Bonum Certa Men Certa

Eye on Microsoft: This Week's Security Hall of Shame

Summary: Microsoft security news from the past few days

Microsoft patches huge Windows 7 RC bug (that's not a bug, it's just release candidate by Microsoft's standards)

Just days after it launched Windows 7 Release Candidate (RC), Microsoft has released a fix for a major flaw that slipped through testing.

[...]

"The folder that is created as the root folder of the system drive (%SystemDrive%) is missing entries in its security descriptor," Microsoft acknowledged in the support article. "One effect of this problem is that standard users such as non-administrators cannot perform all operations to subfolders that are created directly under the root. Therefore, applications that reference folders under the root may not install successfully or may not uninstall successfully. Additionally, operations or applications that reference these folders may fail."


Pirates on Board the M.S. MoneyTanker!

Microsoft needs to be regulated, forced, coerced, sued and hammered on until they start up a substantial anti-botnet, anti-piracy effort that goes on the offensive against infected systems running their software.

[...]

Personally I'm tired of Microsoft's passive stance on allowing their customer's computers to be used as Internet versions of Typhoid Mary. They need to be held to account. There are lemon laws for bad cars. Doctors get sued for mal-practice. The EULA only protects Microsoft. Its about time that there was a balance between users as a class or an economic force and Microsoft.

Scare the hell out of the stockholders with a $25 billion fine and maybe Microsoft will move to tighten up OS install security.

Crackers who get caught and prosecuted are fined for their activity. So why can't Microsoft be fined for their apparent malpractice or indifference in really locking down security around their operating system image?


Please Join me in welcoming memcpy() to the SDL Rogues Gallery

Because we have seen many security vulnerabilities in products from Microsoft and many others, including ISVs and competitors, and because we have a viable replacement, I am “proud” to announce that we intend to add memcpy() will to the SDL C and C++ banned API list later this year as we make further revisions to the SDL. Right now, memcpy() is on the SDL Recommended banned list, but will soon be added to the SDL banned API requirement list now that we have more feedback from Microsoft product groups.


Organised crime cops seek international hacking powers

British law enforcement agents are quietly working with European counterparts on changes to national legislation that will allow them to share intelligence gained by hacking into suspects' PCs.

Sharon Lemon, director of the Serious and Organised Crime Agency's (SOCA) e-crime unit, told The Register data laws in some EU countries make it impossible for investigators to obtain and pool data covertly.


Malware infested MPs' PCs inflate leak risk

"That's one of those irregular verbs, isn't it? I give confidential security briefings. You leak. He has been charged under section 2a of the Official Secrets Act." (Bernard Woolley, Yes Minister)

The ongoing MPs' expenses row has brought public opinion of politics and politicians in the UK, never very high, towards unplumbed depths.

Embarrassing disclosures about how politicians across the political spectrum subsidised their living expense from the public purse follow hard on the heels of leaked emails regarding a proposed New Labour smear campaign against senior Tories, cobbled together by spin doctors Derek Draper and Brown aide Damian McBride in the style of In the Loop's Malcolm Tucker.


Hackers 'destroy' flight sim site

Flight simulator site Avsim has been "destroyed" by malicious hackers.

The site, which launched in 1996, covered all aspects of flight simulation, although its main focus was on Microsoft's Flight Simulator.


Microsoft update closes fourteen vulnerabilities in PowerPoint (14 "critical")

Although, as announced, Microsoft is distributing only a single update (MS09-017), it's a biggie that closes fourteen security vulnerabilities in PowerPoint 2000, 2002, 2003 and 2007, and in PowerPoint Viewer 2003 and 2007.


IIS 6 + Webdav auth bypass and data upload (more here)

In other words Microsoft, certainly through the late addition of Unicode support to IIS, failed to realise that converting chars to unicode representation should happen before any "security" checks. So the flaw was one of logic, Unicode convertion after the security check.


Conficker Worm Infects Hospital MRI Machines

The Conficker worm has found its way into nearly 300 MRI machines and other hospital equipment that’s connected to the Internet, say security experts who are monitoring the massive computer worm. Security workers at the Internet Storm Center, tracked Conficker to an MRI machine in a hospital when the machine’s computer connected to the worm’s command and control center for instructions.


Recent Techrights' Posts

[Meme] From Checked by Three Examiners to Gone (Granted) in 3 Seconds!
twice as many monopolies with 10% less staff
EPO Staff Representatives Explain the Latest Corruption at the EPO in a New Paper
Owing to corrupt management the EPO has resorted to corporate crime or organised crime designed to benefit large corporations. Who will pay the price? Everybody else in Europe.
Saudi Arabia and Its Footprint in X/Twitter
a massive proportion of pro-ISIS accounts in Twitter were operated from Saudi Arabia or by Saudi Arabians
 
Wine Took the Bait (Mono), Soon Starts the Microsoft Circus With the Banhammer
large companies are exercising more control over the thing/s they claim to "donate" to
Richard M. Stallman Explains Why the Web Becoming a Pile of Proprietary JavaScript Programs (Not Pages to Render) Does Harm to Web Users
"The web was designed to let users control how that data would be rendered but businesses didn't like that."
Links 13/09/2024: Crackdowns on Bloggers, Deepfakes, Internet Archive‘s Wayback Machine Now in Google Search
Links for the day
RedMonk: September the Month of the Mouth of Redmond (Still)
the usual storyline, i.e. what's not controlled by Microsoft's proprietary GitHub simply does not exist
Links 13/09/2024: Disinformation in Focus, End of Presidential Debates (Trump Accepts It Hurts Him)
Links for the day
Mono as a Double-Purpose Trojan Horse Inside Wine
And now they can oust founders and top contributor with a CoC
This is How Bad Things Have Become at Microsoft
We're seeing nearly 80 reports in English about those layoffs
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Thursday, September 12, 2024
IRC logs for Thursday, September 12, 2024
Links 13/09/2024: Recorded Future Bought by MasterCard, Bits of Freedom Turns 25
Links for the day
Gemini Links 13/09/2024: Towards Aristocratic Personal Computing, Technology and Privac
Links for the day
Once Again, Mass Layoffs at Microsoft (Just Like Every Month This Year)
Reporting and articles trickling in (in recent hours)
Rumour: Layoffs in IBM Consulting Today
IBM has had many layoffs lately
Microsoft Has Infiltrated the OSI and Its Moles (Whom It Pays to Speak 'for' OSI) Control the Narrative
This is utterly grotesque
Links 12/09/2024: Apple Owes a Lot of Money, Repressions and Censorship of Activists Noted
Links for the day
Anniversaries Coming Up
Probably the funnest year of our lives, and definitely the most productive
In Europe, Vista 11 Grew Only 3% (Relative to Other Windows Versions) This Year
That's a huge problem for Microsoft
Google's YouTube Censorship Has Gotten a Lot Worse and Anti-scientific (for Commercial Reasons)
By today's standards, YouTube is not something RMS can (or would) use
Google Appears to Have Broken Every Single Instance of Invidious. It's a Wake-up Call, Please Stop Uploading Videos to YouTube.
Including videos of Free software events
[Meme] Video Uploads Improved
The tools are all in our self-hosted Git repository and the licence is, as usual, AGPLv3
Apple Event as Fine Example of the "IT" Circus
It's not clear if the enemy of Free software is a company like Apple is simply public ignorance that Apple keeps fostering
Imposters Inheriting Institutions
Dealing with the "imposter syndrome"
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Wednesday, September 11, 2024
IRC logs for Wednesday, September 11, 2024
Gemini Links 12/09/2024: Clean Island and VCFMW19
Links for the day
Links 11/09/2024: EPO Patents Tossed Out by Courts, Software Patent Reveals Ford "Tech That Listens to Driver Conversations to Serve Ads"
Links for the day
More "Linux" SEO SPAM, Wrapped Up as Clown Computing, Composed by a "Bullshit Generator" (LLM)
linuxsecurity.com at it again this week
"Linux" and Linux.com Diploma Mill
The front page of Linux.com right now is the usual nonsense
[Meme] The Ponzi Scheme That Eats Rivals (by Paying Them to Stop Competing)
Why compete when you can bribe and defang antitrust authorities?
In 2006 We Had a Novell Problem and Now We Have Several Novells
Microsoft thorns inside the community
Richard M. Stallman (RMS) Debunks Misconceptions About What Free Software Means and Explains How It Works
Free software means people (including users and developers) exercise control over the program, not the programmers
Links 11/09/2024: ROOPHLOCH Report, Small Web Experiences, and Cohost Effectively Dead
Links for the day
Links 11/09/2024: Russia Enters Latvia With Drone, Truth Social Stock Crashes
Links for the day
Certificate Authority Let's Encrypt Has Fallen From 12% in Geminispace to Just 1.2% in Two Years (Capsules Usually Self-Sign Their Certificates)
Don't ask the imposters about security
The "IT Industry" is Full of Imposters (It's a Growing Crisis)
They often manage the companies
Richard Stallman Explains Stochastic Parrots (LLMs)
From his latest talk
The Toys of Today's Kids and Coordination Woes, Not to Mention a Lack of Social Skills
Too much time indoors, too much screen time
Dispelling the Notion That Microsoft is Political Left
Microsoft not only got bailed out (several times) by Donald Trump but also approached him to take over TikTok without paying for it
Linus Torvalds, the Son of a Politician, Tries to Stay Out of Politics (or Political Topics)
"I'm just a geek" has its limits in practice
Richard Stallman Still Deals With Politics
Stallman's gonna Stallman
GAFAM Not Invincible
The US has an election very soon and Microsoft is already bribing candidates for deregulation and favours, based on press reports
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Tuesday, September 10, 2024
IRC logs for Tuesday, September 10, 2024
The Greatest Show on Earth (Buzzwords Circus)
What next? Being denied medical service because you don't have a Facebook account?
Gemini Links 11/09/2024: Happiness, Improvised Nebuliser, and olden Age of Palm OS
Links for the day