
07.23.10

Microsoft Hides Security Flaws, Then Brags About Transparency

Posted in Microsoft, Security, Windows at 8:10 am by Dr. Roy Schestowitz


Summary: Security news from Microsoft and the facts Microsoft carries on hiding

MICROSOFT’S practice of silent patching (fixing security bugs without ever telling anyone about them) does not prevent the company from lying about disclosure [1, 2] and even bragging about “transparency”. What a nerve they have when they produce reports that demonise Red Hat based on incomplete data which Microsoft itself is knowingly hiding.

Today we look at some recent security problems, starting with one which was covered before:

Microsoft’s problems with Token Kidnapping [.pdf] on the Windows platform aren’t going away anytime soon.

“Microsoft gives up on Windows security flaw,” says the headline of another report.

DEVELOPER OF INSECURE SOFTWARE Microsoft has seemingly given up on finding a solution to a security vulnerability that takes advantage of the way Windows uses shortcuts.

As The INQUIRER reported on Monday, just about every operating system released by the Vole in the past decade is affected by the security flaw, which allows hackers to remotely execute code on Windows systems. Microsoft was relatively quick to admit to the problem, saying that the fault lies with the fact that “Windows incorrectly parses shortcuts”.

The risk was increased by removable and network storage mechanisms such as USB memory drives, which can be ‘autoplayed’ when connected. Due to a dodgy digital certificate in a driver, users would be none the wiser as control of their system was being outsourced to someone else.

From Slashdot (the summary):

Microsoft Has No Plans To Patch New Flaw

“Microsoft has acknowledged the vulnerability that the new malware Stuxnet uses to launch itself with .lnk files, but said it has no plans to patch the flaw right now. The company said the flaw affects most current versions of Windows, including Vista, Server 2008 and Windows 7 32- and 64-bit. Meanwhile, the digital certificate belonging to Realtek Semiconductor that was used to sign a pair of drivers for the new Stuxnet rootkit has been revoked by VeriSign. The certificate was revoked Friday, several days after news broke about the existence of the new malware and the troubling existence of the signed drivers.”

Glyn Moody explains that “after all, with all the others [flaws], who will notice?”
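The revocation mentioned in the Slashdot summary above is the hook for an after-the-fact check. What follows is an added example, not code from the original post or from Microsoft: a Windows PowerShell sweep over the drivers Windows knows about that verifies each file's Authenticode signature and then rebuilds the signer's certificate chain with online revocation checking, so a driver signed with a certificate that has since been revoked is reported independently of what the signature check alone says. It assumes an elevated Windows PowerShell session with network reachability to the issuing CA's CRL or OCSP endpoints; the function and property names are this example's own.

```powershell
# Added example, not from the original post or from Microsoft: sweep the drivers
# Windows knows about, verify each file's Authenticode signature, then rebuild the
# signer's chain with online revocation checking so a certificate revoked after the
# driver was signed (as VeriSign revoked the Realtek one used by Stuxnet) is reported.
# Assumptions: elevated Windows PowerShell session, network reachability to the
# issuing CA's CRL/OCSP endpoints. Function and property names are this example's own.

function Test-DriverSignatures {
    param(
        # Optional wildcard on the driver name, e.g. 'rtk*' for Realtek-named drivers
        [string]$NameFilter = '*'
    )

    $drivers = Get-WmiObject -Class Win32_SystemDriver |
        Where-Object { $_.Name -like $NameFilter -and $_.PathName }

    foreach ($d in $drivers) {
        # PathName comes back as "C:\Windows\system32\DRIVERS\x.sys", sometimes with a
        # "\??\" prefix or "\SystemRoot\" in place of the Windows directory.
        $path = $d.PathName -replace '^\\\?\?\\', ''
        $path = $path -replace '^\\SystemRoot', $env:SystemRoot
        if (-not (Test-Path -LiteralPath $path)) { continue }

        $sig = Get-AuthenticodeSignature -FilePath $path
        $chainStatus = 'n/a'
        $revoked = $false
        $signer = $null

        if ($sig.SignerCertificate) {
            $signer = $sig.SignerCertificate.Subject
            $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
            # Online mode fetches the CRL/OCSP response; EntireChain checks every link.
            $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
            $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
            # VerificationTime defaults to now, so a certificate that was fine when the
            # driver was signed but has since been revoked fails the build here.
            $null = $chain.Build($sig.SignerCertificate)
            $statuses = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() })
            $chainStatus = if ($statuses.Count) { $statuses -join ',' } else { 'OK' }
            $revoked = [bool]($statuses -contains 'Revoked')
        }

        New-Object PSObject -Property @{
            Driver    = $d.Name
            State     = $d.State
            Path      = $path
            SigStatus = $sig.Status
            Signer    = $signer
            Chain     = $chainStatus
            Revoked   = $revoked
        }
    }
}

# Report every driver whose file signature is not Valid or whose signer is now revoked.
Test-DriverSignatures |
    Where-Object { $_.SigStatus -ne 'Valid' -or $_.Revoked } |
    Format-Table Driver, State, SigStatus, Revoked, Chain, Signer -AutoSize
```

Two caveats when reading the output. Only Revoked is an unambiguous result; RevocationStatusUnknown or OfflineRevocation usually means a CRL could not be fetched and says nothing about the driver. And revocation helps only for sweeps like this one and for fresh installs: the kernel-mode code-signing check made when a driver loads does not consult the CA's CRL, so revoking the Realtek certificate did not by itself stop an already-installed signed driver from loading.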

Dell is now shipping computers with a hardware trojan that only affects Microsoft Windows. The New Scientist does not call out Windows, but the malware name is self-explanatory.

Further information posted on Dell’s community forum reveals that the trojan in the affected motherboards is stored in onboard flash memory rather than firmware ROMs. And the malware at issue is called w32.spybot.worm, which normally spreads using file-sharing networks and an internet chat client.

Social networks are now being blamed for merely carrying messages that are used to control Microsoft Windows botnets. One should say “Windows botnet” and “Windows malware”, not just “malware”; these things are not universal. They specifically exploit Microsoft’s bad engineering. “Time to Get Rid of That Other OS,” argues Pogson.

The latest outrage is an attack that exploits another form of “autorun” for shortcuts/links on USB drives. That other OS lets the malware walk right in even if the user does not click on any of the links. That other OS tries to be so helpful…

The original article does name Windows as the problem (also in the headline).

Hackers have developed malware that spreads via USB sticks using a previously unknown security weakness involving Windows’ handling of shortcut files.

“Don’t Call the Police,” Pogson concludes.
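Pogson's point that the shortcut flaw fires without a click comes down to Explorer loading a handler merely to draw a shortcut's icon. The following is an added example, not code from the original post or from Microsoft, showing the two workarounds Microsoft published for this flaw while it was unpatched (clearing the icon handler registration for shortcut files, and disabling the WebClient service, through which the same shortcut can arrive from a WebDAV share) together with a state check and a way to reverse them. It assumes an elevated Windows PowerShell session; the function names and the backup file location are this example's own choices.

```powershell
# Added example, not from the original post or from Microsoft: apply, inspect and
# reverse the two workarounds Microsoft published for the shortcut-parsing flaw
# while it was unpatched. Clearing the IconHandler registration stops Explorer from
# loading a handler merely to draw a shortcut's icon; disabling WebClient closes the
# WebDAV route by which the same shortcut can arrive from a remote share.
# Assumptions: elevated Windows PowerShell session. Function names and the backup
# file path are this example's own choices.

$handlerKeys = @(
    'HKLM:\SOFTWARE\Classes\lnkfile\shellex\IconHandler',
    'HKLM:\SOFTWARE\Classes\piffile\shellex\IconHandler'
)
$backup = Join-Path $env:ProgramData 'shortcut-iconhandler-backup.txt'

function Get-ShortcutIconHandlerState {
    # The (default) value of each key is the CLSID of the icon handler; empty means mitigated.
    foreach ($k in $handlerKeys) {
        $clsid = $null
        if (Test-Path -LiteralPath $k) {
            $clsid = (Get-ItemProperty -LiteralPath $k).'(default)'
        }
        New-Object PSObject -Property @{
            Key       = $k
            Handler   = $clsid
            Mitigated = [string]::IsNullOrEmpty($clsid)
        }
    }
}

function Disable-ShortcutIconHandler {
    # Save the original CLSIDs and the WebClient start mode first, so the change can
    # be undone once a patch is installed.
    $svc = Get-WmiObject -Class Win32_Service -Filter "Name='WebClient'"
    $lines = @(Get-ShortcutIconHandlerState | ForEach-Object { "$($_.Key)=$($_.Handler)" })
    $lines += "WebClient=$($svc.StartMode)"
    $lines | Set-Content -LiteralPath $backup

    foreach ($k in $handlerKeys) {
        if (Test-Path -LiteralPath $k) {
            # Clearing the value data is enough; the key itself can stay.
            Set-ItemProperty -LiteralPath $k -Name '(default)' -Value ''
        }
    }
    Stop-Service -Name WebClient -Force -ErrorAction SilentlyContinue
    Set-Service -Name WebClient -StartupType Disabled
}

function Enable-ShortcutIconHandler {
    # Restore the saved CLSIDs and put WebClient back to its recorded start mode.
    foreach ($line in Get-Content -LiteralPath $backup) {
        $name, $value = $line -split '=', 2
        if ($name -eq 'WebClient') {
            # WMI reports 'Auto'; Set-Service expects 'Automatic'.
            $mode = if ($value -eq 'Auto') { 'Automatic' } else { $value }
            Set-Service -Name WebClient -StartupType $mode
        } elseif ($value) {
            Set-ItemProperty -LiteralPath $name -Name '(default)' -Value $value
        }
    }
}

# State check: after Disable-ShortcutIconHandler both keys report Mitigated = True
# and WebClient reports State Stopped, StartMode Disabled.
Get-ShortcutIconHandlerState | Format-Table Key, Handler, Mitigated -AutoSize
Get-WmiObject -Class Win32_Service -Filter "Name='WebClient'" |
    Format-Table Name, State, StartMode -AutoSize
```

The visible cost is that every shortcut on the desktop and in the Start menu shows a generic icon until the handler is restored, which is why the script keeps a backup. Turning off AutoPlay on its own only removes one way of getting the folder opened; the icon is drawn whenever the folder is viewed in Explorer, which is the behaviour the Pogson quote describes.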

There is no limit to how bad malware can be. It can range all the way from sending spam e-mail from your machines to selling all customer lists and sabotaging data by rot over a long period of time, so that by the time you catch it weeks of work could go down the drain. The worst case is killing your operation through lawsuits charging negligence in allowing disaster to happen, when reasonable people know you do not allow malware to run on your systems.

Running Windows is truly a liability. Windows was never designed to be secure.

“There was no strategic direction from Bill and Ballmer about these two things. It was like, ‘Well we have these two things, DOS and Windows, and do we have to run on top of this new multitasking DOS? Are we running on top of DOS 3.0 and we just ignore those guys?’ That went on for a year, this lack of strategic direction. And we just made our own decisions.”

Steve Wood, one of the first Microsoft developers

