Bonum Certa Men Certa

Microsoft Angers the World by Asking for a Form of Security Bailout, More Fundamental Windows Flaws Found

Screaming



Summary: Microsoft's recommendation of "Internet tax" for removing Windows botnets/zombies doesn't fly; Windows DEP (data execution prevention) is busted

EARLIER in the week we wrote about Microsoft's Charney suggesting that everyone -- UNIX and Linux users included -- should pay [1, 2] to compensate for Microsoft's own negligence [1, 2, 3]. Many people already pay for the damage collectively; for instance, if banks lose money due to zombie Windows PCs that compromise accounts, then interest rates will be lessened. These are some of the hidden costs everyone pays for Microsoft's incompetence. In Germany, it's hardly even hidden anymore.



"Microsoft's Laugh-a-Minute Show Continues," says Glyn Moody regarding Microsoft's arrogant suggestion.

Can you believe it? Microsoft's lousy programming has caused *billions* of pounds worth of damage to the global economy in terms of downtime, lost files (and probably blood pressure problems) and it has the bare-faced cheek to suggest there should be an “Internet usage tax” on *everyone* (including GNU/Linux users) to pay for the rectification of *its* mistakes? No wonder Scott Charney has the humorous and manifestly self-contradictory title of “Microsoft Corporate Vice President for Trustworthy Computing”....


Here is another response: "Taxing every citizen for Microsoft Windows problems? Are we insane?"

Just when you think you've heard everything, something new arrives. Two years ago, we heard that half a million computers are infected with malicious bots every day (a "bot" is a software program that enters your computer from the Internet or inside infected files, then runs in the background to steal your data, send spam or wreak havoc in some other way).

This is a huge problem both because we depend on digital data in too many ways to explain them here (but you may read about them in the Open Government Book) and because of environmental reasons. According to a McAfee report published in May 2009 the amount of energy used every year to transmit, process and filter spam would be enough to power 2.4 million homes, with the same Greenhouse Gas emissions as 3.1 million passenger cars.

On March 2nd, 2010, Microsoft Corporate Vice President for Trustworthy Computing Scott Charney spoke at a computer security conference about this very theme, that is how to fight the damages caused by computers infected by bots (or "malware").

According to the summary published on ComputerWorld, Mr Charney started correctly. He pointed out that, just as there are quarantine programs for people with infective diseases, the same thing should happen with people who have computers infected by malware but, for any reasons, won't fix them up as soon as possible: such people should not be allowed to go online until their computer is clean and safe.


Windows is insecure not because people are negligent; Microsoft itself is extremely negligent and there are many examples of this. "Typical Windows user patches every 5 days," says this new report from IDG (quoting Secunia).

75 Microsoft, third-party patch events each year are a burden most users can't bear, says Secunia


Here is Berend-Jan Weve finding another security problem in Windows. From SJVN:

Honest to God I don't go around trying to pick on Windows for its security problems, but the hackers keep finding new ways to break into it. And, this time, they've found a doozie. Berend-Jan Wever, aka "Skylined," a Google security software engineer has busted DEP (data execution prevention), one of the few significant security improvements Microsoft has made to Windows.

DEP, which was added to Windows back in August 2004 in XP SP2. It addressed the very common hacking technique of buffer overflows. In a buffer overflow attack, a malicious program tries to overwrite the buffer, the amount of memory a program has been allocated for running its code in. By so doing, a buffer overflow overwrites memory that may or may not have been allocated to other programs. In either case, it can then use this overwritten memory for its own purposes. Usually this means running malware or even taking over the computer itself.

[...]

Unfortunately, Wever, using a variation of a hacking technique he helped perfect called heap-spraying has busted DEP. In heap-spraying, the attack code made an educated guess at where vulnerable memory that could be used to execute unapproved programs could be found. In Wever's latest trick, the attacking code looks for clues on where to find memory that's allowed by DEP to run programs. Once armed with this information, the attack code can then successfully plant itself in the system.

While the attack code isn't ready to go for any script-kiddie, as Wever himself points out, he has given enough information on how to defeat DEP that it's only a matter of time before a competent cracker uses the code to start enabling new attacks.

[...]

In short, if you're running 32-bit Windows of any sort-XP, Vista, 7, Server 2008-you can look 'forward' to being even more vulnerable to attacks. Have I mentioned lately that I tend to do most of my desktop computing with Linux? Well, I am. This exploit opens up a new and huge hole in Windows' already vulnerable defenses.


For some of its better enhancements to security, Microsoft relies on Free software in the form of firewalls, even virus scanners.

The open source ClamAV project is often used on servers as a way to scan and secure e-mail gateways and Windows file shares. Now ClamAV is coming to the Windows desktop too, by way of the cloud.


Vista 7 is not a solution because it's not secure either. See the links below.

  1. Cybercrime Rises and Vista 7 is Already Open to Hijackers
  2. Vista 7: Broken Apart Before Arrival
  3. Department of Homeland Security 'Poisoned' by Microsoft; Vista 7 is Open to Hijackers Again
  4. Vista 7 Security “Cannot be Fixed. It's a Design Problem.”
  5. Why Vista 7 Could be the Least Secure Operating System Ever
  6. Journalists Suggest Banning Windows, Maybe Suing Microsoft Over DDoS Attacks
  7. Vista 7 Vulnerable to Latest “Critical” Flaws
  8. Vista 7 Seemingly Affected by Several More “Critical” Flaws This Month
  9. Reason #1 to Avoid Vista 7: Insecurity
  10. Vista 7 Left Hijackable Again (Almost a Monthly Recurrence)
  11. Trend Micro: Vista 7 Less Secure Than Vista
  12. Vista 7 Less Secure Than Predecessors? Remote BSoD Now Possible!

Comments

Recent Techrights' Posts

Terms of Service (TOS) Under Scrutiny - Part XV - "Zoom's terms of service change sparks worries over AI uses" (and More)
Then they wonder why users get all grumpy?
IBM is Cutting - Almost in Half - Its Office Space in Austin, So Expect Many Layoffs (RAs)
IBM reduces office space by 187,00 square feet or 37%
IRC Proceedings: Saturday, September 07, 2024
IRC logs for Saturday, September 07, 2024
They Used to Say Avoid Nginx (or NGINX) Because It's Russian. Now You Can Say Avoid It Because It's Microsoft.
Thankfully we quit using NGINX when we shut down our HTTP proxy for Gemini
Instead of Telegram People Should Use Free Software (Telegram Was Always Unsafe for Use)
"Modern" so-called 'smart' 'phones' are compromised at the OS level or baseband side
Techrights is a Demonstrably Popular Site, Reporting Suppressed Facts. Those Vouching for Its 'Unpopularity' Express a Desire Rather Than a Condition or a Fact.
Our 100% source protection record will hold up
Terms of Service (TOS) Under Scrutiny - Part XIV - Zoom the Beast
breakdown of the Zoom TOS and corresponding privacy statement
 
Peter Eckersley and 'Afterlife'
It's better to look after one's health at present than to pursue all sorts of perceived 'insurance' policies
Terms of Service (TOS) Under Scrutiny - Part XVI - When Radio is No Longer "Read-Only" (Listening Mode) Because Someone Listens and Sells Your Data
Who would want to put up with this?
redhat.com is Promoting Revisionism and Lies Regarding the Origin of the Term "Open Source"
debunked many times before
Software Patents Against GNU/Linux Again
Patent extortion against OpenShift and Red Hat Enterprise Linux
Over at Tux Machines...
GNU/Linux news for the past day
Gemini Links 07/09/2024: Self Hosting (Not "CLOUD") and Site Reliability Engineering
Links for the day
The Arrest of Pavel Durov is Changing Telegram
Remember that Telegram's founder, who is also French, cannot leave France until he satisfies those who detained him
The Growth of GNU/Linux is Now a Mainstream Topic With Widespread Awareness
We can do less counting (of baskets and eggs) and more advocacy
The Free Software Movement Must Not Assume That Truth and Science Always Win
Sometimes the bad people and the liars get ahead
John Pilger's Site Relaunches, Wikileaks' Site Has Not Been Updated in Years
We have long hoped that, more so after the release of Assange, Wikileaks will have some kind of "relaunch" or recovery
Rage in the Propaganda Machine
There has never been a better time to quit social control media
Certificate Authorities (CAs) Are Serving the Authorities, Not You
The centralised CAs "model" is not working
A Terms of Service (TOS) Notion of "Consent"
We're well past the true notion of real consent
Links 07/09/2024: Qualcomm May Buy Parts of Intel, YouTube Deletes Channels for the US Government
Links for the day
No, Mastodon is Not Growing, Social Control Media is Generally Waning
Our sister site pulled the plug on the whole thing over a year ago, seeing it was mostly a source of online abuse
A Loss for Fake Security, a Win for Net Autonomy
Crucifixion of domains has been ramping up this past week; it's a cautionary signal
Links 07/09/2024: UK Police Raid Journalist's Home, Epoch Times Setbacks, and Karma
Links for the day
FSFE: Donate to Us to Co-Fund With Microsoft the Unpaid Underage Labour, YH4F
Latest from FSFE
Links 07/09/2024: China's Financial "Bond" to Africa and Attempts to Postpone Trump Criminal Cases
Links for the day
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Friday, September 06, 2024
IRC logs for Friday, September 06, 2024
linuxsecurity.com is Still Spamming the Web
This is not harmless to Linux and it definitely merits a shun
Gemini Links 07/09/2024: Freedom in Bareness, Reactions in Addictive Social Control Media
Links for the day
Why We Are Suing Matthew J. Garrett for Harassment and Why It's Important to Everybody in the Community
There's a limit to how much abuse to me and to my family I can tolerate for the act of merely reporting on corporate corruption
[Meme] Confused Michael
Teaser...
Links 06/09/2024: Censorship of Sites by US, Hype Around LLMs Noted
Links for the day
[Meme] Hijacking the Brands
"Linux? Ah, you mean Microsoft!"
Google: We Help Combat What We Are Guilty of
The search itself is a conflict of interest
Linux Foundation Technical Advisory Board Has Election, But Google is Already Guaranteed Over 33.3% of the Seats ('Reserved' for It)
It has too much power/influence and it looks like a stacked panel
[Video] Theodore Ts'o Says How He Brought Linux to the United States (MIT) and What Makes Linux Leadership Effective
Microsofters keep attacking him
Layoffs Are Healthy and Not Happening
Good news for a change?
[Meme] Trickle-Down Ponzi Scheme
Where does money actually come from?
Considering Microsoft's Totally Fake Finances It Too is at Risk of Being Delisted From the Dow Jones Industrial Average and Other Indexes (NASDAQ, S and P) in the Near Future
Microsoft and Apple both had many layoffs this year
Asking Ourselves What Topics to Strategically Focus on
A lot of the tech media - if not "mainstream" media too - is already covering the growth of GNU/Linux
Media Needs to Stop Asking If "AI" is Just Hype (It Is, It's Not a Question)
The media should stop asking if the "AI" thing is bubble about to pop
Lots of GNU/Linux Detected in Palau and Windows Falls to New All-Time Low (14%)
Windows is falling further
Gemini Links 06/09/2024: Degoogling, LLMs, and ROOPHLOCH
Links for the day
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Thursday, September 05, 2024
IRC logs for Thursday, September 05, 2024