EditorsAbout the SiteComes vs. MicrosoftUsing This Web SiteSite ArchivesCredibility IndexOOXMLOpenDocumentPatentsNovellNews DigestSite NewsRSS

07.23.10

Microsoft Hides Security Flaws, Then Brags About Transparency

Posted in Microsoft, Security, Windows at 8:10 am by Dr. Roy Schestowitz

Armour

Summary: Security news from Microsoft and the facts Microsoft carries on hiding

MICROSOFT’S practice of silent patching (fixing security bugs without ever telling anyone about it) does not prevent the company from lying about disclosure [1, 2] and even bragging about “transparency”. What a nerve they have when they produce reports that daemonise Red Hat based on incomplete data which Microsoft itself is knowingly hiding.

Today we look at some recent security problems, starting with one which was covered before:

Microsoft’s problems with Token Kidnapping [.pdf] on the Windows platform aren’t going away anytime soon.

“Microsoft gives up on Windows security flaw,” says the headline of another report.

DEVELOPER OF INSECURE SOFTWARE Microsoft has seemingly given up on finding a solution to a security vulnerability that takes advantage of the way Windows uses shortcuts.

As The INQUIRER reported on Monday, just about every operating system released by the Vole in the past decade is affected by the security flaw, which allows hackers to remotely execute code on Windows systems. Microsoft was relatively quick to admit to the problem, saying that the fault lies with the fact that “Windows incorrectly parses shortcuts”.

The risk was increased by removable and network storage mechanisms such as USB memory drives, which can be ‘autoplayed’ when connected. Due to a dodgy digital certificate in a driver, users would be none the wiser as control of their system was being outsourced to someone else.

From Slashdot (the summary):

Microsoft Has No Plans To Patch New Flaw

“Microsoft has acknowledged the vulnerability that the new malware Stuxnet uses to launch itself with .lnk files, but said it has no plans to patch the flaw right now. The company said the flaw affects most current versions of Windows, including Vista, Server 2008 and Windows 7 32- and 64-bit. Meanwhile, the digital certificate that belonging to Realtek Semiconductor that was used to sign a pair of drivers for the new Stuxnet rootkit has been revoked by VeriSign. The certificate was revoked Friday, several days after news broke about the existence of the new malware and the troubling existence of the signed drivers.”

Glyn Moody explains that “after all, with all the others [flaws], who will notice?”

Dell is now shipping computers with a hardware trojan that only affects Microsoft Windows. The New Scientist does not call out Windows, but the malware name is self explanatory.

Further information posted on Dell’s community forum reveals that the trojan in the affected motherboards is stored in onboard flash memory rather than firmware ROMs. And the malware at issue is called w32.spybot.worm, which normally spreads using file-sharing networks and an internet chat client.

Social networks are now being blamed for merely carrying messages that are used to control Microsoft Windows botnets. One should say “Windows botnet” and “Windows malware”, not just “malware”; these things are not universal. They specifically exploit Microsoft’s bad engineering. “Time to Get Rid of That Other OS,” argues Pogson.

The latest outrage is an attack that exploits another form of “autorun” for shortcuts/links on USB drives. That other OS lets the malware walk right in even if the user does not click on any of the links. That other OS tries to be so helpful…

The original article does name Windows as the problem (also in the headline).

Hackers have developed malware that spreads via USB sticks using a previously unknown security weakness involving Windows’ handling of shortcut files.

“Don’t Call the Police,” Pogson concludes.

There is no limit to how bad malware can be. It can range all the way from sending spam e-mail from your machines to selling all customer lists and sabotaging data by rot over a long period of time so that by the time you catch it weeks of work could go down the drain. The worst case is killing your operation through lawsuits charging negligence in allowing disaster to happen when reasonable people know you do not allow malware to run on your systems.

Running Windows is truly a liability. Windows was never designed to be secure.

“There was no strategic direction from Bill and Ballmer about these two things. It was like, ‘Well we have these two things, DOS and Windows, and do we have to run on top of this new multitasking DOS? Are we running on top of DOS 3.0 and we just ignore those guys?’ That went on for a year, this lack of strategic direction. And we just made our own decisions.”

Steve Wood, one of the first Microsoft developers

Share this post: These icons link to social bookmarking sites where readers can share and discover new web pages.
  • Digg
  • del.icio.us
  • Reddit
  • co.mments
  • DZone
  • email
  • Google Bookmarks
  • LinkedIn
  • NewsVine
  • Print
  • Technorati
  • TwitThis
  • Facebook

If you liked this post, consider subscribing to the RSS feed or join us now at the IRC channels.

Pages that cross-reference this one

What Else is New


  1. Links 19/11/2018: Linux 4.20 RC3, New Fedora ISO, GNU OrgaDoc 1.0

    Links for the day



  2. A Fresh Look at Recent 35 U.S.C. § 101 Cases Reveals Rapid Demise of Software Patents Even in District (Lower) Courts

    Contrary to narratives that are being spread by the patents and litigation 'industry', there's anything but a resurgence of patents on algorithms; in the United States they're almost always rejected by courts at all levels



  3. All the Usual Suspects Are Still Working Hard to Harm the Legitimacy if Not Existence of Patent Quality Control

    With David Ruschke out of his role and other former judges leaving the Office one wonders if the new Office leadership is just scheming to hide a decline in patent quality by simply removing quality assessors



  4. The U.S. Patent and Trademark Office Must Be Based on Justice, Not Profits

    With obviousness grounds, prior art and tests for how abstract ideas may be, there's no excuse left for patent maximalism; will patent offices listen to courts or defy caselaw (in pursuits of fulfilling greed)?



  5. The European Patent Office is Attracting Patent Trolls

    Enforcement of software patents in Europe by the large patent troll (disguised as a pool) MPEG-LA means that European software developers cannot develop software with full multimedia support (not without sudden disruption to their peace)



  6. Patent Maximalists Are Still Upset at the US Supreme Court (Over Alice) and the US Patent Office Carries on As Usual

    In spite of the courts’ continued rejection of software patents — perfectly in line with what the high courts are saying — abstract ideas are still being covered by newly-granted patents



  7. Links 18/11/2018: Cucumber Linux 2.0 Alpha and Latest Outreachy

    Links for the day



  8. The European Patent Office Comes up With a Plethora of New Buzzwords by Which to Refer to Software Patents

    The permissive attitude towards software patents in Europe is harmful to software developers in Europe; the officials, who never wrote a computer program in their entire life, pretend this is not the case by adopting marketing techniques and surrogate terms



  9. Patent Maximalists in Europe Keep Mentioning China Even Though It Barely Matters to European Patents

    EPO waves a "white flag" in the face of China even though Chinese patents do not matter much to Europe (except when the goal is to encourage low patent quality, attracting humongous patent trolls)



  10. Team UPC Has Been Reduced to Lies, Lies, and More Lies about the Unified Patent Court Agreement

    With the Unified Patent Court Agreement pretty much dead on arrival (an arrival that is never reached, either) the UPC hopefuls -- those looking to profit from lots of frivolous patent litigation in Europe -- resort to bald-faced lying



  11. Links 17/11/2018: Mesa 18.3 RC3, Total War: WARHAMMER II, GNOME 3.31.2

    Links for the day



  12. Links 16/11/2018: Red Hat Enterprise Linux 8 Beta, Mesa 18.2.5, VirtualBox 6.0 Beta 2

    Links for the day



  13. Berkheimer or No Berkheimer, Software Patents Remain Mostly Unenforceable in the United States and the Supreme Court is Fine With That

    35 U.S.C. § 101, which is based on cases like Alice and Mayo, offers the 'perfect storm' against software patents; it doesn't look like any of that will change any time soon (if ever)



  14. Ignoring and Bashing Courts: Is This the Future of Patent Offices in the West?

    Andrei Iancu, who is trying to water down 35 U.S.C. § 101 while Trump ‘waters down’ SCOTUS (which delivered Alice), isn’t alone; António Campinos, the new President of the EPO, is constantly promoting software patents (which European courts reject, citing the EPC) and even Australia’s litigation ‘industry’ is dissenting against Australian courts that stubbornly reject software patents



  15. Patent Maximalists Are Still Trying to Figure Out How to Stop PTAB or Prevent US Patent Quality From Ever Improving

    Improvements are being made to US patents because of the Patent Trial and Appeal Board (PTAB), which amends/culls/pro-actively rejects (at application phases) bad patents; but the likes of Andrei Iancu cannot stand that because they're patent maximalists, who personally gain from an over-saturation of patents



  16. Links 15/11/2018: Zentyal 6.0, Deepin 15.8, Thunderbird Project Hiring

    Links for the day



  17. A Question of Debt: António Campinos, Lexology, Law Gazette, and Sam Gyimah

    Ineptitude in the media which dominates if not monopolises UPC coverage means that laws detrimental to everyone but patent lawyers are nowadays being pushed even by ministers (not just those whose clandestine vote is used/bought to steal democracy overnight)



  18. Science Minister Sam Gyimah and the EPO Are Eager to Attack Science by Bringing Patent Trolls to Europe/European Union and the United Kingdom

    Team UPC has managed to indoctrinate or hijack key positions, causing those whose job is to promote science to actually promote patent trolls and litigation (suppressing science rather than advancing it)



  19. USF Revisits EPO Abuses, Highlighting an Urgent Need for Action

    “Staff Representation Disciplinary Cases” — a message circulated at the end of last week — reveals the persistence of union-busting agenda and injustice at the EPO



  20. Links 14/11/2018: KDevelop 5.3, Omarine 5.3, Canonical Not for Sale

    Links for the day



  21. Second Day of EPOPIC: Yet More Promotion of Software Patents in Europe in Defiance of Courts, EPC, Parliament and Common Sense

    Using bogus interpretations of the EPC — ones that courts have repeatedly rejected — the EPO continues to grant bogus/fake/bunk patents on abstract ideas, then justifies that practice (when the audience comes from the litigation ‘industry’)



  22. Allegations That António Campinos 'Bought' His Presidency and is Still Paying for it

    Rumours persist that after Battistelli had rigged the election in favour of his compatriot nefarious things related to that were still visible



  23. WIPO Corruption and Coverup Mirror EPO Tactics

    Suppression of staff representatives and whistleblowers carries on at WIPO and the EPO; people who speak out about abuses are themselves being treated like abusers



  24. Links 13/11/2018: HPC Domination (Top 500 All GNU/Linux) and OpenStack News

    Links for the day



  25. The USPTO and EPO Pretend to Care About Patent Quality by Mingling With the Terms “Patent” and “Quality”

    The whole "patent quality" propaganda from EPO and USPTO management continues unabated; they strive to maintain the fiction that quality rather than money is their prime motivator



  26. Yannis Skulikaris Promotes Software Patents at EPOPIC, Defending the Questionable Practice Under António Campinos

    The reckless advocacy for abstract patents on mere algorithms from a new and less familiar face; the EPO is definitely eager to grant software patents and it explains to stakeholders how to do it



  27. The U.S. Chamber of Commerce is Working for Patent Trolls and Patent Maximalists

    The patent trolls' propagandists are joining forces and pushing for a patent system that is hostile to science, technology, and innovation in general (so as to enable a bunch of aggressive law firms to tax everybody)



  28. Team UPC, Fronting for Patent Trolls From the US, is Calling Facts “Resistance”

    The tactics of Team UPC have gotten so tastelessly bad and its motivation so shallow (extortion in Europe) that one begins to wonder why these people are willing to tarnish everything that's left of their reputation



  29. The Federal Circuit Bar Association (FCBA) Will Spread the Berkheimer Lie While Legal Certainty Associated With Patents Remains Low and Few Lawsuits Filed

    New figures regarding patent litigation in the United States (number of lawsuits) show a decrease by about a tenth in just one year; there's still no sign of software patents making any kind of return/rebound in the United States, contrary to lies told by the litigation 'industry' (those who profit from frivolous lawsuits/threats)



  30. Links 12/11/2018: Linux 4.20 RC2, Denuvo DRM Defeated Again

    Links for the day


CoPilotCo

RSS 64x64RSS Feed: subscribe to the RSS feed for regular updates

Home iconSite Wiki: You can improve this site by helping the extension of the site's content

Home iconSite Home: Background about the site and some key features in the front page

Chat iconIRC Channel: Come and chat with us in real time

CoPilotCo

Recent Posts