11.02.09

Microsoft Breaks the Law by Not Patching Windows as Per the Agreement

Posted in Law, Microsoft, Security, Windows at 4:35 am by Dr. Roy Schestowitz

Summary: Microsoft’s legal obligations are hanging in the balance while Windows 2000 does not receive security patches

ABOUT a month ago we showed that Microsoft broke its contract with its customers by refusing to patch Windows XP. As it turns out, Microsoft is doing the same with Windows 2000.

Our reader Ryan, who is a former Microsoft MVP and an expert in this area, wrote in IRC: “You should drive home a point that you aren’t when talking about Conficker and its brethren. Windows 2000 will be TEN YEARS OLD on February 17, 2010, and still manages to get at least a dozen security patches a month, even now. It’s a good way to point out that no matter how many patches you install, there’s always more vulnerabilities. Several thousand of them have been patched in Windows 2000 and it’s still regularly patched. You would think that the patch rate would have slowed down and the OS would have more or less settled by now, but it’s going to be patched from birth to abortion. You should also mention that companies won’t necessarily throw out Windows 2000 on their systems just because it’s out of support. From Wikipedia: ‘On 8 September 2009, Microsoft skipped patching two of the five security flaws that were addressed in the monthly security update, saying that patching one of the critical security flaws was “infeasible”.[93] According to the Microsoft Security Bulletin MS09-048, “The architecture to properly support TCP/IP protection does not exist on Microsoft Windows 2000 systems, making it infeasible to build the fix for Microsoft Windows 2000 Service Pack 4 to eliminate the vulnerability. To do so would require rearchitecting a very significant amount of the Microsoft Windows 2000 Service Pack 4 operating system, [...] there would be no assurance that applications designed to run on Microsoft Windows 2000 Service Pack 4 would continue to operate on the updated system.”’ Windows 2000 not only shares all the vulnerabilities in XP, Microsoft has started refusing to patch some while the damned thing is still supported (to try and force an upgrade). It’s not the first time that Microsoft has refused a security patch for operating systems still in support, they left some critical Windows 98 and Windows NT 4 vulnerabilities unpatched, with a year left on the support lifecycle.

“Windows 2000 is supported until July of 2010, meaning that per their support agreement, every security patch should be delivered on until then, so they’re violating their own support agreement, but insisting that you obey your obligations under their EULA. This is kind of like the times Microsoft was found violating their side of the privacy agreement in Windows Media Player 7 (they probably still do). In other words, Microsoft can flagrantly violate the hell out of their side of the agreement, but don’t you dare to step out of line or install Windows on two systems with one license.”

Fewa responds with: “Microsoft has always been an outlaw corporation. They only obey the laws that benefit them and disregard those that would dare limit their greed of monopoly. They even wish to impose those laws on others. It’s not just that; of course having the government totally hijacked for 6 years did not help. The democrats got a majority in 2006 (in the house).”

“8 years,” insists Ryan, “and I’d argue that they still do. Obama has packed the DOJ with more RIAA mafia types.” Here is a collection of references.

Ryan is not optimistic. “They’re one of the richest companies and have hundreds of lawyers,” he says. “You could sue them, in theory, but they could just stall forever.”

To summarise, writes Ryan: “What kind of confuses me is that according to Microsoft, breaking their EULA is ‘illegal’, but when they break their side of the agreement it’s OK as long as they can say ‘It would have been too much work to close that critical patch on Windows 2000.’ It would be like me saying ‘Well, I installed the same copy of Windows on ten computers cause it would have been too much of a strain on my finances to buy 9 more licenses’; same defense they’re trying, too much of a strain on limited resources, so it’s OK to break the agreement.”

In other news, Microsoft’s cryptology is broken again.

Microsoft releases fix for crypto patch

[...]

The ocsasnfix.exe (direct download) program is to fix the glitch both in the client and in the server. In a knowledgebase article, Microsoft describes how to run the program and what other actions may need to be taken.

Perhaps Microsoft could not just disable the features this time around [1, 2].

8 Comments

  1. Jose_X said,

    November 2, 2009 at 7:51 am

    >> Our reader Ryan, who is a former Microsoft MVP and an expert in this area, wrote in IRC: “…Windows 2000 will be TEN YEARS OLD on February 17, 2010, and still manages to get at least a dozen security patches a month, even now. It’s a good way to point out that no matter how many patches you install, there’s always more vulnerabilities… You would think that the patch rate would have slowed down and the OS would have more or less settled by now, but it’s going to be patched from birth to abortion….”

    http://boycottnovell.com/2009/03/08/conficker-alive-vista-office-flaws/#comment-60287

    > Do they “patch” one hole by moving it around to a different hiding place?

    Rather than _fix_ a vulnerability, I’d almost wager that they keep the holes around but re-hide them. This would allow the holes/backdoors to keep existing but hide their location so that unauthorized sources can’t exploit them (at least not until these get rediscovered).

    Or maybe Microsoft developers are simply sloppy repeatedly ad infinitum. All those smart people might be too wealthy to put in solid effort. We should help them regain their mojave by contributing less money to them.

    Really, perhaps it’s “too much work” to fix the vulnerabilities when a quick reshuffling would stop the current malware cold. The pressure is on to find fixes quickly. Who will know the difference anyway? Microsoft keeps the source code to themselves, and if the hole is rediscovered, it will simply appear as a new distinct vulnerability.

    Maturing software? What’s that?

    Alright, the hole shuffling might not be the norm. Who knows?

    Either way, it is a little scary to think what will happen when Microsoft’s profits aren’t large enough for their needs. What will become of your data on your PCs on their abandoned software?

    Will you get the locked proprietary data out of your systems before the virus and other malware completely decimate the host computers and everything on them?

    Will Microsoft promise to meet their contract security obligations when it’s no longer extremely profitable to do so? [I'm echoing the article]

    With Linux+FOSS [I have to mention this in case some readers don't know], there is a free upgrade path for life and the data is not locked. That’s at least two viable paths that can be taken no matter what (well, to an approximation since really old software source code is not looked at too much). Also, vulnerabilities (at least for important widely used software) usually aren’t simply moved around for convenience’s sake because those watching likely catch it right away and scream (or make the fixes themselves).

  2. Yuhong Bao said,

    November 2, 2009 at 11:03 am

    “It’s not the first time that Microsoft has refused a security patch for operating systems still in support, they left some critical Windows 98 and Windows NT 4 vulnerabilities unpatched, with a year left on the support lifecycle.”
    Yea, I told you that what MS recently did to XP is not new.
    “Windows 2000 is supported until July of 2010, meaning that per their support agreement, every security patch should be delivered on until then, so they’re violating their own support agreement”
    See my comments to this article:
    http://boycottnovell.com/2009/09/21/windows-xp-security-eol/

  3. Yuhong Bao said,

    November 2, 2009 at 11:17 am

    “> Do they “patch” one hole by moving it around to a different hiding place?
    Rather than _fix_ a vulnerability, I’d almost wager that they keep the holes around but re-hide them”
    This is the closest thing to this happening that I can find:
    http://vx.netlux.org/lib/apf00.html
    http://pferrie.tripod.com/papers/ani.pdf
    Note however that the support lifecycle and the EULA are not the same agreement. The latter is for licensing, the former is for support of the same software.

  4. Yuhong Bao said,

    November 2, 2009 at 11:20 am

    I think a fair comparison is to look at how many security holes are still being discovered in, say, Linux 2.4 years after it was released.

    Roy Schestowitz Reply:

    But Linux is just a kernel and Microsoft hides/lumps together flaws (it got caught).

    Yuhong Bao Reply:

    “Microsoft hides/lumps together flaws (it got caught). ”
    Really? But even if not, it is certainly not as simple as comparing numbers.

    Roy Schestowitz Reply:

    Yes, that’s another issue, one of granularity.

  5. TheTruth said,

    November 3, 2009 at 1:23 am

    It’s so funny that you bright and ‘honest’ people do not know what a EULA IS !!!..

    It stands for END USER license agreement.

    That means it’s the agreement THE END USER enters into.

    If it was a “Software manufacturers license agreement” then you might (but probably not) have a case.

    But it’s an agreement the END USER enters into, not an agreement the software company signs onto.

    Microsoft is ___ NOT ___ repeat NOT the END USER..

    Go figure, that bright people or people who claim to “know” what’s going on would make such an error.

    But for BN it’s expected… almost compulsory to warp, bend or just plain out break the truth..

    Oh and Yes, I’m Mutex, and yes Roy we all know you don’t censor dissenters. But you do, and why ?? because you either don’t like, or cannot answer even simple questions in relation to you supporting your wild, and untrue “claims”.

    And what OS are you using Roy ?? Linux ?? how do you cope with using Linux with all that Novell code in the kernel ???

    How do you sleep at night knowing that every second of every day you are running code written by NOVELL..

    Oh that’s right, you can pick and choose what you like in regards to your ‘cause’.

    Sure it does not matter that a huge amount of the code you run all the time, was written by NOVELL.

    Why don’t you create your own distro, and strip out all the NOVELL code, and replace it with your own.

    Oh that’s right, you don’t code do you, in fact you don’t contribute to FOSS at all. You are hell bent on taking away Linux and FOSS.

    That’s right, if all the NOVELL code on your computer suddenly went away, do you think it would still work…, I’ll tell you, IT WON’T..

    But somehow you can both boycott NOVELL and use their product ALL THE TIME. but in your mind that is ok,,, right ??

    And why are you so very scared of me Roy, what is it that I do that makes you feel so uneasy, is it because I CHECK YOUR ‘FACTS’. and when I see that you are lying I TELL YOU..

    My bad, I should have guessed you don’t like to have people question your motives.

    How’s your PhD going ?? how many years ago did you finish it,, 2006?

    Gee Roy, it must be nice to mooch off Daddy and Mommy, and spend your life (waste your life) running your hate site.

    I see now you’ve also branched into politics, and anything else you dont agree with, including racist remarks about the President of the USA…

    You do understand that it would be much easier for you to state what you DO like, as opposed to stating what you HATE… as the list would be much smaller.

    But go on using your NOVELL code, all day every day, that very code that is hosting this web site, is FROM NOVELL…

    So how is that boycotting them ?? it’s not..

    but trying to talk logically to you is impossible, apart from you running a 3 minute mile when I start to question you..

    It’s funny, (or sad) how you can pick and choose what you use and hate and how they can be both the same thing…

    Roy,,, get a job, stop being a leech on humanity, and do something !!!!.

    Oh,, that would be “WORK” and you don’t do that, BN is just too important for you to

    SUDO APT-GET A LIFE …
