
07.23.10

Microsoft Hides Security Flaws, Then Brags About Transparency

Posted in Microsoft, Security, Windows at 8:10 am by Dr. Roy Schestowitz


Summary: Security news from Microsoft and the facts Microsoft carries on hiding

MICROSOFT’S practice of silent patching (fixing security bugs without ever telling anyone about them) does not stop the company from lying about disclosure [1, 2] and even bragging about “transparency”. What a nerve they have when they produce reports that demonise Red Hat based on incomplete data which Microsoft itself is knowingly hiding.

Today we look at some recent security problems, starting with one which was covered before:

Microsoft’s problems with Token Kidnapping [.pdf] on the Windows platform aren’t going away anytime soon.

“Microsoft gives up on Windows security flaw,” says the headline of another report.

DEVELOPER OF INSECURE SOFTWARE Microsoft has seemingly given up on finding a solution to a security vulnerability that takes advantage of the way Windows uses shortcuts.

As The INQUIRER reported on Monday, just about every operating system released by the Vole in the past decade is affected by the security flaw, which allows hackers to remotely execute code on Windows systems. Microsoft was relatively quick to admit to the problem, saying that the fault lies with the fact that “Windows incorrectly parses shortcuts”.

The risk was increased by removable and network storage mechanisms such as USB memory drives, which can be ‘autoplayed’ when connected. Due to a dodgy digital certificate in a driver, users would be none the wiser as control of their system was being outsourced to someone else.

From Slashdot (the summary):

Microsoft Has No Plans To Patch New Flaw

“Microsoft has acknowledged the vulnerability that the new malware Stuxnet uses to launch itself with .lnk files, but said it has no plans to patch the flaw right now. The company said the flaw affects most current versions of Windows, including Vista, Server 2008 and Windows 7 32- and 64-bit. Meanwhile, the digital certificate belonging to Realtek Semiconductor that was used to sign a pair of drivers for the new Stuxnet rootkit has been revoked by VeriSign. The certificate was revoked Friday, several days after news broke about the existence of the new malware and the troubling existence of the signed drivers.”

Glyn Moody explains that “after all, with all the others [flaws], who will notice?”

Dell is now shipping computers with a hardware trojan that only affects Microsoft Windows. The New Scientist does not call out Windows, but the malware name is self-explanatory.

Further information posted on Dell’s community forum reveals that the trojan in the affected motherboards is stored in onboard flash memory rather than firmware ROMs. And the malware at issue is called w32.spybot.worm, which normally spreads using file-sharing networks and an internet chat client.

Social networks are now being blamed for merely carrying messages that are used to control Microsoft Windows botnets. One should say “Windows botnet” and “Windows malware”, not just “malware”; these things are not universal. They specifically exploit Microsoft’s bad engineering. “Time to Get Rid of That Other OS,” argues Pogson.

The latest outrage is an attack that exploits another form of “autorun” for shortcuts/links on USB drives. That other OS lets the malware walk right in even if the user does not click on any of the links. That other OS tries to be so helpful…

The original article does name Windows as the problem (also in the headline).

Hackers have developed malware that spreads via USB sticks using a previously unknown security weakness involving Windows’ handling of shortcut files.

“Don’t Call the Police,” Pogson concludes.

There is no limit to how bad malware can be. It can range all the way from sending spam e-mail from your machines to selling all customer lists and sabotaging data by rot over a long period of time, so that by the time you catch it, weeks of work could go down the drain. The worst case is killing your operation through lawsuits charging negligence in allowing disaster to happen when reasonable people know you do not allow malware to run on your systems.

Running Windows is truly a liability. Windows was never designed to be secure.

“There was no strategic direction from Bill and Ballmer about these two things. It was like, ‘Well we have these two things, DOS and Windows, and do we have to run on top of this new multitasking DOS? Are we running on top of DOS 3.0 and we just ignore those guys?’ That went on for a year, this lack of strategic direction. And we just made our own decisions.”

Steve Wood, one of the first Microsoft developers
