Bonum Certa Men Certa

Microsoft Hides Security Flaws, Then Brags About Transparency

Armour



Summary: Security news from Microsoft and the facts Microsoft carries on hiding

MICROSOFT'S practice of silent patching (fixing security bugs without ever telling anyone about it) does not prevent the company from lying about disclosure [1, 2] and even bragging about "transparency". What a nerve they have when they produce reports that daemonise Red Hat based on incomplete data which Microsoft itself is knowingly hiding.



Today we look at some recent security problems, starting with one which was covered before:

Microsoft’s problems with Token Kidnapping [.pdf] on the Windows platform aren’t going away anytime soon.


"Microsoft gives up on Windows security flaw," says the headline of another report.

DEVELOPER OF INSECURE SOFTWARE Microsoft has seemingly given up on finding a solution to a security vulnerability that takes advantage of the way Windows uses shortcuts.

As The INQUIRER reported on Monday, just about every operating system released by the Vole in the past decade is affected by the security flaw, which allows hackers to remotely execute code on Windows systems. Microsoft was relatively quick to admit to the problem, saying that the fault lies with the fact that "Windows incorrectly parses shortcuts".

The risk was increased by removable and network storage mechanisms such as USB memory drives, which can be 'autoplayed' when connected. Due to a dodgy digital certificate in a driver, users would be none the wiser as control of their system was being outsourced to someone else.


From Slashdot (the summary):

Microsoft Has No Plans To Patch New Flaw



"Microsoft has acknowledged the vulnerability that the new malware Stuxnet uses to launch itself with .lnk files, but said it has no plans to patch the flaw right now. The company said the flaw affects most current versions of Windows, including Vista, Server 2008 and Windows 7 32- and 64-bit. Meanwhile, the digital certificate that belonging to Realtek Semiconductor that was used to sign a pair of drivers for the new Stuxnet rootkit has been revoked by VeriSign. The certificate was revoked Friday, several days after news broke about the existence of the new malware and the troubling existence of the signed drivers."


Glyn Moody explains that "after all, with all the others [flaws], who will notice?"

Dell is now shipping computers with a hardware trojan that only affects Microsoft Windows. The New Scientist does not call out Windows, but the malware name is self explanatory.

Further information posted on Dell's community forum reveals that the trojan in the affected motherboards is stored in onboard flash memory rather than firmware ROMs. And the malware at issue is called w32.spybot.worm, which normally spreads using file-sharing networks and an internet chat client.


Social networks are now being blamed for merely carrying messages that are used to control Microsoft Windows botnets. One should say "Windows botnet" and "Windows malware", not just "malware"; these things are not universal. They specifically exploit Microsoft's bad engineering. "Time to Get Rid of That Other OS," argues Pogson.

The latest outrage is an attack that exploits another form of “autorun” for shortcuts/links on USB drives. That other OS lets the malware walk right in even if the user does not click on any of the links. That other OS tries to be so helpful…


The original article does name Windows as the problem (also in the headline).

Hackers have developed malware that spreads via USB sticks using a previously unknown security weakness involving Windows' handling of shortcut files.


"Don’t Call the Police," Pogson concludes.

There is no limit to how bad malware can be. It can range all the way from sending spam e-mail from your machines to selling all customer lists and sabotaging data by rot over a long period of time so that by the time you catch it weeks of work could go down the drain. The worst case is killing your operation through lawsuits charging negligence in allowing disaster to happen when reasonable people know you do not allow malware to run on your systems.


Running Windows is truly a liability. Windows was never designed to be secure.

"There was no strategic direction from Bill and Ballmer about these two things. It was like, 'Well we have these two things, DOS and Windows, and do we have to run on top of this new multitasking DOS? Are we running on top of DOS 3.0 and we just ignore those guys?' That went on for a year, this lack of strategic direction. And we just made our own decisions."

--Steve Wood, one of the first Microsoft developers



Recent Techrights' Posts

Why We're Revealing the Ugly Story of What Happened at Libre-SOC
Aside from the fact that some details are public already
Why Virtually All the Wikileaks Copycats, Forks, and Rivals Basically Perished
Cryptome is like the "grandpa" of them all
In the United Kingdom Google Search Rises to All-Time High, Microsoft Fell Nearly 1.5% Since the LLM Hype Began
Microsoft is going to need actual products or it will gradually vanish from the market
 
Libre-SOC Insiders Explain How Libre-SOC and Funding for Libre-SOC (From NLNet) Got 'Hijacked' or Seized
One worked alongside my colleagues and I in 2011
Removing the Lid Off of 'Cancel Culture' (in Tech) and Shutting It Down by Illuminating the Tactics and Key Perpetrators
Corporate militants disguised as "good manners"
FSF, Which Pioneered GNU/Linux Development, Needs 32 More New Members in 2.5 Days
To meet the goal of a roughly month-long campaign
Lupa Statistics, Based on Crawling Geminispace, Will Soon Exceed Scope of 4,000 Capsules
Capsules or unique capsules or online capsules are in the thousands and growing
Links 24/07/2024: Many New Attacks on Journalists, "Private Companies Own The Law"
Links for the day
Gemini Links 24/07/2024: Face à Gaïa, Emacs Timers for Weekly Event, Chromebook Survives Water Torture
Links for the day
A Total Lack of Transparency: Open and Free Technology Community (OFTC) Fails to Explain Why Over 60% of Users Are Gone (Since a Week Ago)
IRC giants have fallen
Trying to Put Out the Fire at Microsoft
Microsoft is drowning in debt while laying off loads of staff, hoping it can turn things around
GNU/Linux Growing at Vista 11's Expense
it's tempting to deduce many people who got PCs with Vista 11 preinstalled are deleting it, only to replace it with GNU/Linux
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Tuesday, July 23, 2024
IRC logs for Tuesday, July 23, 2024
[Meme] Was He So Productive He Had to be Expelled Somehow? (After He Was Elected and Had Given Many Years of Work to Earn a Board Seat)
Things like these seem to lessen the incentive to devote one's life to Free software projects
GNOME Foundation is Causing Itself More Embarrassment With Secrecy Than With Full Transparency
It also arouses suspicion and hostility towards Codes of Conduct, which gave rise to 'secret courts' governed by large corporations
Links 23/07/2024: NetherRealm Layoffs and Illegitimate Patent 'Courts' (Illegal)
Links for the day
Gemini Links 23/07/2024: AM Radio, ngIRCd, and Munin
Links for the day
A Lot of GNU/Linux Growth on the Client Side is Owing to India (Where GNU/Linux Has Reached 16%)
A lot of this happened in recent years
Insulting Free Software Users in Social Control Media (Proprietary, Bloated With Opaque JavaScript) is Like Insulting Amish on TV
Why bother? Don't take the bait.
When Wikileaks Sources Were Actually Murdered and Wikileaks Was Still a Wiki
when Wikileaks was a young site and still an actual wiki
statCounter: Dutch GNU/Linux Usage Surged 1% in Summer
Microsoft is running out of things to actually sell
Microsoft's "Results" Next Week Will be Ugly (But It'll Lie About Them, as Usual)
Where can Microsoft find income rather than losses as its debt continues to grow and layoffs accelerate?
Julian Assange is Still Being Dehumanised in Media Whose Owners Wikileaks Berated (With Underlying Facts or Leaks)
Wikileaks and Free software aren't the same thing. Nevertheless, the tactics used to infiltrate or discredit both ought to be understood.
A Month Later
We're optimistic on many fronts
Links 23/07/2024: Downsizing and Microsoft and Still Damage Control
Links for the day
Gemini Links 23/07/2024: Friends and Solitaire
Links for the day
Why the Media is Dying (It Sucks, No Mentally Healthy People Will Tolerate This for Long)
linking to actual news articles helps fuel the spam, too
Censorship in Eklektix's Linux Weekly News (LWN)
Medieval system of speech, where the monarchs (Linux Foundation) dictate what's permissible to say
10 Years of In-Depth EPO Coverage at Techrights (Many Others Have Abandoned the Topic)
Listen to staff
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Monday, July 22, 2024
IRC logs for Monday, July 22, 2024
[Meme] The Latest in the Microsoft Windows Blame Game
Microsoft found the culprit and came to everyone's rescue!
Links 22/07/2024: Overworking and Performance Issues From Europe
Links for the day
Microsoft Eliminates 67% of the Building Occupancy - That's Some Truly Massive Layoffs
Half a dozen floors? Microsoft cuts that down to two.
[Meme] Signs of a Dying Patent Office
"Bribe the media to say you excel"
This Month's General Consultative Committee (GCC) Webchat ('Meeting') Covered the European Patent Office's Attacks on Its Own Interpreters
The Central Staff Committee is currently circulating a report with appendices about the GCC meeting [sic] (webchat) that took place less than a fortnight ago
A Byzantine European Patent Office Where Staff Must Beg for Help With Contraception (Worse Than the Rest of Europe)
The Central Staff Committee (EPO staff representation) has just circulated a report
[Teaser] EPO Run by Children
"Daddy, why was I born?"
Let's Encrypt About to Fall Below 100 (Capsules) in Geminispace, It's Basically in a Freefall
The "self-signed" portion keeps growing
Gemini Links 22/07/2024: Spacewalk Dies and Old Computer Challenge in the Rear View
Links for the day
For the First Time Since May Linux.com (Linux Foundation) Published Something. It's All Spam.
Can we trust the Linux Foundation to look after anything at all? Look what it turned this once-thriving site into.
Honduras: Windows Down, Android Peaking Again
Honduras does not have many stakes in Microsoft
[Meme] Twitter (X) Will Reject the Concept of a Female President
Twitter (X) is controlled by misogynists, who socially control (or socially-engineer) their fake concept of "media"
Second Family Photo of Julian Assange Since His Release (First Since His Birthday)
His wife shows the 4 of them for the first time (2 hours ago)
Protesters in Kenya Need Software That is Free (Libre) and Supports Real Encryption in Order to Avoid Capture and Torture (Sometimes Execution)
There's more to fight over than economic issues
The Ludicrous Idea That GNU/Linux is a "Poor Man's" Operating System
Seeing the trends in countries such an Norway, it ought to be abundantly clear that adoption of GNU/Linux has nothing to do with poverty
Links 22/07/2024: Internet Optimism and Kamala Harris Policies Debated
Links for the day
Something is Happening at OFTC
It looks like it shrank by 20,000 users
GNU/Linux Usage in Guadeloupe Rises Closer to International Average, Based on Web Data Collected by statCounter
It should be noted that the estimates of GNU/Linux usage are now in 4.5% territories
The Impact of OFTC's Latest Changes on the Perceived Scale of IRC Globally
IRC is still one of the more potent alternatives to the social control media conglomerates
New: Why They Really Went After Assange
Uploaded by Chris Hedges
Links 21/07/2024: Health, Politics, and Kamala Harris in Focus
Links for the day
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Sunday, July 21, 2024
IRC logs for Sunday, July 21, 2024
A Drop in Half (From 208 to 104): Sharp Decline in Number of Gemini Capsules That Use Let's Encrypt CA Since December
Gemini is increasing its independence from Certificate Authorities (CAs)