08.01.10
Security Emergency at Microsoft, All Windows Users Are Vulnerable for Now
Windows users can cut the Internet cable to feel more secure
Summary: Every version of Windows is open to attack which has already targeted very many users and no patches are available yet
MICROSOFT HAD MANY security issues last month. We covered many of them over the course of the past fortnight, but here are some newer items and items which we missed.
Some while ago Microsoft discovered a very major zero-day flaw, which made a lot of headlines including this one where Microsoft is shown to be confirming the problem.
Microsoft on Friday warned that attackers are exploiting a critical unpatched Windows vulnerability using infected USB flash drives.
“Microsoft Acknowledges Windows Shell Vulnerability,” says another article from around the same time. “Microsoft Warns Of Attacks Exploiting Windows Shell Flaw,” alerts CRN. This is an emergency which, according to OpenBytes begs for a vulnerability patch on Monday. For how many consecutive months must such embarrassments happen? Also in the news:
- Microsoft sets emergency Windows patch for Monday
- Microsoft To Release Emergency Patch For Windows
- Microsoft Releasing Windows Security Fix Next Week
According to this new report, Microsoft’s bad patches, which even Microsoft partners are scared to apply, leave many Windows installations unpatched and thus totally vulnerable on a permanent basis. Microsoft pulls support (as in security patches) for older versions of Windows (Windows 2000 and soon Windows Server 2003) and since upgrades are not free when it comes to Windows, more people are expected to have vulnerable machines. To Microsoft, it’s just a business decision. When it comes to Windows 2000, Microsoft has neglected it security-wise longer than it's legally allowed.
“When it comes to Windows 2000, Microsoft has neglected it security-wise longer than it’s legally allowed.”Microsoft is largely a PR company, so needless to say it has ways of downlplaying the severity of such issues, which may have made one in two Windows PCs a zombie PC (since 2008).
As evidence of Microsoft’s PR crusade, look no further than the latest Microsoft Imagine Cup rubbish [1, 2, 3, 4, 5]. It’s Microsoft advertising and it’s a way of making the monopolist look like it is loved by children. It’s an attempt to change the company’s image and similar stunts currently come from Microsoft Malaysia. But that’s another story for another day. The point we are trying to make here is that no matter how serious Microsoft’s security problems are, it will always do lots of PR work to silence reporters. We have documented cases where Microsoft unleashes PR people at journalists (regarding Vista security) and in last month’s news we found “Irvine PR firm honored for work related to Microsoft patches”. Watch the body of this article:
Madison Alexander was honored for the agency’s work on behalf of its client, Shavlik Technologies. By consistently positioning Shavlik as an expert on Patch Tuesdays – when Microsoft Corp. releases software security updates once a month on a Tuesday – the firm delivered “prominent references” to Shavlik in media coverage of Patch Tuesdays, according a statement from Madison Alexander.
Juniper, which is run by several Microsoft executives, seem to be trying something similar with occasional press releases that are consistent with the same template.
“Microsoft’s security problems are not helped by disgruntled groups whom Microsoft is pushing to behave as they do”This just shows how ‘independent’ the press really is and why. It’s all distorted by PR, but the PR happens behind the scenes (the back end, so to speak). “atom42 Tops Agency Leaderboard in Microsoft Competition,” says the headline of this new press release. “In a recent competition run by Microsoft to promote recently improved ‘decision engine’ Bing, online marketing agency atom42 outperformed larger rivals to win ‘blingin’ prizes.” Awww… wonderful!
Microsoft’s security problems are not helped by disgruntled groups whom Microsoft is pushing to behave as they do [1, 2]. It is only making things worse because they take revenge and put all Windows users at risk. This is where Microsoft’s attitudinal problem (arrogance and power games [1, 2, 3]) contributes to lack of security in its products. Some security experts are even leaving Microsoft. New example:
Security researcher and former Microsoft gadfly Marc Maiffret has returned to the company he started when he was a teenager, eEye Digital Security.
Until Microsoft’s emergency security patch arrives everyone who uses Windows is at risk of being assembled into a botnet, “Experts predict extensive attacks of Windows zero-day,” says this report, noting that “Security organizations… raised Internet threat levels to warn users that they expect widespread attacks using exploits of a just-acknowledged critical bug in all versions of Windows.”
That’s right, all versions are affected, Vista 7 included. A while ago Microsoft said that 25,000 PCs were attacked with the latest Windows zero-day flaw (the number is now higher) and it investigated issues it could prevent by simply changing its internal culture. █
“Fuck! It took you a year to figure that out!”
–Bill Gates
“That’s the dumbest fucking idea I’ve heard since I’ve been at Microsoft.”
–Bill Gates