08.08.10
Microsoft Security Worse Than Ever, All Windows Users Still Vulnerable
Summary: Code red for Microsoft as just days after an “emergency” patch comes the largest-ever patchset and all versions of Windows still seem to be left open for attackers
LAST WEEK was an emergency week for Windows users [1, 2, 3], all of whom were left vulnerable to hijacking due to Microsoft’s incompetence. Here is just one more article about it:
An emergency Windows software update will close a loophole in Microsoft’s operating system that makes it easy for hackers to take control of a computer using shortcuts
Have things truly improved after this emergency patch? Don’t bet on it. Microsoft is breaking new records in this Tuesday’s security update, which is said to plug 34 holes:
Microsoft will issue 14 security bulletins on Tuesday to plug 34 holes, including eight that are critical, in Windows, Office, Internet Explorer, SQL and Silverlight, the company said on Thursday.
There is a lot more coverage about this [1, 2, 3, 4, 5, 6, 7, 8, 9] as “Microsoft [is] to issue record number of security bulletins next Tuesday” [via].
For those who think that 34 holes is the correct number, think again. Microsoft is patching its software silently and unethically so as to fake numbers that its employees decrease by hiding some of the applied fixes. In other words, Microsoft is knowingly lying and giving fake numbers. Previously we wrote about how Microsoft also spurned researchers who had warned about security flaws in Windows [1, 2, 3]. Microsoft is trying to make up after the Microsoft-Spurned Researcher Collective had been created and “TippingPoint’s ZDI sets a 6-month deadline on vendors to encourage faster patching,” according to this report. There is more information about it here.
Microsoft’s problems are not over and all Windows users continue to be vulnerable to attacks (even after Patch Tuesday) because:
1. Unpatched kernel-level vuln affects all Windows versions
Researchers have identified a kernel-level vulnerability in Windows that allows attackers to gain escalated privileges and may also allow them to remotely execute malicious code. All versions of the Microsoft OS are affected, including the heavily fortified Windows 7.
2. Microsoft probes new Windows kernel bug
3. Unpatched Vulnerability in All Windows Versions Claimed
4. Kernel-level Vulnerabilities Hit All Windows Versions
Microsoft on Friday announced to have launched an investigation into kernel-level vulnerability hitting Windows. As per reports, all versions of the Microsoft OS have been engulfed by the bug, including the heavily fortified Windows 7.
We wrote about this in a previous post. Rather than security improving over time, Microsoft seems to be getting worse and the number of holes is increasing. █
Andrew Macabe said,
August 8, 2010 at 11:02 pm
…heavily fortified Windows 7. Topnews & the register are into humor now?
twitter Reply:
August 9th, 2010 at 9:28 am
Windows 7/Vista are fortified against users for the sake of advertisers and Microsoft. In ordinary security, the user is the owner and everything else is a threat. In the Microsoft world, user control is the primary threat and all else is disregarded.
Microsoft has benefitted from the insecurity of their software for as long as I can tell. The MSDOS 5.x install from 1993 flashes messages about new technology to keep data safe from crashes and users safe from viruses. Everytime Microsoft wants to sell a new version of Windows, stories about “computer viruses” suddenly show up in the Microsoft friendly press. After nearly a decade of useless, often malicious patch Tuesdays, most people are starting to understand that Windows will never be secured. Software that has owners does what the owners want not the user.
Dr. Roy Schestowitz Reply:
August 9th, 2010 at 10:00 am
The issue is that upgrades are not free either (upgrade treadmill is the business mode), which means that many users are left less secure due to financial means. GNU/Linux does not have this problem, or very rarely has.