Summary: Microsoft faces new challenges as security problems continue to be found even in the latest version of Windows and a UK High Court ruling indicates that Microsoft is now liable

NOW that one in two Windows PCs is believed to be a zombie PC Microsoft becomes a national and international problem. The latest Vista 7 vulnerability is a sign that things are not improving and Microsoft will start working privately/secretly with government in its disclosure of vulnerabilities [1, 2, 3, 4]. Will hidden/silent patches also be shared with governments? Last week there was an erroneous suspicion in Slashdot citing a blog with a semi-false alarm about a new security hole.

If you're relying on the password encryption in Microsoft Dynamics GP -- formerly Great Plains -- to meet your PCI requirements, stop what you're doing and listen up. It's been revealed that its encryption algorithm is about as simple as it can be: a substitution cypher.

Look at the original source to see how Microsoft responded to the blogger by spinning and having the blogger state: "I must correct this and clarify. By default, GP gives the user access to the DYNAMICS database but the user CANNOT login to the SQL server using SQL Enterprise Manager. Here’s what happened: I reset the LESSONUSER’s passwords with SQL Enterprise Manager and afterward I was able to login to SQL Enterprise Manager with the LESSONUSER’s credentials. Some flag most have been updated when I reset the password – I need to investigate this further (this was all done in a Test environment). This was a BIG oversight on my part and I apologize for this. I really should have tested this out more before posting that statement. (Thank you Mark and others that pointed this out to me)."

Other known flaws are being addressed.

Microsoft, the software giant based in Redmond (USA), released two critical security updates on May 11, 2010, patching vulnerabilities within its e-mail applications as well as the Visual Basic for Applications designed to implement software programming language built into Microsoft Office.

"New Exploit Resists Windows Security Software," reports IDG:

"This is definitely very serious," said Alfred Huger, vice president of engineering at Immunet, a Palo Alto, Calif.-based antivirus company. "Probably any security product running on Windows XP can be exploited this way." Huger added that Immunet's desktop client is not vulnerable to the argument-switch attacks because the company's software uses a different method to hook into the Windows kernel.

According to Matousec, nearly three-dozen Windows desktop security titles, including ones from Symantec, McAfee, Trend Micro, BitDefender, Sophos and others, can be exploited using the argument-switch tactic. Matousec said it had tested the technique on Windows XP SP3 and Vista SP1 on 32-bit machines.

Here is security guru Bruce Schneier commenting on the news that Microsoft's EULA is no longer an excuse for security flaws [1, 2], at least in the UK where Schneier's employer is based.

The British High Court ruled that a software vendor's EULA -- which denied all liability for poor software -- was not reasonable.

Microsoft claims no liability [1, 2, 3, 4] in its EULA and other places. From now on it may be possible to sue Microsoft UK when its inherently-flawed software leads to big damages (as it does all the time). ⬆