The Evil Empire
Information about Microsoft, bugs, security holes, and dirty business tactics.
Updated irregularly (about once per week)
January 2005
December 2004
November 2004
October 2004
August 2004
July 2004
June 2004
May 2004
April 2004
March 2004
February 2004
January 2004
December 2003
November 2003
October 2003
September 2003
August 2003
July 2003
June 2003
May 2003
April 2003
March 2003
February 2003
January 2003
Older archives
September 30, 2003
Unpatched Microsoft browser hole a gold mine for hackers
A long-ignored security hole in Microsoft Corp.'s Internet Explorer (IE) is proving to be a gold mine for hackers, providing an easy way for them to plant malicious programs on vulnerable machines through hacker Web sites and instant messaging applications, security experts warn.
New attacks using the vulnerability include a worm that spreads through America Online Inc.'s Instant Messenger (AIM) and a malicious Web site that silently loads snooping software on victims' machines, according to independent security expert Richard Smith. More... [Computerworld Security News]
September 26, 2003
New Windows holes, dangerous music
Ever visited a Web site that suddenly started playing music through your computer speakers? It may be annoying, but you can always turn down the volume. And it's harmless, right? Maybe not.
Researchers at EEye Digital Security Inc. recently discovered two big holes in Windows' music playback technology. The flaws, which Microsoft rates as "critical," could allow a hacker's code to run amok on your PC by exploiting a contaminated music file. The hacker could then take over your PC and do something nasty, like delete your files. [Computerworld Security News]
Microsoft critic dismissed by @Stake
A computer security expert who contributed to a paper deeply critical of Microsoft has been dismissed by his employer, a consulting company that works closely with the software giant.
Dan Geer, a longtime computer security researcher, and several colleagues released a controversial study on Wednesday that called the ubiquity of Microsoft software a hazard to the economy and to national security. Although independently financed and researched, the study was distributed by the Computer and Communications Industry Association (CCIA), a Washington-based trade association largely made up of Microsoft's rivals.
Cambridge, Mass-based @Stake, where Geer worked as chief technical officer, said in a statement Thursday that the researcher had not gotten his employers' approval for the study's release, and that he was no longer associated with the company. [CNet News.com]
September 25, 2003
Password theft due to IE security leak
According to an article on heise.de there have been several reports on Full Disclosure and Bugtraq about malicious websites which exploit an as yet unpatched security leak in Internet Explorer to attack uers's PCs.
In a number of cases faked e-mails were used to lure AOL users to a website, which then installed and executed a VB script that attempted to collect user name, password and buddy list of the AOL Instant messenger (AIM). Websites of spammers use similar exploits to spy on users.
As there is currently no patch available for this vulnerability and the code to script this kind of exploit is freely available on the Internet, users should be very careful about which websites they are visiting. With Internet Explorer 6, the problem can be circumvented by disabling Active Scripting and ActiveX; with older versions, even this does not help. [heise.de]
September 24, 2003
Microsoft chat move 'irresponsible'
Microsoft's decision to close the free, unmoderated chatrooms of its MSN internet service has sparked strong reactions.
Children's charities have welcomed the move as a positive step to ensuring children's safety online. But major net service providers have criticised the action as "irresponsible" and say it is driven by economic concerns rather than keeping children safe. [BBC News]
Report: Widespread use of MS poses security risk
Whatever Microsoft Corp.'s strengths or failings as a developer of reliable software, the mere existence of an operating-system monopoly is a critical security risk, argues a new report released Wednesday at a Computer & Communications Industry Association (CCIA) gathering in Washington, D.C.
Written by seven IT security researchers, "CyberInsecurity -- The Cost of Monopoly" calls on governments and businesses to consider in their buying decisions the dangers of homogenous systems, and to diversify the software mix deployed in their organizations. It also urges the U.S. government to counterbalance Microsoft's user lock-in tactics by forcing the company to offer multiplatform support for its dominant applications, including Internet Explorer and Microsoft Office products. [MacCentral]
September 19, 2003
IE will load and execute any program
Heise.de reports that Microsoft's latest patch for the Object Data Execution Vulnerability in all known versions of Internet Explorer does not work with the latest versions of known exploits.
The problem is due to a faulty implementation of the OBJECT tag, which allows execution of ActiveX components without further security checks. Heise also has a test page that shows if your computer is affected. [Heise.de]
New worm poses risk to corporate networks
A new worm that masks itself within fake Microsoft Corp. security bulletins poses a medium to high risk to corporate networks, according to security vendor Aladdin Knowledge Systems Inc.
The Win32.Swen.A worm quickly infects computers by disguising itself within fake Microsoft security bulletins sent to unsuspecting users, according to a statement from the Chicago-based Aladdin. [Computerworld Security News]
Hackers find way to exploit latest Windows vulnerability
A security company said yesterday that it found an example of working computer source code that exploits the latest critical security hole disclosed by Microsoft Corp.
Counterpane Internet Security Inc. in Cupertino, Calif., said it found and tested the source code, which it claimed exploits Microsoft operating systems that have one of three security flaws in the Microsoft Distributed Component Object Model (DCOM) component of Windows. [Computerworld Security News]
September 11, 2003
It's Security Patch Wednesday
Another Wednesday, another Windows security patch. Today's is aimed at fixing yet another Windows RPC vulnerability. Microsoft has deemed the patch critical for all Windows NT 4.0, Windows 2000, Windows XP and Windows Server 2003 users. [Microsoft Watch]
MS amends anti-Blaster fix
Microsoft today issued an amended antidote to the Windows vulnerability infamously exploited by the Blaster worm.
Today's fix for flaws with Microsoft's implementation of Remote Procedure Calls (RPC) within its Distributed Component Object Model (DCOM) framework supersede a patch Redmond issued in July. It also replaces a fix (MS01-48) involving a DoS risk MS issued two years ago. [The Register]
September 05, 2003
Microsoft Issues Five New Security Warnings
Microsoft on Wednesday issued security bulletins for five new software vulnerabilities, including a flaw in Visual Basic for Applications that the company rated as critical. The company has posted patches for each of the flaws on its Web site.
Four of the problems affect Microsoft's Office desktop software. The critical flaw in Visual Basic for Applications could be exploited by a hacker to execute code on a targeted PC, according to Microsoft. Visual Basic for Applications is used in many of the individual Office applications, as well as in some of the business applications sold by Microsoft Business Solutions. More...
September 04, 2003
Microsoft warns about new software flaw in Office suite
Microsoft Corp. warned today that users of its Office software are at risk of having their computers taken over by an attacker unless they apply a patch to correct the problem.
The world's largest software maker said that a flaw that it rated as "critical" in its Visual Basic for Applications software, used to develop applications for Windows and Office, could enable a malicious programmer to create documents that would launch attacks on unsuspecting users. More... [Computerworld Security News]
September 01, 2003
Size Doesn't Matter
If you want to be a malicious person, there are plenty of challenges for bad purposes in computing as well. And if you're looking to get your foot in the door, Microsoft Windows offers plenty of easy entrances. Due to the general lack of consideration for security in Windows, one can write a pretty destructive program with very little effort. The operating system itself does very little to restrict a user's actions, nor does it do much to restrict the actions of an application that might be running on that user's computer.
The Windows security model, which, contrary to popular belief, does exist, isn't as well thought out as that present in a Unix operating system. On top of that, it doesn't have 30 years of corrections and adaptations integrated into it like Unix does. With Mac OS X, Apple adopted Unix and inherited 30 years of tried, tested, and true security. Are there viruses and worms on Unix? Of course, but they are fewer in number and usually, once discovered, corrected much faster than anything coming out of Microsoft. More... [via IT&W]
