
 

The Archives of The Evil Empire

2001 September




ISSN 1726-5339

Late Breakers


27 September: Time to stand up to Microsoft
http://www.zdnet.com/zdnn/stories/comment/0,5859,2815189,00.html

Microsoft's upgrade policy is nothing if not predictable. And this time, it's a biggie--Microsoft Arrogance XP is so far ahead of Microsoft Arrogance 98 that it'll take the competition years to even get close. Take for example Microsoft Arrogance XP Professional Edition: a full-strength version, and then some. From October 1st, corporate licence holders will upgrade when Microsoft tells them to, not when they want. They either pay an annual fee for a two-year maintenance contract, or pay list price for upgrades. Or they don't have a license--and don't think that Microsoft has any compunction about letting people know about the consequences there. Just to make it an offer you can't refuse, existing options, which included a four-year upgrade cycle, have been withdrawn--people who were on that will pay between 68 and 107 percent more than before, according to the Gartner Group.

Of course, businesses are furious. But the company is unmoved, saying that everyone has choice and that the changes help people get "the latest and greatest from Microsoft in a predictable way." Perhaps people didn't find it difficult in the past to get upgrades when they wanted them, but Microsoft isn't listening. It doesn't have to listen.




26 September: Serious security leak .manifests itself in Windows XP
http://www.tecchannel.de/software/778/index.html

The German news site tecChannel reports a serious security leak in Windows XP. WinXP allows users to configure user interface elements by placing XML instructions in a file called .manifest. This file is always executed whenever the associated application is launched; this even includes the command line interface cmd.exe. In a test, tecChannel writers changed a .manifest file to random characters, which caused the associated application to crash. They are now warning of the possibility that hackers could write a virus that scrambles the content of various .manifest files, which would cause all associated applications to crash. This is further aggravated by the fact that, according to tecChannel, only a full new install of Windows XP can re-establish the integrity of these files.

Note: this article is in German.



26 September: Consumer watchdogs attack Win XP
http://www.zdnet.com/zdnn/stories/news/0,4586,5097442,00.html

In a joint statement, the Consumer Federation of America, Consumers Union, Media Access Project and U.S. Public Interest Research Group complained that the new operating system "advances the company's illegal anti-competitive practices and harms the nation's consumers." "Activities such as communications, commerce, streaming audio-visual applications and online services are, at the present, vigorously competitive," the groups said in a statement. "These essential areas of the 21st century economy will be threatened, and consumers harmed, if Windows XP and its tightly bundled version of Internet software hits shelves as planned."



26 September: IE upgrade jams domain name deal
http://news.cnet.com/news/0-1005-200-7309540.html

A new feature in Internet Explorer 6 is driving over a deal between Microsoft-backed RealNames and domain name company XTNS, cutting off traffic headed toward their services. Microsoft tinkered with the browser settings in an IE upgrade last month, capitalizing on misspelled or nonexistent domain names typed into the address bar by diverting people to an MSN Search page. But much of that traffic is supposed to travel through XTNS, which directs someone entering a nearly correct Web address, such as "ibm.co," to the page most likely intended. The new IE feature also catches simplified addresses such as "store.disney" or "movie.gladiator" or "corp.ibm"--all for sale as "namespaces" through XTNS' deal with RealNames. Microsoft would not comment on the domain name companies' agreement, saying it is not directly involved.



25 September: MS Frontpage limits free speech
http://slashdot.org/articles/01/09/21/1438251.shtml

A posting on slashdot.org claims to verify a rumor that the End User License Agreement (EULA) for Microsoft FrontPage 2002 prohibits the use of this software for anti-Microsoft websites. Apparently, section #1, second paragraph of the EULA states: "You may not use the Software in connection with any site that disparages Microsoft, MSN, MSNBC, Expedia, or their products or services, infringe any intellectual property or other rights of these parties, violate any state, federal or international law, or promote racism, hatred or pornography."



24 September: Gartner advises looking for alternatives to Microsoft IIS
http://www3.gartner.com/DisplayDocument?doc_cd=101034

Business consultants Gartner recommend that enterprises hit by both Code Red and Nimda immediately investigate alternatives to IIS, including moving Web applications to Web server software from other vendors, such as iPlanet and Apache. Although these Web servers have required some security patches, they have much better security records than IIS and are not under active attack by the vast number of virus and worm writers. Gartner remains concerned that viruses and worms will continue to attack IIS until Microsoft has released a completely rewritten, thoroughly and publicly tested, new release of IIS.

Update 25 September: See also this comment by The Register



24 September: Calls for Microsoft investigation
http://news.bbc.co.uk/hi/english/business/newsid_1560000/1560267.stm

A trade body representing some of Britain's largest companies has asked the UK government to investigate Microsoft's new software pricing policy, which could double costs over the next four years. Microsoft's new pricing policy could cost tif's members an extra £880m over a typical four-year investment cycle, it said in a statement. The group said the new pricing structure will push up Microsoft licences by almost 100% by forcing them to "This money has not been budgeted for by organisations, so where will it be found...Does Microsoft realise the damaging impact its pricing policy could have on British business?" said David Roberts, chief executive of tif.



23 September: Serious security hole in Microsoft SQL Server Database Engine opens computers
http://www.heise.de/newsticker/data/hos-22.09.01-001/

German computer magazine c't has found a serious security leak caused by the Microsoft SQL Server Database Engine (MSDE). Upon installation, this software automatically creates a default administrator account with no password. Thus hackers logging into databases based on this engine can not only access all data in the database, but also execute local applications via special database commands.

Note: this article is in German



21 September: Microsoft IIS hole gives System-level access
http://www.securityfocus.com/news/200

The vulnerability was discovered less than a fortnight ago by engineers from eEye Digital Security, while upgrading a security scanner it makes called Retina. Once upgraded to audit the .printer ISAPI (Internet Server Application Programming Interface) filter, which enables Web-based control of networked printers, the Retina implementation reported a buffer overflow which eEye soon found to be exploitable. Web-based printer support is enabled by default in IIS, unfortunately, so a great many users will be affected. The vulnerability occurs when a buffer of approximately 420 bytes is sent within the HTTP Host: header for a .printer ISAPI request. Because Win 2K is equipped with a lovely feature which automatically restarts the Web server after a crash, an attacker can gain easy access.



20 September: Did too many cooks spoil Windows XP security?
http://www.securityfocus.com/columnists/24

While previous MS operating systems were all different animals, we find now that the XP OS's are really just different cuts from the same beast. It seems to be an effort to get all the cooks into the same kitchen, select the best parts of each recipe, and present a culinary feast suitable for every palate while keeping the "Whine List" to a minimum. My concern is the fat content. Will this lead to a product line resulting from careful selection of the finest ingredients, or will each chef walk up with a bowl-full of "Knows Best" and just dump it into the pot?

The concern here is security. We have all been trained to separate the roles of our systems: Don't make your Internet web server a domain controller, don't run SQL on the Exchange server, and don't read email on your ISA server. This practice isolates potentially dangerous operations from processes that are prone to compromise. So you can see why I get a little nervous when I see different components of these services getting installed by default at the OS level.



20 September: New IIS security hole
http://www.securityfocus.com/cgi-bin/vulns-item.pl?section=discussion&id=3348

Microsoft Internet Information Server is vulnerable to a UTF directory traversal, which could allow an attacker to execute commands remotely on the target server. Normally, IIS blocks attempts to access directories outside of the webroot in HTTP requests. If 'directory traversal' character sequences that try to do this are found in an HTTP request, IIS blocks the request. However, if special UTF encoding is used, this filtering is bypassed, allowing an attacker to traverse outside of the webroot and execute commands on the system.



20 September: Microsoft users balk at license changes
http://news.cnet.com/news/0-1003-200-7238508.html

What's the cost of little or no competition?

For some Microsoft customers, it's paying as much as 107 percent more for the software they buy in volume. As previously reported by CNET News.com, Microsoft on Oct. 1 will dramatically change how it licenses software to its largest customers. That change will drive up what they pay for products such as Office XP or Windows 2000 between 33 percent and 107 percent, according to market researcher Gartner.

With market share of more than 90 percent in both desktop productivity applications and operating systems, Microsoft is able to charge more in a way it couldn't in a more competitive market, say analysts and the company's customers.



18 September: 'Nimda' worm hits net: Self-executing virus attacks IIS and Microsoft Outlook.
http://www.securityfocus.com/frames/?content=/templates/article.html%3Fid%3D253
http://news.cnet.com/news/0-1003-200-7215349.html

Experts are tracking a fast-spreading virus that propagates both by sending itself as an email attachment, and by hacking into vulnerable web servers. The worm also attacks Microsoft Outlook users, arriving as an apparently blank message with an attachment called 'readme.exe.' As with other viruses, opening the attachment will infect the machine. But unlike most so-called mass mailers, Nimda can also infect Outlook and Outlook Express users who know better than to open strange attachments. By exploiting a bug in Internet Explorer discovered last March, the worm is able to infect victim computers when the email is read, or even displayed in Outlook's preview pane.

Ken Van Wyk, chief technology officer at ParaProtect, said the worm tries to wriggle in through 16 known vulnerabilities in Microsoft's IIS, including the security hole left in some computers by the "Code Red II" worm, which followed Code Red in August. Code Red, by comparison, attacked through only one hole, which could be patched by downloading a program from Microsoft's Web site.



17 September: Will Microsoft do right thing?
http://www.zdnet.com/zdnn/stories/comment/0,5859,2811960,00.html

Microsoft should do the right thing and settle. But will it, and what behavioral remedies will it accept? Worse, what if no settlement is reached and Microsoft is allowed to keep doing what it is doing, long into the so-called post-PC era, when Passport and HailStorm start becoming as ubiquitous as Windows? What then? One can hope that the DOJ's moves are an olive branch offered the company as a steppingstone to a settlement or a quid pro quo that induces a settlement. Anything less, and our long national nightmare will continue.



12 September: Windows XP ROI Calculator
http://xproi.forbes.com/

This calculator enables you to compute and analyze the expected ROI (if any) associated with migrating a current Windows computing environment to Windows XP. By entering data specific to YOUR particular computing environment, and modifying the assumptions utilized in this ROI model, you can quickly estimate a realistic cost and benefit analysis of a Windows XP migration whether you have a Small Office/Home Office or large corporate environment.



12 September: Hotmail vulnerable to JavaScript exploit
http://www.securityfocus.com/frames/?content=/templates/article.html%3Fid%3D249

A new technique for attacking MSN Hotmail users has been discovered, the latest in a cat-and-mouse game between Microsoft and Hotmail security holes. The technique, announced today on a security mailing list, doesn't even require that the victim open the booby-trapped message. Hotmail takes the "From" address on an incoming message and builds it into the HTML code for displaying the Hotmail user's Inbox. As a result, simply viewing the service's Inbox page will cause the hostile Javascript to execute. The vulnerability could allow an attacker to write a Javascript program that steals a Hotmail user's login credentials, thus giving the attacker the ability to read, delete, and send mail as the user.



11 September

Our sincere condolences to the families, friends, and victims of today's tragic terrorist attacks on the World Trade Center Buildings in New York City and the Pentagon in Washington, as well as the downed commercial airliners.


11 September: Dell admits MS price gouge is hurting business
http://www.theregister.co.uk/content/4/21592.html

Michael Dell yesterday admitted that far from boosting business, Microsoft's aggressive new pricing structure for Windows XP is having the opposite effect, and deterring the traditional Wintel upgrade cycle.



10 September: Paying More For an Xmas Xbox
http://www.wired.com/news/business/0,1367,46645,00.html

Online retailers have begun taking advance orders for Microsoft's forthcoming Xbox gaming console, but some consumers are steamed at being forced to buy extra games and hardware that add hundreds of dollars to the price. To get a console before the holidays, customers are being forced to buy bundles of extra games and hardware that almost double the price.

But the bundling policy is not determined by the retailers: It is Microsoft's idea. Microsoft set the minimum requirements for the pre-order program: Merchants must sell one Microsoft game title and two third-party titles, plus one extra controller; which titles come with which bundle is decided by the retailers.



10 September: Windows XP: Microsoft's New Look for Fall, in Size XXL
http://www.nytimes.com/2001/09/06/technology/circuits/05CND-STAT.html

If technical and design merit were the only criteria for judging an operating system, the release of Windows XP would be cause for jubilation. Unfortunately, the inability to separate Microsoft's products from its business practices tarnishes what could have been an exhilarating release.

For example, if you try to install your copy onto a second computer--say, your laptop--you'll find yourself locked out of the second machine after 30 days. Furthermore, Windows XP omits support for the Java programming language. To use Web sites that require Java, like online banking and investment sites, you must download and install Java yourself. There are privacy questions, too; at every turn, Windows XP tries to send information about you back to the mother ship.



7 September: Microsoft Antitrust Case: An Update on the Company's Lobbying and Campaign Contributions
http://www.opensecrets.org/alerts/v6/alertv6_26.asp

After more than three years of investigations, litigation and intensive lobbying, the Justice Department today announced it would no longer seek a break-up of the computer giant Microsoft. The decision by the Bush administration to vacate the lawsuit is considered a major victory for Microsoft, which nearly tripled its campaign contributions and more than doubled its lobbying expenditures during its fight against the antitrust case. During the 1999-2000 election cycle, Microsoft contributed more than $4.7 million in soft money, PAC and individual contributions to federal candidates and parties--almost three times what the company contributed during the previous three election cycles combined. More than two-thirds of that money went to Republicans.




5 September: Microsoft's new twist in error messages
http://www.zdnet.com/zdnn/stories/news/0,4586,5096572,00.html

The Web's once common "page not found" errors are themselves going missing, stripped from recent versions of Microsoft's Internet Explorer in favor of a search tool provided by--you guessed it--Microsoft. Now, whenever someone types a misspelled or nonexistent domain name into the browser's address bar, an MSN Search page appears by default, rather than one of several standard error pages.

Critics say the feature could be likened to a land grab on territory that has otherwise been the Antarctica of the Internet. Error pages are called up more than 14 million times a day worldwide via Internet Explorer, according to Microsoft. Because Internet Explorer is the most widely used Web browser, critics say the change could unfairly influence competition among search engines on the Internet.



4 September: New Outlook e-mail worm spreading slowly
http://news.cnet.com/news/0-1003-200-7053492.html

Antivirus experts have warned about a new e-mail worm that uses Microsoft Outlook to spread. "Troj_Apost.A" is a worm rather than a Trojan horse, as its name suggests. The malicious e-mail arrives with the subject line "As per your request!" with the message, "Please find attached file for your review. I look forward to hear from you again very soon. Thank you." When the attached file entitled "Readme.exe" is executed, it will try to copy itself to the floppy drive. It will then self-propagate by e-mailing itself to all addresses listed in the infected user's address book.



4 September: Microsoft's copy-protection racket
http://www.zdnet.com/zdnn/stories/comment/0,5859,2810195,00.html

What does Microsoft think it's doing by introducing copy protection, in a new form, with Office XP and Windows XP? Discouraging 'casual piracy' is the official answer, but it seems more likely to discourage legitimate users in the same way as Lotus' key disk did in 1983.



1 September: Why is Microsoft pulling the IE plug-ins?
http://www.zdnet.com/zdnn/stories/comment/0,5859,2809172,00.html

Some people like to complain about all the new features that come with new versions of software. Microsoft recently took the unusual step of removing a feature from Internet Explorer, but don't get the idea that they're doing us a favor. Their unwillingness to explain why they are removing plug-in support indicates that there's no good reason for it. They just don't want people writing or relying on plug-ins anymore.







© Copyright 1999-2003 Horst Prillinger, 


