
07.23.10

Microsoft Hides Security Flaws, Then Brags About Transparency

Posted in Microsoft, Security, Windows at 8:10 am by Dr. Roy Schestowitz


Summary: Security news from Microsoft and the facts Microsoft carries on hiding

MICROSOFT’S practice of silent patching (fixing security bugs without ever telling anyone about it) does not prevent the company from lying about disclosure [1, 2] and even bragging about “transparency”. What a nerve they have when they produce reports that demonise Red Hat based on incomplete data which Microsoft itself is knowingly hiding.

Today we look at some recent security problems, starting with one which was covered before:

Microsoft’s problems with Token Kidnapping [.pdf] on the Windows platform aren’t going away anytime soon.

“Microsoft gives up on Windows security flaw,” says the headline of another report.

DEVELOPER OF INSECURE SOFTWARE Microsoft has seemingly given up on finding a solution to a security vulnerability that takes advantage of the way Windows uses shortcuts.

As The INQUIRER reported on Monday, just about every operating system released by the Vole in the past decade is affected by the security flaw, which allows hackers to remotely execute code on Windows systems. Microsoft was relatively quick to admit to the problem, saying that the fault lies with the fact that “Windows incorrectly parses shortcuts”.

The risk was increased by removable and network storage mechanisms such as USB memory drives, which can be ‘autoplayed’ when connected. Due to a dodgy digital certificate in a driver, users would be none the wiser as control of their system was being outsourced to someone else.

From Slashdot (the summary):

Microsoft Has No Plans To Patch New Flaw

“Microsoft has acknowledged the vulnerability that the new malware Stuxnet uses to launch itself with .lnk files, but said it has no plans to patch the flaw right now. The company said the flaw affects most current versions of Windows, including Vista, Server 2008 and Windows 7 32- and 64-bit. Meanwhile, the digital certificate belonging to Realtek Semiconductor that was used to sign a pair of drivers for the new Stuxnet rootkit has been revoked by VeriSign. The certificate was revoked Friday, several days after news broke about the existence of the new malware and the troubling existence of the signed drivers.”

Glyn Moody explains that “after all, with all the others [flaws], who will notice?”

Dell is now shipping computers with a hardware trojan that only affects Microsoft Windows. The New Scientist does not call out Windows, but the malware name is self-explanatory.

Further information posted on Dell’s community forum reveals that the trojan in the affected motherboards is stored in onboard flash memory rather than firmware ROMs. And the malware at issue is called w32.spybot.worm, which normally spreads using file-sharing networks and an internet chat client.

Social networks are now being blamed for merely carrying messages that are used to control Microsoft Windows botnets. One should say “Windows botnet” and “Windows malware”, not just “malware”; these things are not universal. They specifically exploit Microsoft’s bad engineering. “Time to Get Rid of That Other OS,” argues Pogson.

The latest outrage is an attack that exploits another form of “autorun” for shortcuts/links on USB drives. That other OS lets the malware walk right in even if the user does not click on any of the links. That other OS tries to be so helpful…

The original article does name Windows as the problem (also in the headline).

Hackers have developed malware that spreads via USB sticks using a previously unknown security weakness involving Windows’ handling of shortcut files.

“Don’t Call the Police,” Pogson concludes.

There is no limit to how bad malware can be. It can range all the way from sending spam e-mail from your machines to selling all customer lists and sabotaging data by rot over a long period of time so that by the time you catch it weeks of work could go down the drain. The worst case is killing your operation through lawsuits charging negligence in allowing disaster to happen when reasonable people know you do not allow malware to run on your systems.

Running Windows is truly a liability. Windows was never designed to be secure.

“There was no strategic direction from Bill and Ballmer about these two things. It was like, ‘Well we have these two things, DOS and Windows, and do we have to run on top of this new multitasking DOS? Are we running on top of DOS 3.0 and we just ignore those guys?’ That went on for a year, this lack of strategic direction. And we just made our own decisions.”

Steve Wood, one of the first Microsoft developers

