The Evil Empire - August 2002 Archive
Friday, August 30, 2002
|
Lots of other things to do, so I'm going offline for a week. I should be back online and blogging on happily next Friday, September 6th. Until then, have fun and take care.
|
|
|
Thursday, August 29, 2002
|
Microsoft said Wednesday that a critical flaw in most versions of the company's Windows operating system could allow malicious attackers to corrupt the digital certificates that PCs use to connect to network services. The vulnerability can be exploited via a specially coded ActiveX control embedded in hypertext markup language (HTML), the lingua franca of the Web. To fall victim to an attack, a PC user would have to browse a Web site, or open an HTML e-mail, specifically set up to take advantage of the vulnerability. [CNET News.com]
|
|
|
Wednesday, August 28, 2002
|
A certain remote root vulnerability in a Microsoft application called File Transfer Manager (FTM), a gimmick for developers, beta testers and volume license addicts (i.e., most of their corporate customers) alike, is not serious and there's almost no chance that it can be used against you -- says Microsoft. The reality is somewhat harsher. [The Register]
|
|
Microsoft software security widely used for Internet banking and e-commerce can be easily circumvented, and customer accounts at several of Sweden's largest banks remain at risk as a result, a computer expert said in a Reuters report. The expert showed how to crack the security systems for Internet banking, breaking into three of Sweden's big four banks in quick succession. He was then able to show how to conceal his tracks, making detection difficult afterward. [Macfixit]
|
|
|
Tuesday, August 27, 2002
|
And uncrack cracked systems. Well, I guess they are legally entitled to do this. Still, they're putting a lot of effort into this. Makes you wonder... [The Register]
|
|
|
Friday, August 23, 2002
|
Microsoft yesterday said that "critical" security lapses in its Office software and Internet Explorer Web browser put tens of millions of users at risk of having their files read and altered by online attackers, according to a CNN report. An attacker, using e-mail or a Web page, could use Internet related parts of Office to run programs, alter data and wipe out the hard drive as well as view file and clipboard contents on a user's system [The Macintosh News Network]
|
|
What the heck is .NET anyway? I know what it is supposed to be -- an uber-platform that will launch and support all things e-commerce- and Web-related for Microsoft. But depending on one's perspective, it also can be seen as an elusive phantom designed to titillate customers and inspire fear in competitors. [osOpinion]
|
|
Earlier this week Microsoft posted details of a large number of APIs in the MSDN library. This publication is intended to comply with the terms of the MS-DoJ proposed settlement to the antitrust suit, and is part of a process whereby Microsoft 'levels the playing field' for rival software publishers and developers by disclosing APIs and protocols, and offering them for license. But the API disclosure seems at best utterly irrelevant, and at worst counter-productive, because it is not complete, and some of the information is misleading or wrong. [The Register]
|
|
On Thursday, Microsoft issued a cumulative patch for its Internet Explorer Web browser that also fixes six new vulnerabilities, the most serious of which could enable an attacker to take control over a user's system, Microsoft said.
All currently-supported versions of Internet Explorer, 5.01, 5.5, and 6.0, are affected, putting tens of millions of Internet users at risk. Internet Explorer is the world's most popular Web browser. Microsoft urges all users to immediately apply the patch, it said in security bulletin MS02-047.
Versions of Internet Explorer that are no longer supported could also be vulnerable, Microsoft noted. [InfoWorld: Top News]
|
|
|
Wednesday, August 21, 2002
|
From Wired: Microsoft gives money to the University of Waterloo in a research partnership. The school offers a new course in the company's programming language. More than a coincidence? [Wired News]
|
|
A hole in software used by subscribers to the giant's volume licensing program, developer network and other services leaves computers vulnerable to takeover. [CNET News.com]
|
|
|
Tuesday, August 20, 2002
|
Bugtraq reports a new security hole in the Microsoft Windows Help and Support Center, which allows a malicious web site to remotely delete files from a computer. This should be fixed in the Windows XP SP1 release.
|
|
|
Monday, August 19, 2002
|
Microsoft's commitment to security, specifically its Trustworthy Computing initiative, is being questioned after its inaction regarding two new reports of security vulnerabilities in its products. [eWeek via MyAppleMenu]
|
|
|
Wednesday, August 14, 2002
|
From BusinessWeek: Microsoft's trap was to let itself get hooked on mediocrity. Rather than invent exciting new products, the company focused on selling incremental improvements of its flagship Office suite every two or three years. But users have wised up. Increasingly, they're not willing to pay hundreds of dollars for a package of small changes. Recent industry surveys show that users now only upgrade software such as Office when they buy a new computer, sales of which have slowed sharply in the past two years. [BusinessWeek]
|
|
|
Tuesday, August 13, 2002
|
From The Register: A serious flaw in SSL certificate handling reported by Mike Benham, affecting IE and Konqueror, has already been fixed by KDE's Waldo Bastian, we're pleased to mention. As for Microsoft? According to Benham they haven't even replied to him yet. Apparently, real Trustworthy Computing takes an enormous amount of time. [The Register]
|
|
From InfoWorld: A security flaw in Microsoft's Internet Explorer (IE) Web browser can completely undermine the supposedly watertight Secure Sockets Layer (SSL) standard for securing online transactions and e-commerce, researchers said Tuesday.
IE's implementation of SSL contains a vulnerability which allows what is described as an active, undetected, man-in-the-middle attack, where no dialogs are shown and no warnings are given. [InfoWorld: Top News]
|
|
From The Register: Now you see it, oops, there it is again: With the release of Windows 2000 Service Pack 3, however, it's been possible to see how at least one part of the proposed settlement, the hiding of Microsoft middleware and its replacement by alternative applications, works - or not. [The Register]
|
|
From The Register: Microsoft's efforts to disassociate Palladium from DRM seem to have hit their first speed bump. They'll probably not be best pleased by the Microsoft job ad that seeks a group program manager "interested in being part of Microsoft's effort to build the Digital Rights Management (DRM) and trusted platforms of the future (Palladium)." [The Register]
|
|
|
Monday, August 12, 2002
|
From The Register: A colossal stuff-up in Microsoft's and KDE's implementation of SSL (Secure Sockets Layer) certificate handling makes it possible for anyone with a valid VeriSign SSL site certificate to forge any other VeriSign SSL site certificate, and abuse hapless Konqueror and Internet Explorer users with impunity. [The Register]
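The three items above (Benham's report, the InfoWorld write-up of the undetected man-in-the-middle, and the Register's account of forging VeriSign site certificates) all describe one missing check: the browsers verified that every signature in a certificate chain was valid but never looked at the basicConstraints extension to see whether the signer was actually allowed to act as a CA. So the holder of any ordinary site certificate could issue a certificate for any other hostname, and IE would accept the chain. The following is an added example, not code from the page or from IE or Konqueror, that reproduces the flawed and the corrected path validation side by side. Certificates are plain dicts and "signatures" are HMAC-SHA256 tags made with the issuer's key so that it runs on the Python standard library alone; in this toy the key listed in a certificate doubles as its signing key, whereas a real certificate carries only the public half. All names and keys are constructed.

```python
"""Certificate path validation with and without the basicConstraints check.

Added example, not code from the page or from IE/Konqueror. Certificates are
plain dicts and "signatures" are HMAC-SHA256 tags made with the issuer's key,
so the script runs on the standard library alone. In this toy the key listed
in a certificate doubles as its signing key (a real cert carries only the
public half); all names and keys below are constructed.
"""
import hashlib
import hmac
import json


def _tbs_bytes(tbs):
    # Canonical encoding of the to-be-signed fields, so signer and verifier agree.
    return json.dumps(tbs, sort_keys=True).encode()


def sign(issuer_key, tbs):
    return hmac.new(issuer_key, _tbs_bytes(tbs), hashlib.sha256).hexdigest()


def verify(issuer_key, cert):
    expected = sign(issuer_key, cert["tbs"])
    return hmac.compare_digest(expected, cert["sig"])


def make_cert(subject, subject_key, ca, issuer_cert=None, issuer_key=None):
    """Issue a certificate; with no issuer it is self-signed (a root)."""
    if issuer_cert is None:
        issuer_name, issuer_key = subject, subject_key
    else:
        issuer_name = issuer_cert["tbs"]["subject"]
    tbs = {
        "subject": subject,
        "issuer": issuer_name,
        "key": subject_key.hex(),
        "ca": ca,                  # basicConstraints: cA flag
    }
    return {"tbs": tbs, "sig": sign(issuer_key, tbs)}


def validate_chain(chain, trusted_roots, hostname, check_basic_constraints=True):
    """Walk from the leaf (chain[0]) up to a trusted root (chain[-1]).

    check_basic_constraints=False reproduces the flaw described above: every
    signature checks out, so an end-entity cert is accepted as an issuer.
    """
    if chain[-1] not in trusted_roots:
        return False
    if chain[0]["tbs"]["subject"] != hostname:
        return False
    for child, parent in zip(chain, chain[1:]):
        if child["tbs"]["issuer"] != parent["tbs"]["subject"]:
            return False
        if check_basic_constraints and not parent["tbs"]["ca"]:
            return False           # the check IE and Konqueror were missing
        if not verify(bytes.fromhex(parent["tbs"]["key"]), child):
            return False
    return True


# Constructed keys and names for the demonstration.
ROOT_KEY = b"toy-root-ca-key"
SITE_KEY = b"attacker-site-key"
FORGED_KEY = b"forged-bank-key"

ROOT = make_cert("Toy Root CA", ROOT_KEY, ca=True)
ATTACKER_SITE = make_cert("www.attacker.example", SITE_KEY, ca=False,
                          issuer_cert=ROOT, issuer_key=ROOT_KEY)
# The attacker uses the key behind their own, legitimately issued site cert
# to sign a certificate for somebody else's hostname.
FORGED_BANK = make_cert("www.bank.example", FORGED_KEY, ca=False,
                        issuer_cert=ATTACKER_SITE, issuer_key=SITE_KEY)
TRUSTED_ROOTS = [ROOT]


def demo():
    forged_chain = [FORGED_BANK, ATTACKER_SITE, ROOT]
    return {
        "forged_accepted_without_check": validate_chain(
            forged_chain, TRUSTED_ROOTS, "www.bank.example",
            check_basic_constraints=False),
        "forged_accepted_with_check": validate_chain(
            forged_chain, TRUSTED_ROOTS, "www.bank.example"),
        "legitimate_accepted": validate_chain(
            [ATTACKER_SITE, ROOT], TRUSTED_ROOTS, "www.attacker.example"),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

Every signature in the forged chain is genuine, and the leaf's subject matches the hostname the user typed, which is why the flawed validator shows no dialog and no warning: nothing it looks at is wrong. The only thing that separates the forged chain from a legitimate one is the cA flag on the intermediate, and that is the field the fix consults.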
|
|
|
Sunday, August 11, 2002
|
Jon Udell: As with earlier Microsoft mantras (ActiveX, Windows DNA), .NET means almost everything and therefore nothing in particular. The Redmond priesthood incants XML with the same mystical vagueness. No resounding amen has yet been heard from the hundreds of millions of souls who use Windows and Office, who were recently demoted from "knowledge workers" to "information workers," and who were then reclassified as "first-class data objects." Instead they ask, "What's in it for me?" Read the full story... [Jon's Radio]
|
|
From LinuxWorld: Microsoft is selling [Palladium] as a hardware-enabled way to make your PC software secure, but all it really amounts to is a digital cop that arrests any software that tries to use copyrighted content in an unapproved manner. In plain language, your computer will only play songs or movies if you've paid for them. That's right. It's chip-enforced digital rights management.
Microsoft has a patent on the concept of a digital rights management operating system. If Microsoft can make the Palladium successful, it can present the open source community with two choices. PCs running Linux or any other non-Microsoft OS may not use the chip, in which case these PCs will not be able to play any copyrighted DVDs or music CDs. If the open source OS uses the chip, someone has to pay Microsoft for the right to do so, since it owns the patent.
Some people are dismissing the Palladium chip because they equate it with Intel's plans for the CPU ID, plans that were thwarted by the massive public reaction against the ID. Nevertheless, Palladium is likely to get the backing of huge content providers. If these content providers have the power to sway Congress on issues as outrageous as cracking P2P networks, then they have the power to get Palladium installed on every motherboard by default. That's what makes Palladium scary. [Privacy Digest]
|
|
|
Friday, August 9, 2002
|
From Dan Gillmor's eJournal: Remember Microsoft's squeals of angst when privacy advocates complained about Passport? Once again, Microsoft is found not to be telling the truth about serious issues. And, once again, the governmental agency with the power to do something realistic fades away on contact. The FTC hasn't even issued a slap on the wrist here. It merely got Microsoft to agree not to do it again. You would imagine that the feds would care, one of these days, that it keeps giving a pass to a company that doesn't change its ways. No, I guess that's unimaginable. [Dan Gillmor's eJournal]
|
|
From Wired News: A settlement with U.S. regulators requires Microsoft to improve security for its Passport services. But some privacy advocates say the agreement doesn't do enough to protect user data. By Joanna Glasner. [Wired News]
|
|
|
Thursday, August 8, 2002
|
From InfoWorld: "We believe that Microsoft made a number of misrepresentations regarding the security of Passport, the information it stores, the security of online purchases using Passport Wallet and the information collected on Websites using Kids Passport," FTC Commissioner Timothy J. Muris said during a conference call Thursday. [InfoWorld: Top News]
|
|
John Robb writes: "According to a CNet story, Microsoft is set to release Media Player 9. The strategy on this is interesting and scary. The media industry continues to cry out for a DRM solution that meets their desires for complete control over content delivery and use. Microsoft can supply a 60% solution now, and a 99% solution with Palladium. However, the media industry doesn't want to give over implementation of DRM controls to Microsoft. They want to pick their partners.
Given the rule of power politics in Washington, this means that the only thing really stopping the implementation of a mandatory DRM solution based on open standards is Microsoft. It isn't fair use, privacy considerations, or the needs of you and me. This is a battle over control of the technology." [John Robb's Radio Weblog]
|
|
Finally, a glimpse of hope: an analyst says that frustration with Microsoft is pushing more companies to consider Linux-based operating systems as well as Apple Computer's Unix-based OS X. [InfoWorld: Top News]
|
|
The software giant's application for developing and managing e-business Web sites has three vulnerabilities, one of which could open up the software to attackers. [CNET News.com]
|
|
|
Wednesday, August 7, 2002
|
This brilliant article by Phil Lemmons gives a good overview of Microsoft history -- how it extinguished competitors and built up a software empire by wielding monopolistic power, knowing that the American judicial system would do little to prevent whatever restraint of trade, predatory pricing, or monopolization Microsoft chose to pursue. [Upside Today]
|
|
Windows might possibly be the most insecure piece of viral code ever to infect a computer, according to Chris Paget who's found a fascinating hole in the Win32 Messaging System which he believes is irreparable, and which he posted to the BugTraq security mailing list. However, critics observed that it's more the application developer than MS which has made this possible: 'While you can assert that the blame lies with Microsoft, the chief blame lies with the vendor of the software whose bad programming you are exploiting.' [The Register]
|
|
Microsoft has issued a security bulletin concerning the W32.Chir.B@mm worm. Like many worms before it, it exploits a well-known and documented security hole in Internet Explorer and MS Outlook to send itself to every person in a user's address book. A fix for this hole has been available since March 2001, but the recent outbreak of this worm illustrates very clearly that only very few users have actually installed the security patch. [Microsoft]
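The March 2001 fix referred to above is the one for the incorrect MIME header vulnerability (MS01-020): the mail client looked at the Content-Type an attachment declared, so an executable labelled as, say, audio/x-wav and referenced from the HTML body would be run without asking. Users who never patched were not the only line of defence, though; a mail gateway can catch this pattern before the message reaches Outlook. The following is an added example, not code from the page or from Microsoft, of such a check in Python using only the standard library: it compares each attachment's declared type with its filename and with the bytes it actually carries. The two messages it runs over are constructed for this example and only imitate the shape of what such a worm sends.

```python
"""Flag mail attachments whose declared MIME type disagrees with their content.

Added example, not from the page or from Microsoft. The messages below are
constructed for the demonstration; the first imitates the shape a worm of
this class sends (an HTML body pulling in a "WAV" part that is really an
executable), the second is an ordinary message with a text attachment.
"""
import email
from email import policy

# Extensions Windows hands to a program loader or script host.
EXECUTABLE_EXTS = {".exe", ".com", ".pif", ".scr", ".bat", ".cmd", ".vbs", ".js"}
# Types a client treats as inline media rather than as a program.
HARMLESS_TYPE_PREFIXES = ("audio/", "image/", "text/", "video/")
PE_MAGIC = b"MZ"  # DOS/PE executable header


def _extension(filename):
    return "." + filename.rsplit(".", 1)[-1].lower() if "." in filename else ""


def inspect_message(raw):
    """Return one finding per suspicious leaf part of the message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        ctype = part.get_content_type()
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        reasons = []
        # Declared as media, but named like something the shell would execute.
        if _extension(name) in EXECUTABLE_EXTS and ctype.startswith(HARMLESS_TYPE_PREFIXES):
            reasons.append("executable filename declared as " + ctype)
        # Declared as anything but a program, yet the bytes are a PE image.
        if payload.startswith(PE_MAGIC) and not ctype.startswith("application/"):
            reasons.append("PE header in a part declared as " + ctype)
        if reasons:
            findings.append({"filename": name, "content_type": ctype, "reasons": reasons})
    return findings


# Constructed sample: the base64 body decodes to the first 24 bytes of a PE stub.
WORM_STYLE = b"""From: sender@example.invalid
To: victim@example.invalid
Subject: hi
MIME-Version: 1.0
Content-Type: multipart/related; boundary="BOUNDARY"

--BOUNDARY
Content-Type: text/html; charset="us-ascii"
Content-Transfer-Encoding: 7bit

<html><body><iframe src="cid:attach1" width="0" height="0"></iframe></body></html>
--BOUNDARY
Content-Type: audio/x-wav; name="readme.exe"
Content-Transfer-Encoding: base64
Content-ID: <attach1>

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAA
--BOUNDARY--
"""

# Constructed sample: a correctly labelled text attachment.
CLEAN = b"""From: sender@example.invalid
To: victim@example.invalid
Subject: notes
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="BOUNDARY"

--BOUNDARY
Content-Type: text/plain; charset="us-ascii"

See attached.
--BOUNDARY
Content-Type: text/plain; name="notes.txt"
Content-Disposition: attachment; filename="notes.txt"

Nothing to see here.
--BOUNDARY--
"""

if __name__ == "__main__":
    for label, raw in (("worm-style", WORM_STYLE), ("clean", CLEAN)):
        print(label, inspect_message(raw))
```

The filename test alone is easy to dodge by renaming, so the magic-byte test does the real work: whatever the header says, a part that starts with `MZ` is a Windows executable. A production filter would also decode nested message/rfc822 parts and archive attachments, which this example leaves out.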
|
|
Microsoft has acknowledged a security problem in SQL Server: 'An attacker who submits a database query that contains a specially malformed parameter in a call to OpenRowset could overrun the buffer, either to cause the server that is running Microsoft SQL Server to fail or to cause the SQL Server service to take actions that the attacker dictates.' A security patch is now available. [Microsoft]
|
|
In this article, Charles Cooper is talking about .Net and the fact that no one -- including Microsoft -- seems to know what it is, despite the fact that the company has been promoting it for years as something that will revolutionize the computing world. 'This project, as even Gates might allow, remains a riddle wrapped in a mystery inside an enigma,' writes Cooper. My personal guess is that it's either vaporware or something utterly sinister. [ZDNet]
|
|
Georgi Guninski, the veteran bug hunter who discovered many of the security holes in Internet Explorer, has found a new vulnerability: an Excel .xla file (an Excel add-in) embedded in a web page can apparently cause IE to create arbitrary files on the computer. This may lead to executing arbitrary programs on the user's computer. [Guninski.com]
|
|
|
Sunday, August 4, 2002
|
The Houston Chronicle reports that on a typical day, Hotmail subscribers collectively receive over 1 billion junk e-mails. These account for 80% of the messages received -- not counting those blocked by Hotmail's junk filters. And the number is increasing every day. [The Houston Chronicle]
|
|
On Slashdot.org, a discussion has started about the new changes in the End User License Agreement for the Windows XP SP1 and Windows 2000 SP3 update, which allows MS to access users' PCs (see the item posted earlier today). Apparently, the EULA also contains a clause that 'You may not disclose the results of any benchmark test of the .NET Framework component of the OS Components to any third party without Microsoft's prior written approval.' [Slashdot.org] See also this article at iRights.
|
|
With the reorganisation of this web site, the article about Microsoft's Palladium project has now been moved here.
|
|
Windows XP Service Pack 1 and Windows 2000 Service Pack 3 contain a new licence condition which asks you to allow Windows to fetch and install future updates. [Andrew Orlowski, The Register] See also this related story, which I wrote in early July.
|
|
At a bleak time, when other vendors are pulling in, laying off, and riding out the recession, Microsoft is partying like it's 1999. But not everybody is invited. By piecing together what Microsoft tells each of its constituencies, we can make some predictions about where Windows and the Windows server stack are going and how changes will affect customers and competitors. [Tom Yager, InfoWorld]
|
|
|