Bonum Certa Men Certa
British Universities Under Siege Because of Microsoft Windows, One Goes Offline | How Patent Trolls Harm Free Software and How the European Parliament Plans to Make the Trolls Even Stronger

Microsoft Security Negligence Confirmed: Critical Internet Explorer Flaw Known and Ignored for 4 Months



Summary: The newest facts show that Microsoft knowingly refused to fix flaws that led to tremendous damage; lies from Microsoft (about its competition) are refuted as well

IN MANY RECENT posts about Internet Explorer [1, 2, 3, 4, 5, 6, 7, 8], we have pointed out Microsoft's pattern of negligence [1, 2, 3], which always passes costs (damages) to the public. Microsoft should probably be sued for it, rather than make money from it. Microsoft -- like Goldman Sachs -- is making a lot of money out of a crisis caused by its own risk-taking.



Here are some self-explanatory news headlines:

Microsoft lies to your face about browser security

Microsoft’s Head of Security and Privacy in the UK has told TechRadar that people who jump ship from Internet Explorer after the recent spate of bad headlines risk ending up on a less secure browser. With France and Germany both advising a move away from Internet Explorer, things are far from rosy for Microsoft’s browser [...yet] Microsoft’s UK security chief Cliff Evans insists that a non-Microsoft browser is the worse option. “The net effect of switching [from IE] is that you will end up on less secure browser,” insisted Evans. “The risk [over this specific] exploit is minimal compared to Firefox or other competing browsers… you will be opening yourself up to security issues.

Let’s fight FUD with facts…

Vulnerability Report: Mozilla Firefox 3.5.x Unpatched: 0

Vulnerability Report: Google Chrome 3.x Unpatched: 0

Vulnerability Report: Opera 10.x Unpatched: 0

Vulnerability Report: Apple Safari 4.x Unpatched: 0

Vulnerability Report: Microsoft Internet Explorer 6.x Unpatched: 24 Most Critical Unpatched: Extremely critical

Vulnerability Report: Microsoft Internet Explorer 7.x Unpatched: 11 Most Critical Unpatched: Extremely critical

Vulnerability Report: Microsoft Internet Explorer 8.x Unpatched: 4 Most Critical Unpatched: Extremely critical

My recommendation if you use Windows: make sure the version of IE that’s installed (because you can’t uninstall it!) is the latest/least vulnerable (IE8) and then install at least one of the non-IE browsers listed (personally I always recommend Firefox :) and then use THAT. Of course, you could always switch to a Mac or Linux…


Microsoft patches IE, admits it knew of bug last August

As Microsoft patched the Internet Explorer (IE) vulnerability that was used to break into Google's network, it also acknowledged that it had known of the bug since August 2009, when an Israeli security company reported the flaw.


MS knew of Aurora exploit four months before Google attacks

Microsoft first knew of the bug used in the infamous Operation Aurora IE exploits as long ago as August, four months before the vulnerability was used in exploits against Google and other hi-tech firms in December, it has emerged.

Redmond's security gnomes finally got around to patching the exploit on Thursday. the hack attacks against Google et al targeted IE 6, a browser first released in 2001. Exploits involved tricking users of vulnerable browsers into visiting booby-trapped websites. These sites downloaded the Hydraq backdoor Trojan and other malicious components onto compromised PCs.

[...]

A quick search of Secunia's database, via its PSI patching tool, reveals a problem with an unpatched ActiveX control that looks just as bad, for example.


Emergency IE patch goes live as exploits proliferate

Microsoft released an emergency security update for all versions of Internet Explorer on Thursday as attacks exploiting a critical vulnerability in the widely used browser spread to hundreds of websites.

[...]

While some of the sites hosting the attacks were free services that had been co-opted, others appeared to be domains of legitimate companies that had been compromised.

[...]

In an admission that's sure to spark criticism, Microsoft said it learned of the critical bug more than three months ago.

[...]

The unscheduled bulletin fixes a memory corruption flaw in most versions of the widely used browser that allows attackers to execute malicious code simply by luring victims to a booby-trapped website. It fixes seven other privately reported vulnerabilities, some of which also made remote code execution possible, that Microsoft had been planning to issue next month during its next regularly scheduled patch release.

[...]

Systems compromised by the sites reported by Symantec were infected with a backdoor that collected registry settings and other system information and sent it to an email address that was under the control of attackers. That email address has since been disabled, Talbot said.


Widespread Attacks Exploit Newly Patched IE Bug

The first widespread attack to leverage a recently patched flaw in Microsoft's Internet Explorer browser has surfaced.

Starting late Wednesday, researchers at antivirus vendor Symantec's Security Response group began spotting dozens of Web sites that contain the Internet Explorer attack, which works reliably on the IE 6 browser, running on Windows XP. The attack installs a Trojan horse program that is able to bypass some security products and then give hackers access to the system, said Joshua Talbot, a security intelligence manager with Symantec.

Once it has infected a PC, the Trojan sends a notification e-mail to the attackers, using a U.S.-based, free e-mail service that Symantec declined to name.


Make the right browser update: Firefox 3.6

Neolithic Windows security hole alive and well in Windows 7

One of the reasons I've never liked Windows is that it was never made to deal with the security problems of working in a networked, multi-user world. As a direct result, Windows has been fundamentally insecure for more than a decade. Even so, I was surprised to find that there's a 17-year old security hole that's been in Windows since NT and it's still present today in Windows 7.

Wow. Even I'm shocked by this latest example of just how rotten Windows security is. It just reminds me again though that while Microsoft keeps adding features and attempting to patch its way out of security problems to Windows, Windows' foundation is built on sand and not on the stone of good, solid design.

[...]

Be that as it may, the code's still in there. An attacker can trigger the vulnerability through a variety of means. The end-result is, surprise, another Windows machine that's totally owned by the attacker. Once in charge, they can vacuum down your files, install malware, and all the other usual tricks.


Vista 7 was never secure to begin with. See the examples below.

  1. Cybercrime Rises and Vista 7 is Already Open to Hijackers
  2. Vista 7: Broken Apart Before Arrival
  3. Department of Homeland Security 'Poisoned' by Microsoft; Vista 7 is Open to Hijackers Again
  4. Vista 7 Security “Cannot be Fixed. It's a Design Problem.”
  5. Why Vista 7 Could be the Least Secure Operating System Ever
  6. Journalists Suggest Banning Windows, Maybe Suing Microsoft Over DDoS Attacks
  7. Vista 7 Vulnerable to Latest “Critical” Flaws
  8. Vista 7 Seemingly Affected by Several More “Critical” Flaws This Month
  9. Reason #1 to Avoid Vista 7: Insecurity
  10. Vista 7 Left Hijackable Again (Almost a Monthly Recurrence)

Comments

British Universities Under Siege Because of Microsoft Windows, One Goes Offline | How Patent Trolls Harm Free Software and How the European Parliament Plans to Make the Trolls Even Stronger

Recent Techrights' Posts

Before Freenode Collapsed Its Staff (the People Who Now Run Libera.Chat) Were Censoring/Silencing Some Free Software Supporters
We still have this issue in the Free software community
All We Want to See is Any Form of Accountability in Europe's Largest Institutions
Because people at the top of institutions should never be above the law!
Misinformation/Disinformation Disguised as Information About GNU General Public Licenses (GNU GPL) Usage
GPL-type licences (reciprocal obligations) remain dominant
IBM Mass Layoffs This Week Not Limited to North America, Red Hat Staff Terminated
Do not relocate for a company that sees you as nothing but a number or a "human resource"
 
The Register MS, Payroll First
GNU/Linux is a growing platform
Links 07/11/2025: US Government Shutdown Imperils Critical Functions, Slop in "AI" Clothing Debunked Some More, Bubble's Implosion Ongoing/Imminent According to Experts
Links for the day
Gemini Links 07/11/2025: No Goodbyes, Homelab, Mouse Keys / Pointer Keys
Links for the day
12 Years for Justice is Far Too Slow (and More People, Especially Women, Are Hurt)
Why do police departments and legal systems fail to protect women?
Freenode and irc.com Are Still Around
It emulates retro terminals
We Don't Compete, We Analyse and Report
Principles are so much better than money and they're something money can never acquire
Red Hat is Also Laying Off Staff in India
Red Hat is a dishonest company
Finding Recent Talks of Richard Stallman
We already have many pages, documents, and media files. Organising them and helping people find them is the next Big Task.
Richard Stallman First Speaker at Ethereum Cypherpunk Congress the Weekend After This Coming Weekend
He'll be speaking over the Net
Diversity at Red Hat
Remember to judge corporations by their actions, not some Web pages with words in them
First the Python Software Foundation (PSF) Attacked Its Most Productive Volunteers. Now It Attacks Its Funding Sources.
The U.S. National Science Foundation (NSF) rejected by PSF
News of Substance About the EPO's Substance Abuse (Cocaine)
EPO Cocaine Chronicles - link to archived BILD article and photos
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Thursday, November 06, 2025
IRC logs for Thursday, November 06, 2025
On Midlife Crises
Focus on the sabotage, not politics
Hallmark of Fake News: "Single-digit" (Percentage) and 1% Isn't the Same Thing
apparently "rebalancing" is the new layoffs euphemism
Links 07/11/2025: Patent Trolls Target Germany, Celebrities Visit Ukraine
Links for the day
Slopwatch: LinuxSecurity, Brian Fagioli, and Google News Boosting WebProNews (All Slopfarms)
Those slopfarms just saturate the Web with misinformation and mindless chaff
Techrights and Tux Machines at Over 40
19 years of Techrights and 21+ years of Tux Machines
Coming Soon: More Proof of Cocaine Use at Europe's Second-Largest Institution
Stay tuned
Entering Our 20th Year
...and still looking for answers
Mailing lists vs Discourse forums: open source communities or commodities?
Reprinted with permission from Daniel Pocock
Links 06/11/2025: "Component Abuse Challenge", Google Play Store Deemed Too Monopolistic
Links for the day
Microsoft and Microsoft GitHub (and Rust @ Microsoft GitHub) the Future of Ubuntu, They Want the Same for Debian
Ubuntu is not the place to find freedom
Richard Stallman Was Right About LLM-based Chatbots
the passing fad, LLM-based chatbots
IBM Has Not Been Good for IBM's Red Hat (Which Microsoft Also Attempted to Buy)
GAFAM or GIAFAM are not a force for good
Taking Back Control Over Technology We Purchase (Study, Modify, Enhance, and More)
"The war on general-purpose computing continues
Links 06/11/2025: EFF Wants New Executive Director, Microsoft's Azure Falls Over Again
Links for the day
All Set for Tomorrow
Techrights waves
The Corporate Media Carries on With Patently Phony and Misleading Narrative About IBM's Mass Layoffs
Instead of rightly alleging business failure or commercial (leadership's) weakness it is offloading blame to some mindless buzzwords
IBM Isn't Hiring Based on Age Groups. It Still Hires Based on Salary Expectations.
It is not about the skills available, it's about the expected cost of labour
Estimating the Scale of IBM's Mass Layoffs This Week
there is no denying that the IBM layoffs are vast
Telling Our Story as Victims of Online Abuse
This post will not mention any names
Claim That EPO Quotas Brought Corruption and Mischief to Europe's Second-Largest Institution
Nowadays corruption is the norm at the EPO and there is even rampant substance abuse among the people who run the Office
Rust's "Memory Safety" Talking Point Ought to be Discarded in Light of Fil-C
new memory-safe C/C++ compiler
Claim That IBM Has Another 8 Days to Lay Off 'Expensive' Staff
The consensus in comments we see is, IBM is a terrible place to work in, treatment of its workers is appalling, it's utterly foolish to relocate in an effort to retain a job at IBM, and it's foolish to join the company in the first place
Science Demands Facts, Not Dogma
Saying that restricted hardware is not secure hardware should be common sense
Site Anniversary is Tomorrow
The celebrations might delay our EPO series somewhat
Launching Techrights Search
New search interface and locally hosted back end
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Wednesday, November 05, 2025
IRC logs for Wednesday, November 05, 2025
Slopwatch: linuxbsdos.com, Linux Journal, LinuxSecurity, Brian Fagioli, and WebProNews
Either Google doesn't care about the integrity of Google News or it deems slop to be acceptable
Gemini Links 05/11/2025: Affirmation, GnuPG, and While Loops
Links for the day
Links 05/11/2025: Economic Trouble in France and US Bombing All Over the World Without Declaration of War or Congress Approving
Links for the day
IBM May Well Be Laying Off Over 13,500 and Up to 27,000 Staff This Week When It Says "Single-Digit Percentage of Our Global Workforce"
It's not yet possible to know how many people IBM gets rid of
Red Hat Staff Also Impacted by Latest IBM Layoffs With Focus on North America and Software, Infrastructure
After the bluewashing never expect to see news about "Red Hat layoffs", just as "Tivoli layoffs" aren't to be expected
Early Unverified Figures About Scale of Latest IBM Layoffs
the real scale of the RAs will remain elusive
Coming Soon: Part 4 About the EPO's Substance Abuse (Breaking Laws to Fake 'Production' and Profiting From Unlawful Monopolies)
Notice how quiet the EPO's management has been lately
How Techrights Search Works
Hopefully bots won't use it
For the Record: We Never Named Staff of the Law Firm That's Attacking Us, Except the One the Firm is Named After!
Just to affirm and be sure, I've used our new search facility
Techrights Became a Lot More Productive as a Result of Attacks on It
By default, it's safe to assume anything on the Web is garbage, especially in social control media
Unverified Rumours: IBM Cuts Will Continue Another ~10 Days, Managers Will Invite Those Impacted for 1-on-1 Meetings
Right now IBM likes diversity because with adoption of low-paid demographies it gets to pay workers less for the same work
Links 05/11/2025: Medicare Privatisation and "Breaker Box Economy"
Links for the day
Techrights Search Will Come Early
Maybe tomorrow
It Seems Like GNOME/IBM Don't Like Women and When Budget is Limited Only Women Take the Fall
Seems like a very patriarchal, GAFAM-controlled Foundation
"Last Day" as in "IBM Sacked Me" (Cruel Euphemisms)
"The entire design and research technical leadership at IBM was laid off in the past year, including this round"
analytics.usa.gov: Vista 11 Scarcely Used, GNU/Linux Increasingly Dominant (Microsoft Loses "Goodwill", Depletes Cash Equivalents, and Debt Soars)
"Total current assets" fell by more than 2 billion dollars in the past 3 months
Shadow Crew and Ads Disguised as Articles
That The Register MS runs articles that are paid-for fluff isn't unprecedented
Vista 11 "Market Share" Has Fallen This Month, Based on statCounter
The US government's own data shows the same thing this month
This is How Mainstream Media, Boosted or Parroted by Slopfarms, Spins IBM's Commercial Failure and Mass Layoffs as "AI"
Some say "software focus", but most just resort to buzzwords and blame-shifting hype
Resisting Misogynists
Rianne has already added close to 100,000 pages to this site
Starting November on a Strong Note
All in all, this month started well for us as we have good, accurate publications with considerable impact
Fake Retirements Help IBM Keep the Layoff Figures Down
Yesterday we read that it was quite cruel how IBM (or Red Hat) compelled staff to pretend to be happily leaving or "retiring" when the reality was, they had been pushed out with some "package"
Cocaine at the European Patent Office Now a Subject in YouTube, Media Will Revisit the Topic
"The Cocaine Patent Office" is no joking matter
Gemini Links 05/11/2025: "Wuthering Heights" and "Winter is Coming"
Links for the day
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Tuesday, November 04, 2025
IRC logs for Tuesday, November 04, 2025
2 Days Until Site Anniversary Party, Search Likely to Launch Same Day
We're now just two days away from the nineteenth anniversary of the site
Not Only Mass Layoffs at IBM But Complete Shutdowns "Amid A.I. Boom"
apparently about 10,000 layoffs, not counting those who got pushed out by PIPs and other means