, and those that haven’t learned or act like they haven’t are a real problem. The issue of manslaughter needs to be brought up with them in mind.

    The burden of software liability is something that M$ wants. It’s a variation of the usual extortion or ‘indemnification’ marketing. Like any other tool, the burden is on the user. Or in this case, the user is not the end-user who sits at the screen trying to get some other job done but the IT departments or consulting.

    Few other tools require liability worries by the maker — except in the case of standards. The failure with standards is also small part of the failure with security. However, there is a model already for regular tools to have liability requirements to comply with specific industry standards.

    Forget suing Microsoft for these security failures. It’s products acting as they have been designed: buggy, bloated, and fatally insecure. Sue the socks off of the managers that signed off on the Microsoft roll outs and the ‘IT’ staff that went along with it.

What Else is New


  1. Links 25/5/2019: Wine 4.9 Released, FreeBSD 11.3 Beta, Telegram Launches Fift

    Links for the day



  2. Links 24/5/2019: PostgreSQL 12 Beta 1 and Rust 1.35 Released

    Links for the day



  3. EPO Strikes Further Diminish Chances of UPC Ever Materialising (in Any Shape or Form)

    The EPO crumbles under the weight of its own corruption while an increasingly-insane Team UPC pretends all remains normal and a patent trolls-friendly system is ready to take off



  4. EPO Allegedly Becoming Insolvent (Pretext for Cuts), So Staff Gets Punished While Management Takes the Jackpot

    The corporate 'logic' at the EPO follows the "shareholders' value" propaganda line as if the EPO is a private company looking to maximise revenue rather than serve the public



  5. EPO President Still Not Obeying Courts' Rulings

    Federation of International Civil Service Associations (FICSA) sent a message to António Campinos yesterday (the same day SUEPO publicly made a call for strike)



  6. António Campinos Has Run Out of Time and EPO Staff is Going on Strike (Skipping Mere Protests)

    European Patent Office strikes are to resume; as SUEPO recently put it, people have come to accept that EPO leadership has not really changed and none of the underlying issues is being tackled



  7. Links 23/5/2019: Elisa 0.4.0, OpenSUSE Leap 15.1 Released

    Links for the day



  8. Links 22/5/2019: Mesa 19.0.5, Huawei and GNU/Linux, Curl 7.65.0, End of Antergos, Tails 3.14, ownCloud Server 10.2, Firefox 67.0

    Links for the day



  9. Quality of Patents is Going Down the Drain and Courts Have Certainly Noticed

    Uncertainty or lack of confidence in the patent system has reached appalling levels because heads of patent offices are just striving to grant as many patents as possible, irrespective of the underlying law



  10. EUIPO and EPO Abuses Growingly Inseparable

    'Musical chairs' at CEIPI and the EPO/EUIPO (Battistelli, Archambeau, Campinos) as well as joint reports never fail to reveal the extent to which EPO abuses are spreading



  11. Links 21/5/2019: China's GAFAM Exit, DragonFlyBSD 5.4.3

    Links for the day



  12. Links 20/5/2019: Linux 5.2 RC1, LibreOffice 6.3 Alpha, DXVK 1.2.1, Bison 3.4 Released

    Links for the day



  13. South Korea's Government Will Show If Microsoft Loves Linux or Just Attacks It Very Viciously Like It Did in Munich

    Microsoft's hatred of all things GNU/Linux is always put to the test when someone 'dares' use it outside Microsoft's control and cash cows (e.g. Azure and Vista 10/WSL); will Microsoft combat its longstanding urge to corrupt or oust officials with the courage to say "no" to Microsoft?



  14. Links 19/5/2019: KDE Applications 19.04.1 in FlatHub and GNU/Linux Adoption

    Links for the day



  15. The War on Patent Quality

    A look at the EPO's reluctance to admit errors and resistance to the EPC, which is its very founding document



  16. Watchtroll, Composed by Patent Trolls, Calls the American Patent System “Corrupt”

    Another very fine piece from Watchtroll comes from very fine patent trolls who cheer for Donald Trump as if he's the one who tackles corruption rather than spreading it



  17. Unified Patent Court Won't Happen Just Because the Litigation Microcosm Wants It

    Unified Patent Court (UPC) hopefuls are quote-mining and cherry-picking to manufacture the false impression that the UPC is just around the corner when in reality the UPC is pretty much dead (but not buried yet)



  18. Links 17/5/2019: South Korea's GNU/Linux Pivot, Linux 5.1.3

    Links for the day



  19. Q2 Midterm Weather Forecast for EPOnia, Part 4: Happy Birthday to the Kötter Group?

    This year the Kötter Group commemorates the 85th anniversary of its existence. But is it really a cause for celebration or would a less self-congratulatory approach be more fitting? And does it create the risk that a routine tendering exercise at the EPO will turn into Operation Charlie Foxtrot?



  20. Links 16/5/2019: Cockpit 194, VMware Acquires Bitnami, Another Wine Announcement and Krita 4.2.0 Beta

    Links for the day



  21. The EPO's Key Function -- Like the UPC's Vision -- Has Virtually Collapsed

    The EPO no longer issues good patents and staff is extremely unhappy; but the Office tries to create an alternate (false) reality and issues intentionally misleading statements



  22. Stanford's NPE Litigation Database Makes a Nice Addition in the Fight Against Software Patent Trolls

    As the United States of America becomes less trolls- and software patents-friendly (often conflated with plaintiff (un)friendliness) it's important to have accurate data which documents the numbers and motivates better policy; The NPE (troll) Litigation Database is a move towards that and it's free to access/use



  23. Q2 Midterm Weather Forecast for EPOnia, Part 3: “Ein kritikwürdiges Unternehmen”

    A brief account of some further controversies in which the Kötter Group has been involved and its strained relations with German trade unions such as Verdi



  24. EPO Had a Leakage Problem and Privacy of Stakeholders Was Compromised, Affecting at Least 100 Cases

    The confidentiality principle was compromised at the EPO and stakeholders weren't told about it (there was a coverup)



  25. Links 15/5/2019: More Linux Patches and More Known Intel Bugs

    Links for the day



  26. False Hope for Patent Maximalists and Litigation Zealots

    Patent litigation predators in the United States, along with Team UPC in Europe, are trying to manufacture optimistic predictions; a quick and rather shallow critical analysis reveals their lies and distortions



  27. The Race to the Bottom of Patent Quality at the EPO

    The EPO has become more like a rubber-stamper than a patent office — a fact that worries senior staff who witnessed this gradual and troublesome transition (from quality to raw quantity)



  28. Q2 Midterm Weather Forecast for EPOnia, Part 2: Meet the Kötters

    An introduction to the Kötter Group, the private security conglomerate which is lined up for the award of a juicy EUR 30 million contract for the provision of security services at the EPO



  29. Links 14/5/2019: Red Hat Satellite 6.5, NVIDIA 430.14 Linux Driver and New Security Bug (MDS)

    Links for the day



  30. Links 14/5/2019: GNU/Linux in Kerala, DXVK 1.2, KDE Frameworks 5.58.0 Released

    Links for the day


RSS 64x64RSS Feed: subscribe to the RSS feed for regular updates

Home iconSite Wiki: You can improve this site by helping the extension of the site's content

Home iconSite Home: Background about the site and some key features in the front page

Chat iconIRC Channel: Come and chat with us in real time

Recent Posts