03.06.10

Gemini version available ♊︎

Microsoft Angers the World by Asking for a Form of Security Bailout, More Fundamental Windows Flaws Found

Posted in GNU/Linux, Microsoft, Security, Windows at 4:08 am by Dr. Roy Schestowitz

Screaming

Summary: Microsoft’s recommendation of “Internet tax” for removing Windows botnets/zombies doesn’t fly; Windows DEP (data execution prevention) is busted

EARLIER in the week we wrote about Microsoft’s Charney suggesting that everyone — UNIX and Linux users included — should pay [1, 2] to compensate for Microsoft’s own negligence [1, 2, 3]. Many people already pay for the damage collectively; for instance, if banks lose money due to zombie Windows PCs that compromise accounts, then interest rates will be lessened. These are some of the hidden costs everyone pays for Microsoft’s incompetence. In Germany, it's hardly even hidden anymore.

“Microsoft’s Laugh-a-Minute Show Continues,” says Glyn Moody regarding Microsoft’s arrogant suggestion.

Can you believe it? Microsoft’s lousy programming has caused *billions* of pounds worth of damage to the global economy in terms of downtime, lost files (and probably blood pressure problems) and it has the bare-faced cheek to suggest there should be an “Internet usage tax” on *everyone* (including GNU/Linux users) to pay for the rectification of *its* mistakes? No wonder Scott Charney has the humorous and manifestly self-contradictory title of “Microsoft Corporate Vice President for Trustworthy Computing”….

Here is another response: “Taxing every citizen for Microsoft Windows problems? Are we insane?”

Just when you think you’ve heard everything, something new arrives. Two years ago, we heard that half a million computers are infected with malicious bots every day (a “bot” is a software program that enters your computer from the Internet or inside infected files, then runs in the background to steal your data, send spam or wreak havoc in some other way).

This is a huge problem both because we depend on digital data in too many ways to explain them here (but you may read about them in the Open Government Book) and because of environmental reasons. According to a McAfee report published in May 2009 the amount of energy used every year to transmit, process and filter spam would be enough to power 2.4 million homes, with the same Greenhouse Gas emissions as 3.1 million passenger cars.

On March 2nd, 2010, Microsoft Corporate Vice President for Trustworthy Computing Scott Charney spoke at a computer security conference about this very theme, that is how to fight the damages caused by computers infected by bots (or “malware”).

According to the summary published on ComputerWorld, Mr Charney started correctly. He pointed out that, just as there are quarantine programs for people with infective diseases, the same thing should happen with people who have computers infected by malware but, for any reasons, won’t fix them up as soon as possible: such people should not be allowed to go online until their computer is clean and safe.

Windows is insecure not because people are negligent; Microsoft itself is extremely negligent and there are many examples of this. “Typical Windows user patches every 5 days,” says this new report from IDG (quoting Secunia).

75 Microsoft, third-party patch events each year are a burden most users can’t bear, says Secunia

Here is Berend-Jan Weve finding another security problem in Windows. From SJVN:

Honest to God I don’t go around trying to pick on Windows for its security problems, but the hackers keep finding new ways to break into it. And, this time, they’ve found a doozie. Berend-Jan Wever, aka “Skylined,” a Google security software engineer has busted DEP (data execution prevention), one of the few significant security improvements Microsoft has made to Windows.

DEP, which was added to Windows back in August 2004 in XP SP2. It addressed the very common hacking technique of buffer overflows. In a buffer overflow attack, a malicious program tries to overwrite the buffer, the amount of memory a program has been allocated for running its code in. By so doing, a buffer overflow overwrites memory that may or may not have been allocated to other programs. In either case, it can then use this overwritten memory for its own purposes. Usually this means running malware or even taking over the computer itself.

[...]

Unfortunately, Wever, using a variation of a hacking technique he helped perfect called heap-spraying has busted DEP. In heap-spraying, the attack code made an educated guess at where vulnerable memory that could be used to execute unapproved programs could be found. In Wever’s latest trick, the attacking code looks for clues on where to find memory that’s allowed by DEP to run programs. Once armed with this information, the attack code can then successfully plant itself in the system.

While the attack code isn’t ready to go for any script-kiddie, as Wever himself points out, he has given enough information on how to defeat DEP that it’s only a matter of time before a competent cracker uses the code to start enabling new attacks.

[...]

In short, if you’re running 32-bit Windows of any sort-XP, Vista, 7, Server 2008-you can look ‘forward’ to being even more vulnerable to attacks. Have I mentioned lately that I tend to do most of my desktop computing with Linux? Well, I am. This exploit opens up a new and huge hole in Windows’ already vulnerable defenses.

For some of its better enhancements to security, Microsoft relies on Free software in the form of firewalls, even virus scanners.

The open source ClamAV project is often used on servers as a way to scan and secure e-mail gateways and Windows file shares. Now ClamAV is coming to the Windows desktop too, by way of the cloud.

Vista 7 is not a solution because it’s not secure either. See the links below.

  1. Cybercrime Rises and Vista 7 is Already Open to Hijackers
  2. Vista 7: Broken Apart Before Arrival
  3. Department of Homeland Security ‘Poisoned’ by Microsoft; Vista 7 is Open to Hijackers Again
  4. Vista 7 Security “Cannot be Fixed. It’s a Design Problem.”
  5. Why Vista 7 Could be the Least Secure Operating System Ever
  6. Journalists Suggest Banning Windows, Maybe Suing Microsoft Over DDoS Attacks
  7. Vista 7 Vulnerable to Latest “Critical” Flaws
  8. Vista 7 Seemingly Affected by Several More “Critical” Flaws This Month
  9. Reason #1 to Avoid Vista 7: Insecurity
  10. Vista 7 Left Hijackable Again (Almost a Monthly Recurrence)
  11. Trend Micro: Vista 7 Less Secure Than Vista
  12. Vista 7 Less Secure Than Predecessors? Remote BSoD Now Possible!
Share in other sites/networks: These icons link to social bookmarking sites where readers can share and discover new web pages.
  • Reddit
  • email

Decor ᶃ Gemini Space

Below is a Web proxy. We recommend getting a Gemini client/browser.

Black/white/grey bullet button This post is also available in Gemini over at this address (requires a Gemini client/browser to open).

Decor ✐ Cross-references

Black/white/grey bullet button Pages that cross-reference this one, if any exist, are listed below or will be listed below over time.

Decor ▢ Respond and Discuss

Black/white/grey bullet button If you liked this post, consider subscribing to the RSS feed or join us now at the IRC channels.

A Single Comment

  1. Needs Sunlight said,

    March 6, 2010 at 10:03 am

    Gravatar

    So this is another Windows vulnerability?

    http://www.vupen.com/english/advisories/2010/0529

    If that’s the case, then Vista and Vista7 are probably defective in the same way as XP. Wait a week or two until the so-called security sites that make their money from Windows are allowed to post about Vista and Vista7.

DecorWhat Else is New


  1. Microsoft GitHub Exposé — Part II — The Campaign Against GPL Compliance and War on Copyleft Enforcement

    Microsoft contemplated buying GitHub 7.5 years ago; the goal wasn’t to actually support “Open Source” but to crush it from the inside and that’s what Microsoft has been doing over the past 2.5 years (we have some details from the inside)



  2. Links 18/10/2021: Linux 5.15 RC6 and 7 New Stable Kernels

    Links for the day



  3. [Meme] The Austrian School of Friedrich Rude Liar

    With reference to the Austrian School, let’s consider the fact that Friedrich Rude Liar might in fact be standing to personally gain by plundering the EPO‘s staff by demonising them while helping Benoît Battistelli crush them



  4. IRC Proceedings: Sunday, October 17, 2021

    IRC logs for Sunday, October 17, 2021



  5. How (Simple Technical Steps) to Convince Yourself That DuckDuckGo is Just Spyware Connected to Microsoft, Falsely Advertised as 'Privacy'

    In recent days we published or republished some bits and pieces about what DuckDuckGo really is; the above reader dropped by to enlighten us and demonstrate just how easy it is to see what DuckDuckGo does even at the client side (with JavaScript); more people need to confront DuckDuckGo over this and warn colleagues/friends/family (there’s more here)



  6. Austria's Right-Wing Politicians Displaying Their Arrogance to EPO Examiners

    The EPO‘s current regime seems to be serving a money-hungry lobby of corrupt officials and pathological liars; tonight we focus on Austria



  7. [Meme] Friedrich Rödler's Increasingly Incomprehensible Debt Quagmire, Years Before EPO Money Was Trafficked Into the Stock Market

    As it turns out, numerous members of the Administrative Council of the EPO are abundantly corrupt and greedy; They falsely claim or selfishly pretend there’s a financial crisis and then moan about a "gap" that does not exist (unless one counts the illegal gambling, notably EPOTIF, which they approved), in turn recruiting or resorting to scabs that help improve ‘profit margins’



  8. The EPO’s Overseer/Overseen Collusion — Part XV: Et Tu Felix Austria…

    Prior to the Benoît Battistelli and António Campinos regime the EPO‘s hard-working staff was slandered by a corrupt Austrian official, Mr. Rödler



  9. Links 17/10/2021: Blender 2.93.5, Microsoft Bailouts

    Links for the day



  10. Links 17/10/2021: GhostBSD 21.10.16 and Mattermost 6.0

    Links for the day



  11. IRC Proceedings: Saturday, October 16, 2021

    IRC logs for Saturday, October 16, 2021



  12. [Meme] First Illegally Banning Strikes, Then Illegally Taking Over Courts

    The vision of Team Battistelli/Campinos is a hostile takeover of the entire patent system, not just patent offices like the EPO; they’d stop at nothing to get there



  13. Portuguese Network of Enablers

    Instead of serving Portuguese people or serving thousands of EPO workers (including many who are Portuguese) the delegation from Portugal served the network of Campinos



  14. In Picture: After Billions Spent on Marketing, With Vista 11 Hype and Vapourware, No Real Gains for Windows

    The very latest figures from Web usage show that it’s hardly even a blip on the radar; Windows continues bleeding to death, not only in servers



  15. [Meme] [Teaser] Double-Dipping Friedrich Rödler

    As we shall see tomorrow night, the EPO regime was supported by a fair share of corrupt officials inside the Administrative Council



  16. The EPO’s Overseer/Overseen Collusion — Part XIV: Battistelli's Iberian Facilitators - Portugal

    How illegal “Strike Regulations” and regressive ‘reforms’ at the EPO, empowering Benoît Battistelli to the detriment of the Rule of Law, were ushered in by António Campinos and by Portugal 5 years before Campinos took Battistelli’s seat (and power he had given himself)



  17. Links 16/10/2021: SparkyLinux Turns 10 and Sculpt OS 21.10

    Links for the day



  18. “Facebook Whistleblowers” Aside, It Has Been a Dying Platform for Years, and It's Mentally Perverting the Older Generation

    Guest post by Ryan, reprinted with permission



  19. [Meme] Microsoft Has Always Been About Control Over Others

    Hosting by Microsoft means subjugation or a slavery-like relationship; contrary to the current media narrative, Microsoft has long been censoring LinkedIn for China’s autocratic regime; and over at GitHub, as we shall show for months to come, there’s a war on information, a war on women, and gross violations of the law



  20. EFF Pushes for Users to Install DuckDuckGo Software After Being Paid to Kill HTTPS Everywhere

    Guest post by Ryan, reprinted with permission



  21. The Reign in Spain

    Discussion about the role of Spain in the EPO‘s autocratic regime which violates the rights of EPO staff, including Spanish workers



  22. [Meme] Spanish Inquisition

    Let it be widely known that Spain played a role in crushing the basic rights of all EPO workers, including hundreds of Spaniards



  23. Why You Shouldn’t Use SteamOS, a Really Incompetent GNU/Linux Distribution With Security Pitfalls (Lutris is a Great Alternative)

    Guest post by Ryan, reprinted with permission



  24. IRC Proceedings: Friday, October 15, 2021

    IRC logs for Friday, October 15, 2021



  25. Links 16/10/2021: Xubuntu 21.10 and DearPyGui 1.0.0

    Links for the day



  26. DuckDuckGo’s HQ is Smaller Than My Apartment

    Guest post by Ryan, reprinted with permission



  27. Post About Whether Vivaldi is a GPL violation Was Quietly Knifed by the Mods of /r/uBlockOrigin in Reddit

    Guest post by Ryan, reprinted with permission



  28. The EPO’s Overseer/Overseen Collusion — Part XIII: Battistelli's Iberian Facilitators - Spain

    The EPO‘s António Campinos is an ‘Academy’ of overt nepotism; what Benoît Battistelli did mostly in France Campinos does in Spain and Portugal, severely harming the international image of these countries



  29. From Competitive (Top-Level, High-Calibre, Well-Paid) Jobs to 2,000 Euros a Month -- How the EPO is Becoming a Sweatshop by Patent Examiners' Standards

    A longish video about the dreadful situation at the EPO, where staff is being ‘robbed’ and EPO funds get funnelled into some dodgy stock market investments (a clear violation of the institution’s charter)



  30. [Meme] Protecting European Patent Courts From EPO 'Mafia'

    With flagrant disregard for court rulings (or workarounds to dodge actual compliance) it seems clear that today's EPO management is allergic to justice and to judges; European Patents perish at unprecedented levels in national European courts and it should be kept that way


RSS 64x64RSS Feed: subscribe to the RSS feed for regular updates

Home iconSite Wiki: You can improve this site by helping the extension of the site's content

Home iconSite Home: Background about the site and some key features in the front page

Chat iconIRC Channel: Come and chat with us in real time

Recent Posts