Bonum Certa Men Certa

Eye on Microsoft: This Week's Security Hall of Shame

Summary: Microsoft security news from the past few days

Microsoft patches huge Windows 7 RC bug (that's not a bug, it's just release candidate by Microsoft's standards)

Just days after it launched Windows 7 Release Candidate (RC), Microsoft has released a fix for a major flaw that slipped through testing.

[...]

"The folder that is created as the root folder of the system drive (%SystemDrive%) is missing entries in its security descriptor," Microsoft acknowledged in the support article. "One effect of this problem is that standard users such as non-administrators cannot perform all operations to subfolders that are created directly under the root. Therefore, applications that reference folders under the root may not install successfully or may not uninstall successfully. Additionally, operations or applications that reference these folders may fail."








Pirates on Board the M.S. MoneyTanker!

Microsoft needs to be regulated, forced, coerced, sued and hammered on until they start up a substantial anti-botnet, anti-piracy effort that goes on the offensive against infected systems running their software.

[...]

Personally I'm tired of Microsoft's passive stance on allowing their customer's computers to be used as Internet versions of Typhoid Mary. They need to be held to account. There are lemon laws for bad cars. Doctors get sued for mal-practice. The EULA only protects Microsoft. Its about time that there was a balance between users as a class or an economic force and Microsoft.

Scare the hell out of the stockholders with a $25 billion fine and maybe Microsoft will move to tighten up OS install security.

Crackers who get caught and prosecuted are fined for their activity. So why can't Microsoft be fined for their apparent malpractice or indifference in really locking down security around their operating system image?














Please Join me in welcoming memcpy() to the SDL Rogues Gallery

Because we have seen many security vulnerabilities in products from Microsoft and many others, including ISVs and competitors, and because we have a viable replacement, I am “proud” to announce that we intend to add memcpy() will to the SDL C and C++ banned API list later this year as we make further revisions to the SDL. Right now, memcpy() is on the SDL Recommended banned list, but will soon be added to the SDL banned API requirement list now that we have more feedback from Microsoft product groups.










Organised crime cops seek international hacking powers

British law enforcement agents are quietly working with European counterparts on changes to national legislation that will allow them to share intelligence gained by hacking into suspects' PCs.

Sharon Lemon, director of the Serious and Organised Crime Agency's (SOCA) e-crime unit, told The Register data laws in some EU countries make it impossible for investigators to obtain and pool data covertly.










Malware infested MPs' PCs inflate leak risk

"That's one of those irregular verbs, isn't it? I give confidential security briefings. You leak. He has been charged under section 2a of the Official Secrets Act." (Bernard Woolley, Yes Minister)

The ongoing MPs' expenses row has brought public opinion of politics and politicians in the UK, never very high, towards unplumbed depths.

Embarrassing disclosures about how politicians across the political spectrum subsidised their living expense from the public purse follow hard on the heels of leaked emails regarding a proposed New Labour smear campaign against senior Tories, cobbled together by spin doctors Derek Draper and Brown aide Damian McBride in the style of In the Loop's Malcolm Tucker.
















Hackers 'destroy' flight sim site

Flight simulator site Avsim has been "destroyed" by malicious hackers.

The site, which launched in 1996, covered all aspects of flight simulation, although its main focus was on Microsoft's Flight Simulator.








Microsoft update closes fourteen vulnerabilities in PowerPoint (14 "critical")

Although, as announced, Microsoft is distributing only a single update (MS09-017), it's a biggie that closes fourteen security vulnerabilities in PowerPoint 2000, 2002, 2003 and 2007, and in PowerPoint Viewer 2003 and 2007.






IIS 6 + Webdav auth bypass and data upload (more here)

In other words Microsoft, certainly through the late addition of Unicode support to IIS, failed to realise that converting chars to unicode representation should happen before any "security" checks. So the flaw was one of logic, Unicode convertion after the security check.






Conficker Worm Infects Hospital MRI Machines

The Conficker worm has found its way into nearly 300 MRI machines and other hospital equipment that’s connected to the Internet, say security experts who are monitoring the massive computer worm. Security workers at the Internet Storm Center, tracked Conficker to an MRI machine in a hospital when the machine’s computer connected to the worm’s command and control center for instructions.




Recent Techrights' Posts

A Lot of Technological 'Progress' Has Been Nothing But Buzzwords
Free software does not try to excite people people over nothing
Proprietary Software: Here Today, Gone Tomorrow
Proprietary software has an entirely different mindset, revolving around business models rather than science
Web Hostnames Down to Lowest Number in More Than 7 Years!
the number of hostnames is falling rapidly (they hide this by choosing logarithmic scale)
Over at Tux Machines...
2 days' worth
Stop Begging Companies That Don't Value Your Freedom to Stop Pushing You Around
That's not freedom
The forbidden topics
There are forbidden topics in the hacker community
 
Better Footage of Richard Stallman's Talk Last Week: “Freedom in computing, forty years after starting to really protect it”
Richard Stallman speaks about the cancer situation early in his speech
Links 30/09/2023: A Government Shutdown and More Blizzard Layoffs
Links for the day
Links 30/09/2023: Bing Almost Offloaded Due to Failure/Losses, Nvidia Raided
Links for the day
Community is the Lifeblood of Freedom in the GNU/Linux World
Removing or undoing the "cancerd" (systemd) is feasible but increasingly difficult
Richard Stallman Says He Will Probably Live Many More Years
"Richard Stallman has cancer. Fortunately it is slow-growing and manageable follicular lymphona, so he will probably live many more years nonetheless. But he now has to be even more careful not to catch Covid-19."
Quitting 'Clown Computing' and GAFAM is Only the Start
The Web and the Net at large became far too centralised
They Say Free Software is Like Communism When They, the Proprietary Software Giants, Constantly Pursue Government Bailouts (Subsidies From Taxpayers)
At the moment Ukraine is at most risk due to its dependence on Microsoft (inside its infrastructure)
Social Control Media Has No Future, It Was Always Doomed to Fail (Also Promoted Based on Lies)
Recent events, including developments at Twitter, meant that they lost a lot of their audience and then, in turn, sponsors/advertisers
They're Been Trying to 'Kill' Richard Stallman for Years (by Mentally Tormenting Him)
Malicious tongue wanted to do him what had been done to Julian Assange
We Temporarily Have Two Gemini Capsules
They're both authentic and secure, but they're not the same
Consumerism is Lying and Revisionism
We need to reject these liars and charlatans
Links 30/09/2023: Open VFS Framework, CrossOver 23.5, Dianne Feinstein Dies
Links for the day
Security Leftovers
GNU/Linux, Microsoft, and more
Microsoft Down on the World Wide Web, Shows Survey
down by a lot in this category
IRC Proceedings: Friday, September 29, 2023
IRC logs for Friday, September 29, 2023
A Society That Fails Journalists Does Not Deserve Journalism
It's probably too later to save Julian Assange as a working publisher (he might never recover from the mental torture), but as a person and a father we can wish and work towards his release
Almost Nothing To Go With Your Morning's Cup Of Coffee
Newspaper? What newspaper?
Techrights Was Right About the Chaff Bots (They Failed to Live up to Their Promise)
Those who have been paying attention to news of substance rather than fashionable "tech trends" probably know that GNU/Linux grew a lot this year
Selling Out to Microsoft Makes You Dead Beef
If all goes as well as we've envisioned, Microsoft will get smaller and smaller
Curation and Preservation Work
The winter is coming soon and this means our anniversary is near
Mobile Phones Aren't Your Friend or a Gateway to Truly Social Life
Newer should not always seem more seductive, as novelty is by default questionable and debatable
Links 29/09/2023: Disinformation and Monopolies
Links for the day
iFixit Requests DMCA Exemption…To Figure Out How To Repair McDonald’s Ice Cream Machines
Reprinted with permission from Ryan Farmer
Jim Zemlin Thinks the World's Largest Software Company Has 200 Staff, Many of Whom Not Technical at All
biggest ego in the world
Microsoft GitHub Exposé — In the Alex Graveley Case, His Lawyer, Rick Cofer, Appears to Have Bribed the DA to Keep Graveley (and Others) Out of Prison
Is this how one gets out of prison? Hire the person who bribes the DA?
Richard Stallman's Public Talk in GNU's 40th Anniversary Ceremony
Out now
Links 29/09/2023: Linux Foundation Boasting, QLite FDW 2.4.0 Released
Links for the day
Red Hat Does Not Understand Community and It's Publicly Promoting Microsoft's Gartner
RedHat.com is basically lioning a firm that has long been attacking GNU/Linux in the private and public sectors at the behest of Microsoft
A 'Code of Conduct' Typically Promoted by Criminal Corporations to Protect Crimes From Scrutiny
We saw this in action last week
Objections to binutils CoC
LXO response to proposed Code of Conduct
Conde Nast (Reddit), Which Endlessly Defamed Richard Stallman and Had Paid Salaries to Microsoft-Connected Pedophiles, Says You Must Be Over 18 to See 'Stallman Was Right'
Does this get in the way of their Bill Gates-sponsored "Bill Gates says" programme/schedule?
Techrights Extends Wishes of Good Health to Richard M. Stallman
Richard Stallman has cancer
endsoftwarepatents.org Still Going, Some Good News From Canada
a blow to software patents in Canada
The Debian Project Leader said the main thing Debian lacked was more contributors
The Debian Project Leader said the main thing Debian lacked was more contributors
IRC Proceedings: Thursday, September 28, 2023
IRC logs for Thursday, September 28, 2023
Links 28/09/2023: Openwashing and Patent Spam as 'News'
Links for the day