09.10.10

Gemini version available ♊︎

Reader’s Article: Microsoft Windows Hoses Homeland Security

Posted in Microsoft, Security, Windows at 2:03 am by Dr. Roy Schestowitz

Geodesic dome
Pentagons

Summary: DHS and Windows – affair revisited

WINDOWS CONTINUES to be a sordid, insecure mess. We will give some examples within days, but in the mean time, here is a new flaw in Internet Explorer 8, which Microsoft loves to pretend is secure:

“A nasty vulnerability exists in the latest Internet Explorer 8,” Evans wrote. “I have been unsuccessful in persuading the vendor to issue a fix.”

“The bug permits — for example — an arbitrary web site to force the victim to make tweets,” he added.

The vulnerability may exist in other versions of IE and appears to be an extension of a cross-browser cross domain theft first documented by Evans via his scarybeastsecurity blog last December. Evans claims Microsoft has been aware of the bug since 2008, producing a harmless proof-of-concept exploit to illustrate his concerns.

A reader of ours has also just contributed the following short article: “Slashdot is running another story that fails to call out Windows. To be fair, neither did the Wired article or the Department of Homeland Security report itself. The last omission is inexcusable because DHS had all the information and should help US citizens make informed decisions by publishing instead of shielding Microsoft by obfuscating.

“There are tantalizing clues in the report and a damning indictment of Windows. The report The US Department of Homeland Security found more than a thousand serious vulnerabilities on their own network. Almost all of the holes were in applications run on Windows and flaws in Windows itself:

Overall, we identified 1,085 instances of high-risk vulnerabilities on the MOE [Mission Operating Environment]; 202 were unique across 174 MOE computers scanned. The majority of the high-risk vulnerabilities involved application [94%] and operating system [6%] and security software patches that had not been deployed …The application vulnerabilities identified in our scans of the MOE, which NCSD uses for email service and access to NCPS Einstein data, include those involving Microsoft applications, Adobe Acrobat, and Sun Java. … more exploitation attempts are recorded on application programs, especially email attacks that exploit vulnerabilities in commonly used software and programs such as Adobe and Microsoft Office. Though application attacks are on the rise, operating system … Though application attacks are on the rise, operating system attacks are still a security concern; more than 90% of operating system attacks involve buffer overflow vulnerabilities against Windows operating systems.

“When someone says “email attacks” they are usually talking about a particular Windows client. Because the DHS did not break down applications by OS, readers are left guessing what they are talking about. Why bother to give the breakdown for the minority problem, OS, while leaving the majority of problems, applications, nebulous?

“We do know from the report that DHS is a Windows shop and that causes most of the problems. The agency flagellates itself for not following Federal Information Security Management Act (FISMA) requirements or their own policies and recommends they, “Implement a software management solution that will automatically deploy operating system and application security patches and updates on all MOE computer systems to mitigate current and future vulnerabilities.” If they were using GNU/Linux, they would already have such a thing because every distribution comes with a package manager.

“Updates are nearly impossible on Windows but trivial with GNU/Linux. Updates for Windows are spread far and wide on vendor sites, often behind javascript and other barriers to automated discovery. Many vendors have auto update tools but many resemble spyware, introduce security problems of their own and running them all at once drains system resources. Worse, Microsoft is notorious for breaking Windows and other applications with their updates, and every large organization and software vendor ends up doing their own set of tests before they can roll out anything to users. This is an enormous duplication of effort not found in the cooperative world of GNU/Linux. Free software has no such barriers to discovery or copy, so all of the heavy lifting gets done by distributions’ package manager that is already automated.

Does it not seem reasonable to suggest that DHS should abandon Windows? Sadly, it has former Microsoft seniors in house.

Share in other sites/networks: These icons link to social bookmarking sites where readers can share and discover new web pages.
  • Reddit
  • email

Decor ᶃ Gemini Space

Below is a Web proxy. We recommend getting a Gemini client/browser.

Black/white/grey bullet button This post is also available in Gemini over at this address (requires a Gemini client/browser to open).

Decor ✐ Cross-references

Black/white/grey bullet button Pages that cross-reference this one, if any exist, are listed below or will be listed below over time.

Decor ▢ Respond and Discuss

Black/white/grey bullet button If you liked this post, consider subscribing to the RSS feed or join us now at the IRC channels.

DecorWhat Else is New


  1. IRC Proceedings: Wednesday, January 19, 2022

    IRC logs for Wednesday, January 19, 2022



  2. Links 20/1/2022: Linuxfx 11.1 WxDesktop 11.0.3 and FreeIPMI 1.6.9 Released

    Links for the day



  3. Links 19/1/2022: XWayland 22.1 RC1 and OnlyOffice 7.0 Release

    Links for the day



  4. Links 19/1/2022: ArchLabs 2022.01.18 and KDE's 15-Minute Bug Initiative

    Links for the day



  5. When Twitter Protects Abusers and Abuse (and Twitter's Sponsors)

    Twitter is an out-of-control censorship machine and it should be treated accordingly even by those who merely "read" or "follow" Twitter accounts; Twitter is a filter, not a news/media platform or even means of communication



  6. IRC Proceedings: Tuesday, January 18, 2022

    IRC logs for Tuesday, January 18, 2022



  7. Links 19/1/2022: Wine 7.x Era Begins and Istio 1.12.2 is Out

    Links for the day



  8. Another Video IBM Does Not Want You to Watch

    It seems very much possible that IBM (or someone close to IBM) is trying to purge me from Twitter, so let’s examine what they may be trying to distract from. As we put it 2 years ago, "Watson" is a lot more offensive than those supposedly offensive words IBM is working to purge; think about those hundreds of Red Hat workers who are black and were never told about ethnic purges of blacks facilitated by IBM (their new boss).



  9. What IBM Does Not Want You to Watch

    Let's 'Streisand it'...



  10. Good News, Bad News (and Back to Normal)

    When many services are reliant on the integrity of a single, very tiny MicroSD card you're only moments away from 2 days of intensive labour (recovery, investigation, migration, and further coding); we've learned our lessons and took advantage of this incident to upgrade the operating system, double the storage space, even improve the code slightly (for compatibility with newer systems)



  11. Someone Is Very Desperate to Knock My Account Off Twitter

    Many reports against me — some successful — are putting my free speech (and factual statements) at risk



  12. Links 18/1/2022: Deepin 20.4 and Qubes OS 4.1.0 RC4

    Links for the day



  13. Links 18/1/2022: GNOME 42 Alpha and KStars 3.5.7

    Links for the day



  14. IRC Proceedings: Monday, January 17, 2022

    IRC logs for Monday, January 17, 2022



  15. Links 17/1/2022: More Microsoft-Connected FUD Against Linux as Its Share Continues to Fall

    Links for the day



  16. The GUI Challenge

    The latest article from Andy concerns the Command Line Challenge



  17. Links 17/1/2022: digiKam 7.5.0 and GhostBSD 22.01.12 Released

    Links for the day



  18. IRC Proceedings: Sunday, January 16, 2022

    IRC logs for Sunday, January 16, 2022



  19. Links 17/1/2022: postmarketOS 21.12 Service Pack 1 and Mumble 1.4 Released

    Links for the day



  20. [Meme] Gemini Space (or Geminispace): From 441 Working Capsules to 1,600 Working Capsules in Just 12 Months

    Gemini space now boasts 1,600 working capsules, a massive growth compared to last January, as we noted the other day (1,600 is now official)



  21. [Meme] European Patent Office Space

    The EPO maintains a culture of illegal surveillance, inherited from Benoît Battistelli and taken to a whole new level by António Campinos



  22. Gemini Rings (Like Webrings) and Shared Spaces in Geminspace

    Much like the Web of 20+ years ago, Gemini lets online communities — real communities (not abused tenants, groomed to be ‘monetised’ like in Facebook or Flickr) — form networks, guilds, and rings



  23. Links 16/1/2022: Latte Dock 0.11 and librest 0.9.0

    Links for the day



  24. The Corporate Cabal (and Spy Agencies-Enabled Monopolies) Engages in Raiding of the Free Software Community and Hacker Culture

    In an overt attack on the people who actually did all the work — the geeks who built excellent software to be gradually privatised through the Linux Foundation (a sort of price-fixing and openwashing cartel for shared interests of proprietary software firms) — is receiving more widespread condemnation; even the OSI has been bribed to become a part-time Microsoft outsourcer as organisations are easier to corrupt than communities



  25. EPO's Web Site Constantly Spammed by Lies About Privacy While EPO Breaks the Law and Outsources Data to the United States

    The António Campinos-led EPO works for imperialism, it not only protects the rich; sadly, António’s father isn’t alive anymore and surely he would blast his son for doing what he does to progress his career while lying to staff and European citizens



  26. Links 16/1/2022: Tsunami and Patents

    Links for the day



  27. IRC Proceedings: Saturday, January 15, 2022

    IRC logs for Saturday, January 15, 2022



  28. Links 16/1/2022: Year of the GNU/Linux Desktop and Catch-up With Patent Misinformation

    Links for the day



  29. Patrick Breyer, Unlike Most German Politicians, Highlights the Fact That Unified Patent Court (UPC) and Unitary Patent Are Incompatible With EU Law

    A longtime critic of EPO abuses (under both Benoît Battistelli and António Campinos leadership), as well as a vocal critic of software patents, steps in to point out the very obvious



  30. Links 15/1/2022: Flameshot 11.0 and Libvirt 8.0

    Links for the day


RSS 64x64RSS Feed: subscribe to the RSS feed for regular updates

Home iconSite Wiki: You can improve this site by helping the extension of the site's content

Home iconSite Home: Background about the site and some key features in the front page

Chat iconIRC Channel: Come and chat with us in real time

Recent Posts