The Evil Empire
Information about Microsoft, bugs, security holes, and dirty business tactics.
Updated irregularly (about once per week)
January 2005
December 2004
November 2004
October 2004
August 2004
July 2004
June 2004
May 2004
April 2004
March 2004
February 2004
January 2004
December 2003
November 2003
October 2003
September 2003
August 2003
July 2003
June 2003
May 2003
April 2003
March 2003
February 2003
January 2003
Older archives
April 20, 2004
Microsoft Patches: Too Much of a Good Thing?
It's like clockwork these days: Every second Tuesday of the month, Microsoft releases its amalgamated security patches and fixes. Microsoft's customers have come to plan on this monthly happening. And many of them have programmed their systems to automatically download the patches when they appear—usually around 10 a.m. Pacific time. The result is problems connecting to Microsoft's Windows Update site, where the downloadable patches reside.
"Now that more people are aware that updates are due on the second Tuesday … I'm seeing what I thought would happen…Denial of service of Windows Update from their own customers," said one Microsoft customer, systems engineer Rafael Cappas. More... [eWeek]
April 19, 2004
Security Patch Breaks SSL support in IE 6 with Windows 2003
A user on the Full Disclosure mailing list sent out a warning that fter installing the latest set of patches from Microsoft, he was unable to access sites using SSL. After some investigation it turned out that his IE Cipher strength was set to 0bit. Uninstalling the patches solved the problem. More... [Full Disclosure]
April 17, 2004
Web Braces for Netsky.V's Attack
The latest variant of the hugely effective Netsky series of worms is causing trouble by spreading without the use of an attachment. Slipping past many e-mail gateways, it can launch simply by being viewed in an e-mail program. Rather than attaching the worm's executable code to an e-mail message, Netsky.V uses two separate vulnerabilities in Microsoft software to download the code from an infected PC. Many e-mail gateways now block all e-mail attachments, so the worm's tactic is a way of getting around that precaution, experts says. More... [PC World]
April 15, 2004
IE 6 Prints Without Prompt
Using an OLE object, JavaScript, and HTML, IE 6 will allow a malicious document to send pages to the printer without prompting the user. Printing documents without prompting the user could result in the waste of paper, toner, ink or result in damage to the printer. If inserted into a high traffic website this waste could be substantial. More... [SecurityFocus]
April 14, 2004
Microsoft releases patches to fix 20 flaws
Microsoft Corp. released four new security bulletins detailing patches for several critical vulnerabilities, including one that fixes 14 separate flaws, in a wide range of Windows software. The patches are part of the company's monthly rollout of security fixes and address a total of 20 flaws. The products affected by the flaws include Windows NT Workstation and Server, Windows 98, Windows XP, Windows 2000 and Windows Server 2003. More... [Computerworld Security News]
April 13, 2004
eEye Digital Security Discovers Six New Security Flaws in Microsoft Windows
eEye(R) Digital Security, a leading developer of network security software solutions, today announced the discovery of six new vulnerabilities related to Microsoft Windows(R). The critical discoveries include dangerous flaws in Windows Remote Procedure Call, Local Security Authority Subsystem Service, and in the rendering of Windows Metafile and Enhanced Metafile image formats. These critical security flaws affect unpatched Windows NT, 2000, XP and Windows Server 2003 machines. eEye's research team discovered two of the most critical vulnerabilities as early as September 2003. The patch for these vulnerabilities released today comes more than 200 days after eEye's discovery. More... [TMCnet]
The Structural Failures of Windows
Using the developmental history of Windows as the basis for his article, Ryan Hunter writes in The Inquirer why Windows is fundamentally flawed. [The Inquirer]
April 12, 2004
Security focus or not, can an unrepentant Microsoft be trusted?
Microsoft is working hard to make good on the promises making security job #1, and with Windows XP Service Pack 2 just a few months away we're all looking forward to this very important first step. But the Washington Post's Rob Pegoraro wonders if "no-regrets Microsoft" is really worthy of being trusted again. Questioning Ballmer on whether or not the company regrets its early no-holds-barred feature development pace, Ballmer essentially said "no." More... [Ars Technica]
April 10, 2004
IE Vulnerability Flagged
The U.S. Computer Emergency Readiness Team (CERT) has published a security flaw that has no complete workaround, leaving PCs at risk even if protective steps are taken. The vulnerability lets attackers trick the InfoTech Storage (ITS) protocol handlers in Microsoft's Internet Explorer (IE) to grab scripts from another domain (server) and gain the same privileges as those found in the victim's Local Machine Zone. More... [Internet News]
Click here for the CERT bulletin.
April 02, 2004
"Internet Exploit"?
Symantec has an interesting Freudian typo on their Security Response page for the new Trojan.Ibiza trojan:
Click to enlarge, and check the second paragraph. [many thanks to Jason Boshears]
