More Critical Vulnerabilities in Vista 7, Windows Left Unsafe for Another Month
- Dr. Roy Schestowitz
- 2010-01-09 13:09:30 UTC
- Modified: 2010-01-09 13:09:30 UTC
Summary: Microsoft does not patch serious flaws (it only patches one "critical" flaw, even in Vista 7) and many people are knocked offline as a result of Microsoft negligence
As Microsoft prepares to patch critical problems in Vista and Vista 7 next week, it seems apparent that:
- Microsoft continues to be knowingly negligent when it comes to security (also see [1, 2])
- The latest version of Windows is just as vulnerable as predecessors and some experts say it is even more vulnerable
Among the posts which demonstrate the second point:
Here is the latest demonstration of the first point -- that Microsoft is being negligent. From The Register:
Microsoft won't fix vulnerabilities in the latest versions of Internet Explorer or Windows during its regularly scheduled patch release on Tuesday, meaning users will have to wait at least another month to get updates that correct the security risks.
[...]
That may lighten the load on IT admins, but it also means potentially serious vulnerabilities known to affect Internet Explorer 8 and Windows 7 will be allowed to fester for at least another 28 days.
As reported previously by El Reg, the IE 8 bug can enable attacks against people browsing websites that are otherwise safe to view. The flaw can be exploited to introduce XSS, or cross-site scripting, exploits on webpages, allowing attackers to inject malicious content and code. Ironically, it resides in a feature Microsoft added to harden the browser against that very type of attack.
[...]
Also remaining unfixed is a bug that allows an attacker to completely lock up systems running Windows 7 and Windows 2008R2. The flaw, which resides in the OSes' SMB, or server message block, can be triggered remotely by sending malformed traffic that specifies incoming packets that are smaller or larger than they actually are. SMB is a network protocol used to provide shared access to files and printers.
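The quoted description of the SMB bug comes down to a length field that disagrees with the data actually on the wire. As an added example (it is not from the article, The Register, or Microsoft), here is a small Python checker for the direct-hosted SMB transport framing used on TCP/445, where a 4-byte header (one zero byte, then a 24-bit big-endian length) announces the size of the SMB message that follows. It reports frames whose declared length is shorter or longer than the bytes present and shows how a reader that trusts the field blindly loses synchronisation on the stream. The function names, the constructed 64-byte SMB2-style payload and the sample streams are assumptions for illustration only; the code does not reproduce or trigger the Windows bug.

```python
"""Added example: declared-versus-actual length checks for direct-hosted SMB framing.

Assumed transport layout (TCP/445, MS-SMB2 "Direct TCP"):
    byte 0      : zero
    bytes 1..3  : big-endian 24-bit length of the SMB message that follows
    bytes 4..   : the SMB message (SMB1 starts with 0xFF 'SMB', SMB2 with 0xFE 'SMB')
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

SMB1_MAGIC = b"\xffSMB"
SMB2_MAGIC = b"\xfeSMB"
HEADER_LEN = 4


@dataclass
class FrameCheck:
    declared: int   # length claimed by the header (-1 if no header)
    actual: int     # payload bytes actually present after the header
    verdict: str    # "ok", "declared_shorter", "declared_longer",
                    # "truncated_header" or "bad_header"


def build_frame(payload: bytes, declared: Optional[int] = None) -> bytes:
    """Frame a payload; `declared` overrides the length field to fabricate a mismatch."""
    length = len(payload) if declared is None else declared
    if not 0 <= length < (1 << 24):
        raise ValueError("length does not fit in 24 bits")
    return b"\x00" + length.to_bytes(3, "big") + payload


def smb_dialect(payload: bytes) -> str:
    """Classify a payload by its leading magic bytes."""
    if payload.startswith(SMB2_MAGIC):
        return "SMB2"
    if payload.startswith(SMB1_MAGIC):
        return "SMB1"
    return "unknown"


def check_direct_tcp_frame(frame: bytes) -> FrameCheck:
    """Compare the header's declared length with the bytes actually received."""
    if len(frame) < HEADER_LEN:
        return FrameCheck(-1, len(frame), "truncated_header")
    if frame[0] != 0:
        return FrameCheck(-1, len(frame) - HEADER_LEN, "bad_header")
    declared = int.from_bytes(frame[1:4], "big")
    actual = len(frame) - HEADER_LEN
    if declared == actual:
        verdict = "ok"
    elif declared < actual:
        verdict = "declared_shorter"   # trailing bytes a naive reader would misparse
    else:
        verdict = "declared_longer"    # reader would wait for, or read past, data it lacks
    return FrameCheck(declared, actual, verdict)


def audit_stream(stream: bytes) -> List[Tuple[str, int]]:
    """Walk a TCP byte stream the way a trusting receiver would, advancing by the
    declared length, and record what each supposed frame looks like and where it sits.
    A declared length shorter than the real message desynchronises every later frame;
    a declared length longer than the remaining data stalls the reader."""
    results: List[Tuple[str, int]] = []
    offset = 0
    while offset < len(stream):
        chunk = stream[offset:]
        if len(chunk) < HEADER_LEN:
            results.append(("truncated_header", offset))
            break
        declared = int.from_bytes(chunk[1:4], "big")
        if declared > len(chunk) - HEADER_LEN:
            results.append(("declared_longer", offset))
            break
        payload = chunk[HEADER_LEN:HEADER_LEN + declared]
        results.append((smb_dialect(payload), offset))
        offset += HEADER_LEN + declared
    return results


# Constructed sample payload: SMB2 magic followed by zero padding to a 64-byte header size.
SAMPLE_PAYLOAD = SMB2_MAGIC + bytes(60)

if __name__ == "__main__":
    for declared in (None, 16, 4096):
        print(declared, check_direct_tcp_frame(build_frame(SAMPLE_PAYLOAD, declared)))
    print(audit_stream(build_frame(SAMPLE_PAYLOAD, declared=16) + build_frame(SAMPLE_PAYLOAD)))
```

The stream walk is the instructive part: with one under-declared frame in front, the receiver starts parsing the next "frame" from inside the zero padding of the first message and reports a run of unknown dialects until the byte offsets happen to line up again, which is exactly why a receiver must bound its reads by the bytes it actually holds rather than by the peer's length field.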
More at IDG: Microsoft Won't Fix Windows 7 Crash Bug Next Week
[...]
However, the company acknowledged that it does not yet have a fix for a crippling bug in Windows 7 that went public nearly two months ago.
The expected update will patch a vulnerability rated "critical" -- Microsoft's most serious rating in its four-step scoring system -- in Windows 2000. The bug also affects Windows XP, Vista and Windows 7, as well as Windows Server 2003, Server 2008 and Server 2008 R2, but is tagged as "low" for those editions.
And more from the British news:
Websense warns on Microsoft rogue AV
Searches redirect to malicious sites
Here again is the latest consequence of having hundreds of millions of Windows zombie PCs out there.
About 30,000 customers of the Cheshire-based ISP Vispa were forced offline for almost 12 hours today by a DDOS attack traced to the Baltic state of Latvia.
That is close to a whole day's work or leisure lost for approximately 30,000 customers (some of whom are entire families). What would the cost of this DDoS attack be? Either way, Microsoft UK is profiteering from this (also outside the UK), almost always at the expense of taxpayers, who bear the cost as an externality.