07.23.10

Gemini version available ♊︎

Microsoft Hides Security Flaws, Then Brags About Transparency

Posted in Microsoft, Security, Windows at 8:10 am by Dr. Roy Schestowitz

Armour

Summary: Security news from Microsoft and the facts Microsoft carries on hiding

MICROSOFT’S practice of silent patching (fixing security bugs without ever telling anyone about it) does not prevent the company from lying about disclosure [1, 2] and even bragging about “transparency”. What a nerve they have when they produce reports that daemonise Red Hat based on incomplete data which Microsoft itself is knowingly hiding.

Today we look at some recent security problems, starting with one which was covered before:

Microsoft’s problems with Token Kidnapping [.pdf] on the Windows platform aren’t going away anytime soon.

“Microsoft gives up on Windows security flaw,” says the headline of another report.

DEVELOPER OF INSECURE SOFTWARE Microsoft has seemingly given up on finding a solution to a security vulnerability that takes advantage of the way Windows uses shortcuts.

As The INQUIRER reported on Monday, just about every operating system released by the Vole in the past decade is affected by the security flaw, which allows hackers to remotely execute code on Windows systems. Microsoft was relatively quick to admit to the problem, saying that the fault lies with the fact that “Windows incorrectly parses shortcuts”.

The risk was increased by removable and network storage mechanisms such as USB memory drives, which can be ‘autoplayed’ when connected. Due to a dodgy digital certificate in a driver, users would be none the wiser as control of their system was being outsourced to someone else.

From Slashdot (the summary):

Microsoft Has No Plans To Patch New Flaw

“Microsoft has acknowledged the vulnerability that the new malware Stuxnet uses to launch itself with .lnk files, but said it has no plans to patch the flaw right now. The company said the flaw affects most current versions of Windows, including Vista, Server 2008 and Windows 7 32- and 64-bit. Meanwhile, the digital certificate that belonging to Realtek Semiconductor that was used to sign a pair of drivers for the new Stuxnet rootkit has been revoked by VeriSign. The certificate was revoked Friday, several days after news broke about the existence of the new malware and the troubling existence of the signed drivers.”

Glyn Moody explains that “after all, with all the others [flaws], who will notice?”

Dell is now shipping computers with a hardware trojan that only affects Microsoft Windows. The New Scientist does not call out Windows, but the malware name is self explanatory.

Further information posted on Dell’s community forum reveals that the trojan in the affected motherboards is stored in onboard flash memory rather than firmware ROMs. And the malware at issue is called w32.spybot.worm, which normally spreads using file-sharing networks and an internet chat client.

Social networks are now being blamed for merely carrying messages that are used to control Microsoft Windows botnets. One should say “Windows botnet” and “Windows malware”, not just “malware”; these things are not universal. They specifically exploit Microsoft’s bad engineering. “Time to Get Rid of That Other OS,” argues Pogson.

The latest outrage is an attack that exploits another form of “autorun” for shortcuts/links on USB drives. That other OS lets the malware walk right in even if the user does not click on any of the links. That other OS tries to be so helpful…

The original article does name Windows as the problem (also in the headline).

Hackers have developed malware that spreads via USB sticks using a previously unknown security weakness involving Windows’ handling of shortcut files.

“Don’t Call the Police,” Pogson concludes.

There is no limit to how bad malware can be. It can range all the way from sending spam e-mail from your machines to selling all customer lists and sabotaging data by rot over a long period of time so that by the time you catch it weeks of work could go down the drain. The worst case is killing your operation through lawsuits charging negligence in allowing disaster to happen when reasonable people know you do not allow malware to run on your systems.

Running Windows is truly a liability. Windows was never designed to be secure.

“There was no strategic direction from Bill and Ballmer about these two things. It was like, ‘Well we have these two things, DOS and Windows, and do we have to run on top of this new multitasking DOS? Are we running on top of DOS 3.0 and we just ignore those guys?’ That went on for a year, this lack of strategic direction. And we just made our own decisions.”

Steve Wood, one of the first Microsoft developers

Share in other sites/networks: These icons link to social bookmarking sites where readers can share and discover new web pages.
  • Reddit
  • email

Decor ᶃ Gemini Space

Below is a Web proxy. We recommend getting a Gemini client/browser.

Black/white/grey bullet button This post is also available in Gemini over at this address (requires a Gemini client/browser to open).

Decor ✐ Cross-references

Black/white/grey bullet button Pages that cross-reference this one, if any exist, are listed below or will be listed below over time.

Decor ▢ Respond and Discuss

Black/white/grey bullet button If you liked this post, consider subscribing to the RSS feed or join us now at the IRC channels.

DecorWhat Else is New


  1. [Meme] [Teaser] Benoît Battistelli, King of Iceland

    Later today we shall see how the current deputy of the head of the EPO‘s overseeing body was in fact likely rewarded for her complicity in Benoît Battistelli‘s abuses against EPO staff, including staff from Iceland



  2. IRC Proceedings: Monday, October 18, 2021

    IRC logs for Monday, October 18, 2021



  3. Links 19/10/2021: MyGNUHealth 1.0.5 and Ubuntu 22.04 Now Developed

    Links for the day



  4. [Meme] [Teaser] Thrown Under the Bus

    Tomorrow we shall look at Danish enablers of unlawful EPO regulations, Jesper Kongstad and Anne Rejnhold Jørgensen



  5. The World Needs to Know What Many Austrians Already Know About Rude Liar, the Notorious 'Double-Dipper'

    Today we publish many translations (from German) about the Austrian double-dipper, who already became the subject of unfavourable press coverage in his home country; he’s partly responsible for crushing fundamental rights at the EPO under Benoît Battistelli‘s regime



  6. The EPO’s Overseer/Overseen Collusion — Part XVI: The Demise of the Austrian Double-Dipper

    Friedrich ‘Rude Liar’ Rödler is notorious in the eyes of EPO staff, whom he was slandering and scandalising for ages while he himself was the real scandal



  7. Links 18/10/2021: Porteus Kiosk 5.3 and Ventoy 1.0.55

    Links for the day



  8. [Meme] [Teaser] More to Life Than Patents

    Greedy sociopaths oughtn’t be put in charge of patent offices; this is what’s dooming the EPO in recent years (all they think about is money



  9. Microsoft GitHub Exposé — Part II — The Campaign Against GPL Compliance and War on Copyleft Enforcement

    Microsoft contemplated buying GitHub 7.5 years ago; the goal wasn’t to actually support “Open Source” but to crush it from the inside and that’s what Microsoft has been doing over the past 2.5 years (we have some details from the inside)



  10. Links 18/10/2021: Linux 5.15 RC6 and 7 New Stable Kernels

    Links for the day



  11. [Meme] The Austrian School of Friedrich Rude Liar

    With reference to the Austrian School, let’s consider the fact that Friedrich Rude Liar might in fact be standing to personally gain by plundering the EPO‘s staff by demonising them while helping Benoît Battistelli crush them



  12. IRC Proceedings: Sunday, October 17, 2021

    IRC logs for Sunday, October 17, 2021



  13. How (Simple Technical Steps) to Convince Yourself That DuckDuckGo is Just Spyware Connected to Microsoft, Falsely Advertised as 'Privacy'

    In recent days we published or republished some bits and pieces about what DuckDuckGo really is; the above reader dropped by to enlighten us and demonstrate just how easy it is to see what DuckDuckGo does even at the client side (with JavaScript); more people need to confront DuckDuckGo over this and warn colleagues/friends/family (there’s more here)



  14. Austria's Right-Wing Politicians Displaying Their Arrogance to EPO Examiners

    The EPO‘s current regime seems to be serving a money-hungry lobby of corrupt officials and pathological liars; tonight we focus on Austria



  15. [Meme] Friedrich Rödler's Increasingly Incomprehensible Debt Quagmire, Years Before EPO Money Was Trafficked Into the Stock Market

    As it turns out, numerous members of the Administrative Council of the EPO are abundantly corrupt and greedy; They falsely claim or selfishly pretend there’s a financial crisis and then moan about a "gap" that does not exist (unless one counts the illegal gambling, notably EPOTIF, which they approved), in turn recruiting or resorting to scabs that help improve ‘profit margins’



  16. The EPO’s Overseer/Overseen Collusion — Part XV: Et Tu Felix Austria…

    Prior to the Benoît Battistelli and António Campinos regime the EPO‘s hard-working staff was slandered by a corrupt Austrian official, Mr. Rödler



  17. Links 17/10/2021: Blender 2.93.5, Microsoft Bailouts

    Links for the day



  18. Links 17/10/2021: GhostBSD 21.10.16 and Mattermost 6.0

    Links for the day



  19. IRC Proceedings: Saturday, October 16, 2021

    IRC logs for Saturday, October 16, 2021



  20. [Meme] First Illegally Banning Strikes, Then Illegally Taking Over Courts

    The vision of Team Battistelli/Campinos is a hostile takeover of the entire patent system, not just patent offices like the EPO; they’d stop at nothing to get there



  21. Portuguese Network of Enablers

    Instead of serving Portuguese people or serving thousands of EPO workers (including many who are Portuguese) the delegation from Portugal served the network of Campinos



  22. In Picture: After Billions Spent on Marketing, With Vista 11 Hype and Vapourware, No Real Gains for Windows

    The very latest figures from Web usage show that it’s hardly even a blip on the radar; Windows continues bleeding to death, not only in servers



  23. [Meme] [Teaser] Double-Dipping Friedrich Rödler

    As we shall see tomorrow night, the EPO regime was supported by a fair share of corrupt officials inside the Administrative Council



  24. The EPO’s Overseer/Overseen Collusion — Part XIV: Battistelli's Iberian Facilitators - Portugal

    How illegal “Strike Regulations” and regressive ‘reforms’ at the EPO, empowering Benoît Battistelli to the detriment of the Rule of Law, were ushered in by António Campinos and by Portugal 5 years before Campinos took Battistelli’s seat (and power he had given himself)



  25. Links 16/10/2021: SparkyLinux Turns 10 and Sculpt OS 21.10

    Links for the day



  26. “Facebook Whistleblowers” Aside, It Has Been a Dying Platform for Years, and It's Mentally Perverting the Older Generation

    Guest post by Ryan, reprinted with permission



  27. [Meme] Microsoft Has Always Been About Control Over Others

    Hosting by Microsoft means subjugation or a slavery-like relationship; contrary to the current media narrative, Microsoft has long been censoring LinkedIn for China’s autocratic regime; and over at GitHub, as we shall show for months to come, there’s a war on information, a war on women, and gross violations of the law



  28. EFF Pushes for Users to Install DuckDuckGo Software After Being Paid to Kill HTTPS Everywhere

    Guest post by Ryan, reprinted with permission



  29. The Reign in Spain

    Discussion about the role of Spain in the EPO‘s autocratic regime which violates the rights of EPO staff, including Spanish workers



  30. [Meme] Spanish Inquisition

    Let it be widely known that Spain played a role in crushing the basic rights of all EPO workers, including hundreds of Spaniards


RSS 64x64RSS Feed: subscribe to the RSS feed for regular updates

Home iconSite Wiki: You can improve this site by helping the extension of the site's content

Home iconSite Home: Background about the site and some key features in the front page

Chat iconIRC Channel: Come and chat with us in real time

Recent Posts