Bonum Certa Men Certa

FUD Alert: Microsoft's Jeff Jones Aims His Lying Pistol at Firefox (Updated)

More lies reveal new fears

Jim Powers wrote to point out this bit from Glyn Moody:

So, Microsoft refers to a report that just happens to be written by one of its employees, but without mentioning that fact.


This isn't exactly new (Matt Asay pointed this out a couple of days ago), but it connects nicely to our observation that Microsoft uses its internal people and various hired 'analysts' to deceive the public. More on that in a moment, but first, here's Asay's take.

It's a convenient fiction that buying everything from one vendor makes life easier. It may make installation and integration between programs easier, but that ease leads to single points of failure. Hijacking a browser is nice, but using the browser to dig deep into the OS, to have that hijacking facilitated by a too-close tie between the browser and the OS? Even better.


For reasons that were briefly mentioned a couple of days ago, Microsoft likes to hide its patches (or simply not patch at all) in order to keep up appearances. There are some recent examples of this, e.g.:

1. Skeletons in Microsoft’s Patch Day closet

This is the first time I’ve seen Microsoft prominently admit to silently fixing vulnerabilities in its bulletins — a controversial practice that effectively reduces the number of publicly documented bug fixes (for those keeping count) and affects patch management/deployment decisions.


2. Beware of undisclosed Microsoft patches

Forget for a moment whether Microsoft is throwing off patch counts that Microsoft brass use to compare its security record with those of its competitors. What do you think of Redmond’s silent patching practice?


Then, consider the invalidity of patch counts.

Sorry, but Microsoft's self-evaluating security counting isn't really a good accounting.

[...]

The point: Don't count on security flaw counting. The real flaw is the counting.


Only days ago, the weaknesses of Internet Explorer security were mentioned in the following article.

When Didier Stevens recently took a closer look at some Internet Explorer malware that he had found, something surprised him somewhat. He discovered that the IE-targeted malware had been obfuscated with null-bytes (0x00) and when run against VirusTotal, he found that fewer than half of the products identified the sample as malware (15 of 32). When all null-bytes were removed, the chances of successful detection improved, though not as much as would normally be expected (25 of 32 detections).

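As an added illustration of the null-byte finding quoted above (example code written for this post, not from the original article, Didier Stevens or VirusTotal), the block below shows why a scanner that matches on raw bytes misses null-interleaved content, and two defender-side checks: normalise the sample before matching, and treat an unusual density of 0x00 bytes in text-like content as a signal in itself. The signature and the sample page fragment are constructed, hypothetical values.

```python
# Added example (not from the original post): defender-side handling of the
# null-byte obfuscation described above. A naive scanner that matches
# signatures on the raw bytes misses content whose characters are interleaved
# with 0x00; normalising first restores the match, and a high proportion of
# nulls in HTML/JS content is itself anomalous and worth flagging.

from typing import Dict, List

# Constructed signature table: a hypothetical pattern, not a real AV rule.
SIGNATURES: Dict[str, bytes] = {
    "constructed_iframe_sig": b"document.write('<iframe",
}

# Constructed sample page fragment that the signature is meant to match.
CLEAN_SAMPLE = b"<script>document.write('<iframe src=\"x\">');</script>"


def obfuscate_with_nulls(data: bytes) -> bytes:
    """Insert a 0x00 byte after every byte (the layout the article describes)."""
    return b"".join(bytes([b]) + b"\x00" for b in data)


def strip_nulls(data: bytes) -> bytes:
    """Normalise a sample by removing every null byte before scanning."""
    return data.replace(b"\x00", b"")


def scan(data: bytes, signatures: Dict[str, bytes] = SIGNATURES) -> List[str]:
    """Naive substring signature scan on the bytes exactly as given."""
    return [name for name, sig in signatures.items() if sig in data]


def scan_normalised(data: bytes, signatures: Dict[str, bytes] = SIGNATURES) -> List[str]:
    """Scan after normalisation so null-interleaved content still matches."""
    return scan(strip_nulls(data), signatures)


def null_ratio(data: bytes) -> float:
    """Fraction of bytes that are 0x00; high values in HTML/JS are anomalous."""
    if not data:
        return 0.0
    return data.count(0) / len(data)


def is_suspicious_text(data: bytes, threshold: float = 0.25) -> bool:
    """Flag text-like content whose null density exceeds the threshold."""
    return null_ratio(data) > threshold


if __name__ == "__main__":
    obfuscated = obfuscate_with_nulls(CLEAN_SAMPLE)
    print("raw scan:        ", scan(obfuscated))
    print("normalised scan: ", scan_normalised(obfuscated))
    print("null ratio:      ", null_ratio(obfuscated))
    print("suspicious:      ", is_suspicious_text(obfuscated))
```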

Going further back, you'll find that IE7 has already been the victim of quite a lot of "critical" flaws (the highest level of severity, which compromises the operating system remotely, with or without user intervention). Examples include:

1. Code posted for Internet Explorer attack

"This type of vulnerability has been very popular with malicious attacks in the past, and we expect to see its usage increase substantially, now that exploit code is publicly available," security vendor Websense warned in a note published Monday.


2. Microsoft probes possible IE 7 phishing hole

The vulnerability relates to the message IE displays when Web page loading is aborted, Raff wrote. An attacker can rig the message by creating a malicious link. The message will offer a link to retry loading the page; hitting it brings up the attacker's page, but showing an arbitrary Web address, he wrote.


3. Critical IE Graphics Flaw Resurfaces

It's bad enough when crooks exploit bugs to ruin a home computer, but the consequences of a successful attack can be much worse. A substitute teacher in Norwich, Connecticut, found that out when a computer she was using in her classroom suddenly started showing pornographic pop-up ads to everyone in the class. She now faces up to 40 years in prison after being convicted of willfully showing her students the images. A security expert hired by her defense, however, says he found malicious software on the PC.


4. Monthly Microsoft Patch Hides Tricky IE 7 Download

Opinion: Microsoft used the January 2007 security update to induce users to try Internet Explorer 7.0 whether they wanted to or not. But after discovering they had been involuntarily upgraded to the new browser, they next found that application incompatibility effectively cut them off from the Internet.


5. Attack code out for 'critical' Windows flaw

All recent versions of Windows are vulnerable when all recent versions of IE, including IE 7, are in use, according to Microsoft.


6. IE7 'critical update' causes headaches for managed desktop environments

As many organisations may not feel compelled to turn off automatic updates, they should be prepared to face this issue when Internet Explorer 7 is downloaded and installed automatically.


7. IE 7 bugs abound

"But browser testers may already be at risk, according to security researcher Tom Ferris. Late Tuesday, Ferris released details of a potential security flaw in IE 7. An attacker could exploit the flaw by crafting a special Web page that could be used to crash the browser or gain complete control of a vulnerable system, Ferris said in an advisory on his Web site. Microsoft had no immediate comment on Ferris' alert."


8. Information disclosure bug blights IE7 release

The flaw stems from an error in the handling of redirections for URLs with the "mhtml:" URI handler. Security notification firm Secunia reports that the same bug was discovered six months ago in IE6 but remains unresolved.


9. IE Used to Launch Instant Messaging and Questionable Clicks

First of all, you need to visit an infection site using Internet Explorer - this exploit doesn't work in Firefox, for example.


10. IE Exploit Could Soon Be Used By 10,000-plus Sites

First reported by Florida-based Sunbelt Software Tuesday, the bug has already been used to compromise PCs and load them with scores of adware and spyware programs, as well as other malicious code. Users surfing with IE 6 and earlier can be infected simply by viewing the wrong site.


11. Russian sites using new IE bug to install spyware

This is the second unpatched flaw found in IE over the past week. On Sept. 14, researchers posted code that could be used to exploit a different vulnerability in a multimedia component of the Web browser. Microsoft is still investigating that flaw and is not saying whether it too will be patched next month.


12. Seen in the wild: Zero Day exploit being used to infect PCs

The exploit uses a bug in VML in Internet Explorer to overflow a buffer and inject shellcode. It is currently on and off again at a number of sites.

Security researchers at Microsoft have been informed.


13. Attack code targets new IE hole

Computer code that could be used to hijack Windows PCs via a yet-to-be-patched Internet Explorer flaw has been posted on the Net, experts have warned.


Then consider some comparisons, e.g.:

1. Which Is Safer: Internet Explorer 7 or Firefox 2.0

In the SmartWare test, Microsoft's Internet Explorer 7 blocked 690 known phishing sites, or 66.35 percent of the total. In contrast, Firefox blocked 78.85 percent when using a local antiphishing database and 81.54 percent when using the online database.


2. Firefox Still Tops IE for Browser Security

"Mozilla is forthcoming about vulnerabilities," Levy said, whereas "it takes Microsoft far longer to acknowledge vulnerability."

How much longer? "In the last reporting period, the second half of last year, Microsoft had acknowledged 13 vulnerabilities. We've now revised it to 31. The difference is that now Microsoft has acknowledged these vulnerabilities."

[...]

"Mozilla can turn around on a dime," Levy said. "Open-source programmers can recognize a problem and patch it in days or weeks."

And as for Microsoft?

"If a vulnerability is reported to Microsoft, Microsoft doesn't acknowledge it for at least a month or two. There's always a certain lag between knowing about a bug and acknowledging it," Levy said.


Other recent articles state that Firefox may have its weak points, but often they are the result of attempts to mimic IE functionality on Windows, which means that the fragile layer is the operating system, not just the Web browser. On operating system security, consider the following articles from the past year:



The great value of GNU/Linux is something that Microsoft itself cannot deny. In fact, it wasn't long ago that it was 'caught' praising it. Microsoft's campus is full of Linux devices that the company is happy with.

What the press statement didn't mention is that Aruba mobility controllers run the Linux operating system which Microsoft has aggressively targeted as being inferior to Windows as part of its "Get the Facts" marketing campaign.

[...]

Pandey's appraisal of Aruba's technology is in stark contrast to Microsoft's "Get the Facts" rhetoric which places Windows as a more secure, and higher-performing choice over Linux.


Let's not forget that for many years, Microsoft has run its Web sites behind the Akamai clusters that are all GNU/Linux. As evidence, consider this recent blog post that contains a screenshot.

Microsoft has also bought companies whose entire infrastructure is based on GNU/Linux and Free software. Examples include the recent acquisition of Newsvine:

The funny thing is, the site is hosted on Debian Linux...


There is also the $6 billion acquisition of aQuantive:

This month's announcement by Microsoft to acquire digital marketing services firm aQuantive has revealed little on how the companies will integrate their IT, but inside information indicates the deal may be Redmond's largest commitment to free software.

[...]

Whether the businesses are complementary or not, Microsoft's integration work will no doubt involve a lot of open source software used by aQuantive.

Information available from Atlas' Web site indicates the Internet software company employs extensive use of open source software including Linux, Apache, MySQL, and Solaris.

Software engineers at Atlas' Raleigh office do client/server development in C and C++, software maintenance and "scripting", and developing and maintaining custom reporting capabilities.


Remember Hotmail, which ran a BSD for several years after Microsoft had acquired it? There are many more examples, but they would make this post extremely long.

As promised, returning to the original point of this post, Microsoft can deny the truth all it wants, but we ought to judge things for ourselves. While Microsoft controls the media, buys the media, and even buys voices on the Internet, nobody can be trusted. The antitrust exhibit known as "Effective Evangelism" [PDF] shows that Microsoft has for a long time intended to hire analysts whose output only appears to be independent. One need only look a month back for a live demonstration.

Going a year into the past, Redmond Kool-Aid seems likely to have played a role in another story which turned out to be an anti-Firefox lie. It did a lot of damage even after it was called a lie, by admission of the claim's own so-called 'hacker'. More information here.

Lately, I read the headline: "Open Source browser Firefox is so critically flawed that it is impossible to fix, according to two hackers." Further on, in the ZDNet article I read: "The hackers claim they know of about 30 unpatched Firefox flaws. They don't plan to disclose them, instead holding onto the bugs."

Since that sounds suspicious, I decided to start searching for connections with MS. Easy enough, here it is...


So, as you can see, the anti-Mozilla Firefox crusade has roots in the past. It remains to be seen how the media will respond to Microsoft's latest attempt to spread Firefox FUD.

Update: A senior Mozilla staffer, who is also a former Microsoft employee, spills the beans on Microsoft and reveals more information about the deception mentioned above.

This is a small subset of all the vulnerabilities, because the vulnerabilities that are found through the QA process and the vulnerabilities that are found by the security folks they engage as contractors to perform penetration testing are fixed in service packs and major updates. For Microsoft this makes sense because these fixes get the benefit of a full test pass which is much more robust for a service pack or major release than it is for a security update.

