
11.02.09

Microsoft Breaks the Law by Not Patching Windows as Per the Agreement

Posted in Law, Microsoft, Security, Windows at 4:35 am by Dr. Roy Schestowitz


Summary: Microsoft’s legal obligations are hanging in the balance while Windows 2000 does not receive security patches

ABOUT a month ago we showed that Microsoft broke its contract with its customers by refusing to patch Windows XP. As it turns out, Microsoft is doing the same with Windows 2000.

Our reader Ryan, who is a former Microsoft MVP and an expert in this area, wrote in IRC: “You should drive home a point that you aren’t when talking about Conficker and its brethren. Windows 2000 will be TEN YEARS OLD on February 17, 2010, and still manages to get at least a dozen security patches a month, even now. It’s a good way to point out that no matter how many patches you install, there’s always more vulnerabilities. Several thousand of them have been patched in Windows 2000 and it’s still regularly patched. You would think that the patch rate would have slowed down and the OS would have more or less settled by now, but it’s going to be patched from birth to abortion. You should also mention that companies won’t necessarily throw out Windows 2000 on their systems just because it’s out of support. From Wikipedia: ‘On 8 September 2009, Microsoft skipped patching two of the five security flaws that were addressed in the monthly security update, saying that patching one of the critical security flaws was “infeasible”. According to the Microsoft Security Bulletin MS09-048, “The architecture to properly support TCP/IP protection does not exist on Microsoft Windows 2000 systems, making it infeasible to build the fix for Microsoft Windows 2000 Service Pack 4 to eliminate the vulnerability. To do so would require rearchitecting a very significant amount of the Microsoft Windows 2000 Service Pack 4 operating system, [...] there would be no assurance that applications designed to run on Microsoft Windows 2000 Service Pack 4 would continue to operate on the updated system.”’ Windows 2000 not only shares all the vulnerabilities in XP, Microsoft has started refusing to patch some while the damned thing is still supported (to try and force an upgrade).
It’s not the first time that Microsoft has refused a security patch for operating systems still in support, they left some critical Windows 98 and Windows NT 4 vulnerabilities unpatched, with a year left on the support lifecycle.

“Windows 2000 is supported until July of 2010, meaning that per their support agreement, every security patch should be delivered on until then, so they’re violating their own support agreement, but insisting that you obey your obligations under their EULA. This is kind of like the times Microsoft was found violating their side of the privacy agreement in Windows Media Player 7 (they probably still do). In other words, Microsoft can flagrantly violate the hell out of their side of the agreement, but don’t you dare to step out of line or install Windows on two systems with one license.”

Fewa responds with: “Microsoft has always been an outlaw corporation. They only obey the laws that benefit them and disregard those that would dare limit their greed of monopoly. They even wish to impose on others those laws. It’s not just that; of course having the government totally hijacked for 6 years did not help. The democrats got a majority in 2006 (in the house).”

“8 years,” insists Ryan, “and I’d argue that they still do. Obama has packed the DOJ with more RIAA mafia types.” Here is a collection of references.

Ryan is not optimistic. “They’re one of the richest companies and have hundreds of lawyers,” he says. “You could sue them, in theory, but they could just stall forever.”

To summarise, writes Ryan: “What kind of confuses me is that according to Microsoft, breaking their EULA is ‘illegal’, but when they break their side of the agreement it’s OK as long as they can say ‘It would have been too much work to close that critical patch on Windows 2000.’ It would be like me saying ‘Well, I installed the same copy of Windows on ten computers cause it would have been too much of a strain on my finances to buy 9 more licenses’; same defense they’re trying, too much of a strain on limited resources, so it’s OK to break the agreement.”

In other news, Microsoft’s cryptology is broken again.

Microsoft releases fix for crypto patch

[...]

The ocsasnfix.exe (direct download) program is to fix the glitch both in the client and in the server. In a knowledgebase article, Microsoft describes how to run the program and what other actions may need to be taken.

Perhaps Microsoft could not just disable the features this time around [1, 2].


8 Comments

  1. Jose_X said,

    November 2, 2009 at 7:51 am


    >> Our reader Ryan, who is a former Microsoft MVP and an expert in this area, wrote in IRC: “…Windows 2000 will be TEN YEARS OLD on February 17, 2010, and still manages to get at least a dozen security patches a month, even now. It’s a good way to point out that no matter how many patches you install, there’s always more vulnerabilities… You would think that the patch rate would have slowed down and the OS would have more or less settled by now, but it’s going to be patched from birth to abortion….”

    http://boycottnovell.com/2009/03/08/conficker-alive-vista-office-flaws/#comment-60287

    > Do they “patch” one hole by moving it around to a different hiding place?

    Rather than _fix_ a vulnerability, I’d almost wager that they keep the holes around but re-hide them. This would allow the holes/backdoors to keep existing but hide their location so that unauthorized sources can’t exploit them (at least not until these get rediscovered).

    Or maybe Microsoft developers are simply sloppy repeatedly ad infinitum. All those smart people might be too wealthy to put in solid effort. We should help them regain their mojave by contributing less money to them.

    Really, perhaps it’s “too much work” to fix the vulnerabilities when a quick reshuffling would stop the current malware cold. The pressure is on to find fixes quickly. Who will know the difference anyway? Microsoft keeps the source code to themselves, and if the hole is rediscovered, it will simply appear as a new distinct vulnerability.

    Maturing software? What’s that?

    Alright, the hole shuffling might not be the norm. Who knows?

    Either way, it is a little scary to think what will happen when Microsoft’s profits aren’t large enough for their needs. What will become of your data on your PCs on their abandoned software?

    Will you get the locked proprietary data out of your systems before the virus and other malware completely decimate the host computers and everything on them?

    Will Microsoft promise to meet their contract security obligations when it’s no longer extremely profitable to do so? [I'm echoing the article]

    With Linux+FOSS [I have to mention this in case some readers don't know], there is a free upgrade path for life and the data is not locked. That’s at least two viable paths that can be taken no matter what (well, to an approximation since really old software source code is not looked at too much). Also, vulnerabilities (at least for important widely used software) usually aren’t simply moved around for convenience’s sake because those watching likely catch it right away and scream (or make the fixes themselves).

  2. Yuhong Bao said,

    November 2, 2009 at 11:03 am


    “It’s not the first time that Microsoft has refused a security patch for operating systems still in support, they left some critical Windows 98 and Windows NT 4 vulnerabilities unpatched, with a year left on the support lifecycle.”
    Yea, I told you that what MS recently did to XP is not new.
    “Windows 2000 is supported until July of 2010, meaning that per their support agreement, every security patch should be delivered on until then, so they’re violating their own support agreement”
    See my comments to this article:
    http://boycottnovell.com/2009/09/21/windows-xp-security-eol/

  3. Yuhong Bao said,

    November 2, 2009 at 11:17 am


    “> Do they “patch” one hole by moving it around to a different hiding place?
    Rather than _fix_ a vulnerability, I’d almost wager that they keep the holes around but re-hide them”
    This is the closest thing to this happening that I can find:
    http://vx.netlux.org/lib/apf00.html
    http://pferrie.tripod.com/papers/ani.pdf
    Note however that the support lifecycle and the EULA are not the same agreement. The latter is for licensing, the former is for support of the same software.

  4. Yuhong Bao said,

    November 2, 2009 at 11:20 am


    I think a fair comparison is to look at how many security holes are still being discovered in, say, Linux 2.4, years after it was released.

    Roy Schestowitz Reply:

    But Linux is just a kernel and Microsoft hides/lumps together flaws (it got caught).

    Yuhong Bao Reply:

    “Microsoft hides/lumps together flaws (it got caught).”
    Really? But even if not, it is certainly not as simple as comparing numbers.

    Roy Schestowitz Reply:

    Yes, that’s another issue, one of granularity.

  5. TheTruth said,

    November 3, 2009 at 1:23 am


    It’s so funny that you bright and ‘honest’ people do not know what a EULA IS !!!..

    It stands for END USER license agreement.

    That means it’s the agreement THE END USER enters into.

    If it was a “Software manufacturers license agreement” then you might (but probably not) have a case.

    But it’s an agreement the END USER enters into, not an agreement the software company signs onto.

    Microsoft is ___ NOT ___ repeat NOT the END USER..

    Go figure, that bright people or people who claim to “know” what’s going on would make such an error.

    But for BN it’s expected… almost compulsory to warp, bend or just plain out break the truth..

    Oh and yes, I’m Mutex, and yes Roy, we all know you don’t censor dissenters. But you do, and why?? Because you either don’t like, or cannot answer, even simple questions in relation to you supporting your wild and untrue “claims”.

    And what OS are you using, Roy?? Linux?? How do you cope with using Linux with all that Novell code in the kernel???

    How do you sleep at night knowing that every second of every day you are running code written by NOVELL..

    Oh that’s right, you can pick and choose what you like in regards to your ’cause’.

    Sure it does not matter that a huge amount of the code you run all the time was written by NOVELL.

    Why don’t you create your own distro, and strip out all the NOVELL code, and replace it with your own.

    Oh that’s right, you don’t code, do you? In fact you don’t contribute to FOSS at all. You are hell-bent on taking away Linux and FOSS.

    That’s right, if all the NOVELL code on your computer suddenly went away, do you think it would still work? I’ll tell you, IT WON’T..

    But somehow you can both boycott NOVELL and use their product ALL THE TIME. But in your mind that is OK, right??

    And why are you so very scared of me Roy, what is it that I do that makes you feel so uneasy, is it because I CHECK YOUR ‘FACTS’, and when I see that you are lying I TELL YOU..

    My bad, I should have guessed you don’t like to have people question your motives.

    How’s your PhD going?? How many years ago did you finish it, 2006?

    Gee Roy, it must be nice to mooch off Daddy and Mommy, and spend your life (waste your life) running your hate site.

    I see now you’ve also branched into politics, and anything else you don’t agree with, including racist remarks about the President of the USA…

    You do understand that it would be much easier for you to state what you DO like, as opposed to stating what you HATE… as the list would be much smaller.

    But go on using your NOVELL code, all day every day, that very code that is hosting this web site, is FROM NOVELL…

    So how is that boycotting them?? It’s not..

    But trying to talk logically to you is impossible, apart from you running a 3-minute mile when I start to question you..

    It’s funny, (or sad) how you can pick and choose what you use and hate and how they can be both the same thing…

    Roy, get a job, stop being a leech on humanity, and do something!!!!.

    Oh, that would be “WORK” and you don’t do that, BN is just too important for you to

    SUDO APT-GET A LIFE …
