Bonum Certa Men Certa

Microsoft Hides Security Flaws, Then Brags About Transparency

Armour



Summary: Security news from Microsoft and the facts Microsoft carries on hiding

MICROSOFT'S practice of silent patching (fixing security bugs without ever telling anyone about it) does not prevent the company from lying about disclosure [1, 2] and even bragging about "transparency". What a nerve they have when they produce reports that daemonise Red Hat based on incomplete data which Microsoft itself is knowingly hiding.



Today we look at some recent security problems, starting with one which was covered before:

Microsoft’s problems with Token Kidnapping [.pdf] on the Windows platform aren’t going away anytime soon.


"Microsoft gives up on Windows security flaw," says the headline of another report.

DEVELOPER OF INSECURE SOFTWARE Microsoft has seemingly given up on finding a solution to a security vulnerability that takes advantage of the way Windows uses shortcuts.

As The INQUIRER reported on Monday, just about every operating system released by the Vole in the past decade is affected by the security flaw, which allows hackers to remotely execute code on Windows systems. Microsoft was relatively quick to admit to the problem, saying that the fault lies with the fact that "Windows incorrectly parses shortcuts".

The risk was increased by removable and network storage mechanisms such as USB memory drives, which can be 'autoplayed' when connected. Due to a dodgy digital certificate in a driver, users would be none the wiser as control of their system was being outsourced to someone else.


From Slashdot (the summary):

Microsoft Has No Plans To Patch New Flaw



"Microsoft has acknowledged the vulnerability that the new malware Stuxnet uses to launch itself with .lnk files, but said it has no plans to patch the flaw right now. The company said the flaw affects most current versions of Windows, including Vista, Server 2008 and Windows 7 32- and 64-bit. Meanwhile, the digital certificate that belonging to Realtek Semiconductor that was used to sign a pair of drivers for the new Stuxnet rootkit has been revoked by VeriSign. The certificate was revoked Friday, several days after news broke about the existence of the new malware and the troubling existence of the signed drivers."


Glyn Moody explains that "after all, with all the others [flaws], who will notice?"

Dell is now shipping computers with a hardware trojan that only affects Microsoft Windows. The New Scientist does not call out Windows, but the malware name is self explanatory.

Further information posted on Dell's community forum reveals that the trojan in the affected motherboards is stored in onboard flash memory rather than firmware ROMs. And the malware at issue is called w32.spybot.worm, which normally spreads using file-sharing networks and an internet chat client.


Social networks are now being blamed for merely carrying messages that are used to control Microsoft Windows botnets. One should say "Windows botnet" and "Windows malware", not just "malware"; these things are not universal. They specifically exploit Microsoft's bad engineering. "Time to Get Rid of That Other OS," argues Pogson.

The latest outrage is an attack that exploits another form of “autorun” for shortcuts/links on USB drives. That other OS lets the malware walk right in even if the user does not click on any of the links. That other OS tries to be so helpful…


The original article does name Windows as the problem (also in the headline).

Hackers have developed malware that spreads via USB sticks using a previously unknown security weakness involving Windows' handling of shortcut files.


"Don’t Call the Police," Pogson concludes.

There is no limit to how bad malware can be. It can range all the way from sending spam e-mail from your machines to selling all customer lists and sabotaging data by rot over a long period of time so that by the time you catch it weeks of work could go down the drain. The worst case is killing your operation through lawsuits charging negligence in allowing disaster to happen when reasonable people know you do not allow malware to run on your systems.


Running Windows is truly a liability. Windows was never designed to be secure.

"There was no strategic direction from Bill and Ballmer about these two things. It was like, 'Well we have these two things, DOS and Windows, and do we have to run on top of this new multitasking DOS? Are we running on top of DOS 3.0 and we just ignore those guys?' That went on for a year, this lack of strategic direction. And we just made our own decisions."

--Steve Wood, one of the first Microsoft developers



Recent Techrights' Posts

More Information About Public Talks That Richard Stallman Gave This Week in Europe
Two talks in Switzerland
SoylentNews Grows Up, Registers as a Business, Site Traffic Reportedly Grows
More people realise that social control media may in fact be a passing fad
 
Links 29/03/2024: Fentanylware (TikTok) Fines and UK High Court Makes It Seem OK to Assassinate People Wrongly (Falsely) Associated With "Russia"
Links for the day
Garden Season Starts Today
Outdoor time, officially...
Engadget is Still a Spamfarm, It's Just an Amazon Catalogue (SPAM/SEO), a Sea of Junk Disguised as "Articles" With Few 'Fillers' (Real Articles) in Between
Engadget writes for bots now, not for humans
Richard Stallman's Talks in Switzerland This Week
We need to put an end to 'cancer culture'; it's trying to kill people and it is even swatting people
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Thursday, March 28, 2024
IRC logs for Thursday, March 28, 2024
[Meme] EPO's New Ways of Working (NWoW), a.k.a. You Don't Even Get a Desk at Work and Cannot be Near Known Colleagues
Seems more like union-busting (divide and rule)
Hiding Microsoft's Culpability in Security Breaches and Other Major Blunders (in the United Kingdom, This May Mean You Can't Get Food)
Total Cost of Ownership (TCO) is vast
Giving back to the community
Reprinted with permission from Daniel Pocock
Links 28/03/2024: Sega, Nintendo, and Bell Layoffs
Links for the day
Open letter to the ACM regarding Codes of Conduct impersonating the Code of Ethics
Reprinted with permission from Daniel Pocock
With 9 Mentions of Azure In Its Latest Blog Post, Canonical is Again Promoting Microsoft and Intel Vendor Lock-in, Surveillance, Back Doors, Considerable Power Waste, and Defects That Cannot be Fixed
Microsoft did not even have to buy Canonical (for Canonical to act like it happened)
Links 28/03/2024: GAFAM Replacing Full-Time Workers With Interns Now
Links for the day
Consent & Debian's illegitimate constitution
Reprinted with permission from Daniel Pocock
The Time Our Server Host Died in a Car Accident
If Debian has internal problems, then they need to be illuminated and then tackled, at the very least in order to ensure we do not end up with "Deadian"
China's New 'IT' Rules Are a Massive Headache for Microsoft
On the issue of China we're neutral except when it comes to human rights issues
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Wednesday, March 27, 2024
IRC logs for Wednesday, March 27, 2024
WeMakeFedora.org: harassment decision, victory for volunteers and Fedora Foundations
Reprinted with permission from Daniel Pocock
Links 27/03/2024: Terrorism Grows in Africa, Unemployment in Finland Rose Sharply in a Year, Chinese Aggression Escalates
Links for the day
Links 27/03/2024: Ericsson and Tencent Layoffs
Links for the day
Amid Online Reports of XBox Sales Collapsing, Mass Layoffs in More Teams, and Windows Making Things Worse (Admission of Losses, Rumours About XBox Canceled as a Hardware Unit)...
Windows has loads of issues, also as a gaming platform
Links 27/03/2024: BBC Resorts to CG Cruft, Akamai Blocking Blunders in Piracy Shield
Links for the day
Android Approaches 90% of the Operating Systems Market in Chad (Windows Down From 99.5% 15 Years Ago to Just 2.5% Right Now)
Windows is down to about 2% on the Web-connected client side as measured by statCounter
Sainsbury's: Let Them Eat Yoghurts (and Microsoft Downtimes When They Need Proper Food)
a social control media 'scandal' this week
IRC Proceedings: Tuesday, March 26, 2024
IRC logs for Tuesday, March 26, 2024
Over at Tux Machines...
GNU/Linux news for the past day
Windows/Client at Microsoft Falling Sharply (Well Over 10% Decline Every Quarter), So For His Next Trick the Ponzi in Chief Merges Units, Spices Everything Up With "AI"
Hiding the steep decline of Windows/Client at Microsoft?
Free technology in housing and construction
Reprinted with permission from Daniel Pocock
We Need Open Standards With Free Software Implementations, Not "Interoperability" Alone
Sadly we're confronting misguided managers and a bunch of clowns trying to herd us all - sometimes without consent - into "clown computing"
Microsoft's Collapse in the Web Server Space Continued This Month
Microsoft is the "2%", just like Windows in some countries