Summary: Security holes -- some of which highly critical -- continue to be found in Microsoft software; Justification of skepticism when it comes to new 'research' from former Microsoft staff, based on Microsoft-supplied data

OVER the past few days we have gathered more evidence to show that security problems only affect/target Windows and that those who flatter Windows for security are often tied to Microsoft (Window Snyder is just one example).

Windows-only Threats

Download Squad has this new post which compares Norton's Security Scan to malware (it sure takes up a lot of resources). Those who think it's bizarre should check out this minor piece of FUD and the rebuttal from The Source.

Right, so the Murphy’s Law headline is “Stop Supporting Open-Source Bloat“, where the author goes on to decry shady tactics of several programs, like:

* Revo Uninstaller * Digsby * ImgBurn

…NONE OF WHICH ARE OPEN SOURCE

Ignorance or deliberate deception? Either way, it looks bad for Maximum PC. Windows problems are now being described as "Open-Source" for no apparent reason.

TechDirt shows how copyright scare is being used to install malware/back-doors on people's Windows machines. This relies on the infamous click-to-execute mentality that's so prevalent in the Windows world. Actually, Microsoft software also tends to execute arbitrary code when one just visits a Web page (Active X is notorious for this reason).

Microsoft Emergency

The security flaws are so serious that Microsoft has just released an "emergency" patch for no less than 10 holes in Internet Explorer (which Microsoft neglected to patch for many months, leading to otherwise-preventable chaos [1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12]).

From The Inquirer:

SOFTWARE INSECURITY SISYPHUS Microsoft has released an out-of-cycle patch for users lazy or ignorant enough to still be using an old version of Internet Explorer.

It's generally rare that threats are deemed serious enough for Microsoft to not wait until its next Patch Tuesday, which would be April 13th now, but a vulnerability hit Internet Explorer 6 and 7 that left them open to potential remote code execution.

More at CNET:

Microsoft issued an emergency security update on Tuesday to plug 10 holes in Internet Explorer, including a critical vulnerability that has been exploited in attacks in the wild.

The cumulative update, which Microsoft announced on Monday, resolves nine privately reported flaws and one that was publicly disclosed. The most severe vulnerabilities could lead to remote code execution and a complete takeover of the computer if a user were to view a malicious Web site using IE, Microsoft said in the bulletin summary.

Internet Explorer 8 is also affected.

BeyondTrust is Hard to Trust

Judging by previous incidents, past Microsoft employees who become 'researchers' typically produce output that's biased in Microsoft's favour. That's why we decided to take a careful look at BeyondTrust. Their web site is all Microsoft stack-based (showing the lower probability that they understand security) and their CEO "spent seven years at Microsoft Corporation in a variety of executive sales and marketing positions," according to the company's own pages. "Sales and marketing," eh? Now, we have already covered security problems Vista 7 suffers from, in a wide range of posts including:

• Cybercrime Rises and Vista 7 is Already Open to Hijackers
• Vista 7: Broken Apart Before Arrival
• Department of Homeland Security 'Poisoned' by Microsoft; Vista 7 is Open to Hijackers Again
• Vista 7 Security “Cannot be Fixed. It's a Design Problem.”
• Why Vista 7 Could be the Least Secure Operating System Ever
• Journalists Suggest Banning Windows, Maybe Suing Microsoft Over DDoS Attacks
• Vista 7 Vulnerable to Latest “Critical” Flaws
• Vista 7 Seemingly Affected by Several More “Critical” Flaws This Month
• Reason #1 to Avoid Vista 7: Insecurity
• Vista 7 Left Hijackable Again (Almost a Monthly Recurrence)
• Trend Micro: Vista 7 Less Secure Than Vista
• Vista 7 Less Secure Than Predecessors? Remote BSoD Now Possible!

“Statistics must not depend on Microsoft's own data and presented in a favourable way by design.”This brings us back to BeyondTrust (wow, what a name!). Their latest promotion of Windows for security is quoted a lot by Microsoft boosters like Emil this week. They are measuring the wrong thing by wrongly assuming that Microsoft tells the truth about its patches. Microsoft is patching its software secretly a lot of the time. We saw that many times before and thus we urge people to be skeptical. Statistics must not depend on Microsoft's own data and presented in a favourable way by design. Remember that there are "lies, damned lies, and statistics," according to Benjamin Disraeli and others. There may also be reason for bias here.

Speaking of potential connections to Microsoft, an anonymous reader told us to "beware that TurboHercules might be financed by Microsoft". This reader has not produced evidence to show what led to such suspicions (it may give away the identity), but as we recently showed, TurboHercules did join a Microsoft front. It aligned itself with Microsoft and companies/campaigns that are partly owned by Microsoft. ⬆