EditorsAbout the SiteComes vs. MicrosoftUsing This Web SiteSite ArchivesCredibility IndexOOXMLOpenDocumentPatentsNovellNews DigestSite NewsRSS

01.22.10

Microsoft Security Negligence Confirmed: Critical Internet Explorer Flaw Known and Ignored for 4 Months

Posted in Deception, Microsoft, Security, Windows at 4:12 pm by Dr. Roy Schestowitz

Summary: The newest facts show that Microsoft knowingly refused to fix flaws that led to tremendous damage; lies from Microsoft (about its competition) are refuted as well

IN MANY RECENT posts about Internet Explorer [1, 2, 3, 4, 5, 6, 7, 8], we have pointed out Microsoft’s pattern of negligence [1, 2, 3], which always passes costs (damages) to the public. Microsoft should probably be sued for it, rather than make money from it. Microsoft — like Goldman Sachs — is making a lot of money out of a crisis caused by its own risk-taking.

Here are some self-explanatory news headlines:

Microsoft lies to your face about browser security

Microsoft’s Head of Security and Privacy in the UK has told TechRadar that people who jump ship from Internet Explorer after the recent spate of bad headlines risk ending up on a less secure browser. With France and Germany both advising a move away from Internet Explorer, things are far from rosy for Microsoft’s browser [...yet] Microsoft’s UK security chief Cliff Evans insists that a non-Microsoft browser is the worse option. “The net effect of switching [from IE] is that you will end up on less secure browser,” insisted Evans. “The risk [over this specific] exploit is minimal compared to Firefox or other competing browsers… you will be opening yourself up to security issues.

Let’s fight FUD with facts…

Vulnerability Report: Mozilla Firefox 3.5.x
Unpatched: 0

Vulnerability Report: Google Chrome 3.x
Unpatched: 0

Vulnerability Report: Opera 10.x
Unpatched: 0

Vulnerability Report: Apple Safari 4.x
Unpatched: 0

Vulnerability Report: Microsoft Internet Explorer 6.x
Unpatched: 24
Most Critical Unpatched: Extremely critical

Vulnerability Report: Microsoft Internet Explorer 7.x
Unpatched: 11
Most Critical Unpatched: Extremely critical

Vulnerability Report: Microsoft Internet Explorer 8.x
Unpatched: 4
Most Critical Unpatched: Extremely critical

My recommendation if you use Windows: make sure the version of IE that’s installed (because you can’t uninstall it!) is the latest/least vulnerable (IE8) and then install at least one of the non-IE browsers listed (personally I always recommend Firefox :) and then use THAT. Of course, you could always switch to a Mac or Linux…

Microsoft patches IE, admits it knew of bug last August

As Microsoft patched the Internet Explorer (IE) vulnerability that was used to break into Google’s network, it also acknowledged that it had known of the bug since August 2009, when an Israeli security company reported the flaw.

MS knew of Aurora exploit four months before Google attacks

Microsoft first knew of the bug used in the infamous Operation Aurora IE exploits as long ago as August, four months before the vulnerability was used in exploits against Google and other hi-tech firms in December, it has emerged.

Redmond’s security gnomes finally got around to patching the exploit on Thursday. the hack attacks against Google et al targeted IE 6, a browser first released in 2001. Exploits involved tricking users of vulnerable browsers into visiting booby-trapped websites. These sites downloaded the Hydraq backdoor Trojan and other malicious components onto compromised PCs.

[...]

A quick search of Secunia’s database, via its PSI patching tool, reveals a problem with an unpatched ActiveX control that looks just as bad, for example.

Emergency IE patch goes live as exploits proliferate

Microsoft released an emergency security update for all versions of Internet Explorer on Thursday as attacks exploiting a critical vulnerability in the widely used browser spread to hundreds of websites.

[...]

While some of the sites hosting the attacks were free services that had been co-opted, others appeared to be domains of legitimate companies that had been compromised.

[...]

In an admission that’s sure to spark criticism, Microsoft said it learned of the critical bug more than three months ago.

[...]

The unscheduled bulletin fixes a memory corruption flaw in most versions of the widely used browser that allows attackers to execute malicious code simply by luring victims to a booby-trapped website. It fixes seven other privately reported vulnerabilities, some of which also made remote code execution possible, that Microsoft had been planning to issue next month during its next regularly scheduled patch release.

[...]

Systems compromised by the sites reported by Symantec were infected with a backdoor that collected registry settings and other system information and sent it to an email address that was under the control of attackers. That email address has since been disabled, Talbot said.

Widespread Attacks Exploit Newly Patched IE Bug

The first widespread attack to leverage a recently patched flaw in Microsoft’s Internet Explorer browser has surfaced.

Starting late Wednesday, researchers at antivirus vendor Symantec’s Security Response group began spotting dozens of Web sites that contain the Internet Explorer attack, which works reliably on the IE 6 browser, running on Windows XP. The attack installs a Trojan horse program that is able to bypass some security products and then give hackers access to the system, said Joshua Talbot, a security intelligence manager with Symantec.

Once it has infected a PC, the Trojan sends a notification e-mail to the attackers, using a U.S.-based, free e-mail service that Symantec declined to name.

Make the right browser update: Firefox 3.6

Neolithic Windows security hole alive and well in Windows 7

One of the reasons I’ve never liked Windows is that it was never made to deal with the security problems of working in a networked, multi-user world. As a direct result, Windows has been fundamentally insecure for more than a decade. Even so, I was surprised to find that there’s a 17-year old security hole that’s been in Windows since NT and it’s still present today in Windows 7.

Wow. Even I’m shocked by this latest example of just how rotten Windows security is. It just reminds me again though that while Microsoft keeps adding features and attempting to patch its way out of security problems to Windows, Windows’ foundation is built on sand and not on the stone of good, solid design.

[...]

Be that as it may, the code’s still in there. An attacker can trigger the vulnerability through a variety of means. The end-result is, surprise, another Windows machine that’s totally owned by the attacker. Once in charge, they can vacuum down your files, install malware, and all the other usual tricks.

Vista 7 was never secure to begin with. See the examples below.

  1. Cybercrime Rises and Vista 7 is Already Open to Hijackers
  2. Vista 7: Broken Apart Before Arrival
  3. Department of Homeland Security ‘Poisoned’ by Microsoft; Vista 7 is Open to Hijackers Again
  4. Vista 7 Security “Cannot be Fixed. It’s a Design Problem.”
  5. Why Vista 7 Could be the Least Secure Operating System Ever
  6. Journalists Suggest Banning Windows, Maybe Suing Microsoft Over DDoS Attacks
  7. Vista 7 Vulnerable to Latest “Critical” Flaws
  8. Vista 7 Seemingly Affected by Several More “Critical” Flaws This Month
  9. Reason #1 to Avoid Vista 7: Insecurity
  10. Vista 7 Left Hijackable Again (Almost a Monthly Recurrence)
Share this post: These icons link to social bookmarking sites where readers can share and discover new web pages.
  • Digg
  • del.icio.us
  • Reddit
  • co.mments
  • DZone
  • email
  • Google Bookmarks
  • LinkedIn
  • NewsVine
  • Print
  • Technorati
  • TwitThis
  • Facebook

If you liked this post, consider subscribing to the RSS feed or join us now at the IRC channels.

Pages that cross-reference this one

A Single Comment

  1. uberVU - social comments said,

    January 22, 2010 at 9:26 pm

    Social comments and analytics for this post…

    This post was mentioned on Twitter by schestowitz: Critical Internet Explorer Flaw Known and Ignored for 4 Months http://boycottnovell.com/2010/01/22/refusing-to-fix-ie-flaws/

What Else is New

  1. Links 2/1/2017: Neptune 4.5.3 Release, Netrunner Desktop 17.01 Released

    Links for the day

  2. Teaser: Corruption Indictments Brought Against Vice-President of the European Patent Office (EPO)

    New trouble for Željko Topić in Strasbourg, making it yet another EPO Vice-President who is on shaky grounds and paving the way to managerial collapse/avalanche at the EPO

  3. 365 Days Later, German Justice Minister Heiko Maas Remains Silent and Thus Complicit in EPO Abuses on German Soil

    The utter lack of participation, involvement or even intervention by German authorities serve to confirm that the government of Germany is very much complicit in the EPO's abuses, by refusing to do anything to stop them

  4. Battistelli's Idea of 'Independent' 'External' 'Social' 'Study' is Something to BUY From Notorious Firm PwC

    The sham which is the so-called 'social' 'study' as explained by the Central Staff Committee last year, well before the results came out

  5. Europe Should Listen to SMEs Regarding the UPC, as Battistelli, Team UPC and the Select Committee Lie About It

    Another example of UPC promotion from within the EPO (a committee dedicated to UPC promotion), in spite of everything we know about opposition to the UPC from small businesses (not the imaginary ones which Team UPC claims to speak 'on behalf' of)

  6. Video: French State Secretary for Digital Economy Speaks Out Against Benoît Battistelli at Battistelli's PR Event

    Uploaded by SUEPO earlier today was the above video, which shows how last year's party (actually 2015) was spoiled for Battistelli by the French State Secretary for Digital Economy, Axelle Lemaire, echoing the French government's concern about union busting etc. at the EPO (only to be rudely censored by Battistelli's 'media partner')

  7. When EPO Vice-President, Who Will Resign Soon, Made a Mockery of the EPO

    Leaked letter from Willy Minnoye/management to the people who are supposed to oversee EPO management

  8. No Separation of Powers or Justice at the EPO: Reign of Terror by Battistelli Explained in Letter to the Administrative Council

    In violation of international labour laws, Team Battistelli marches on and engages in a union-busting race against the clock, relying on immunity to keep this gravy train rolling before an inevitable crash

  9. FFPE-EPO is a Zombie (if Not Dead) Yellow Union Whose Only de Facto Purpose Has Been Attacking the EPO's Staff Union

    A new year's reminder that the EPO has only one legitimate union, the Staff Union of the EPO (SUEPO), whereas FFPE-EPO serves virtually no purpose other than to attack SUEPO, more so after signing a deal with the devil (Battistelli)

  10. EPO Select Committee is Wrong About the Unitary Patent (UPC)

    The UPC is neither desirable nor practical, especially now that the EPO lowers patent quality; but does the Select Committee understand that?

  11. Links 1/1/2017: KDE Plasma 5.9 Coming, PelicanHPC 4.1

    Links for the day

  12. 2016: The Year EPO Staff Went on Strike, Possibly “Biggest Ever Strike in the History of the EPO.”

    A look back at a key event inside the EPO, which marked somewhat of a breaking point for Team Battistelli

  13. Open EPO Letter Bemoans Battistelli's Antisocial Autocracy Disguised/Camouflaged Under the Misleading Term “Social Democracy”

    Orwellian misuse of terms by the EPO, which keeps using the term "social democracy" whilst actually pushing further and further towards a totalitarian regime led by 'King' Battistelli

  14. EPO's Central Staff Committee Complains About Battistelli's Bodyguards Fetish and Corruption of the Media

    Even the EPO's Central Staff Committee (not SUEPO) understands that Battistelli brings waste and disgrace to the Office

  15. Translation of French Texts About Battistelli and His Awful Perception of Omnipotence

    The paradigm of totalitarian control, inability to admit mistakes and tendency to lie all the time is backfiring on the EPO rather than making it stronger

  16. 2016 in Review and Plans for 2017

    A look back and a quick look at the road ahead, as 2016 comes to an end

  17. Links 31/12/2016: Firefox 52 Improves Privacy, Tizen Comes to Middle East

    Links for the day

  18. Korea's Challenge of Abusive Patents, China's Race to the Bottom, and the United States' Gradual Improvement

    An outline of recent stories about patents, where patent quality is key, reflecting upon the population's interests rather than the interests of few very powerful corporations

  19. German Justice Minister Heiko Maas, Who Flagrantly Ignores Serious EPO Abuses, Helps Battistelli's Agenda ('Reform') With the UPC

    The role played by Heiko Maas in the UPC, which would harm businesses and people all across Europe, is becoming clearer and hence his motivation/desire to keep Team Battistelli in tact, in spite of endless abuses on German soil

  20. Links 30/12/2016: KDE for FreeBSD, Automotive Grade Linux UCB 3.0

    Links for the day

  21. Software Patents Continue to Collapse, But IBM, Watchtroll and David Kappos Continue to Deny and Antagonise It

    The latest facts and figures about software patents, compared to the spinmeisters' creed which they profit from (because they are in the litigation business)

  22. 2016 Was a Terrible Year for Patent Trolls and 2017 Will Probably be a Lot Worse for Them

    The US Supreme Court (SCOTUS) is planning to weigh in on a case which will quite likely drive patent trolls out of the Eastern District of Texas, where all the courts that are notoriously friendly towards them reside

  23. Fitbit’s Decision to Drop Patent Case Against Jawbone Shows Decreased Potency of Abstract Patents, Not Jawbone’s Weakness

    The scope of patents in the United States is rapidly tightening (meaning, fewer patents are deemed acceptable by the courts) and Fitbit’s patent case is the latest case to bite the dust

  24. The EPO Under Benoît Battistelli Makes the Mafia Look Like Rookies

    Pretending there is a violent, physical threat that is imminent, Paranoid in Chief Benoît Battistelli is alleged to have pursued weapons on EPO premises

  25. Links 29/12/2016: OpenELEC 7.0, Android Wear 2.0 Smartwatches Coming

    Links for the day

  26. Links 28/12/2016: OpenVPN 2.4, SeaMonkey 2.46

    Links for the day

  27. Bad Service at the European Patent Office (EPO) Escalated in the Form of Complaints to European Authorities/Politicians

    A look at actions taken at a political level against the EPO in spite of the EPO's truly awkward exemption from lawfulness or even minimal accountability

  28. No “New Life to Software Patents” in the US; That's Just Fiction Perpetuated by the Patent Microcosm

    Selective emphasis on very few cases and neglect of various other dimensions help create a parallel reality (or so-called 'fake news') where software patents are on the rebound

  29. Links 27/12/2016: Chakra GNU/Linux Updated, Preview of Fedora 26

    Links for the day

  30. Leaked: Letter to Quality Support (DQS) at the European Patent Office (EPO)

    Example of abysmal service at the EPO, where high staff turnover and unreasonable pressure from above may be leading to communication issues that harm stakeholders the most

CoPilotCo

RSS 64x64RSS Feed: subscribe to the RSS feed for regular updates

Home iconSite Wiki: You can improve this site by helping the extension of the site's content

Home iconSite Home: Background about the site and some key features in the front page

Chat iconIRC Channel: Come and chat with us in real time

CoPilotCo

Recent Posts