The Archives of The Evil Empire2001 December
| ||
|
30 December: Microsoft must pay French company 3 million francs for copyright infringement
The French newspaper Libération reports that a French court ordered Microsoft to pay damages of 3 million French francs (400,000 euros) for infringing on the copyright of a French software company. Microsoft declines to pay, claiming they are no longer using the code in question. 28 December: Gartner warns: Hands off Windows XP!
The Swiss news service newsBYTE reports that following the recently discovered security leak in Windows XP, Gartner has issued a warning against using or even considering migrating to Windows XP. The Gartner report condemns Microsoft's security policies and advises companies to wait until further security risks become known. Note: this article is in German. 28 December: Two new security leaks found in Microsoft SQL server
SQL Server 7.0 and 2000 provide a number of functions that enable database queries to generate text messages. In some cases, the functions create a text message and store it in a variable; in others, the functions directly display the message. Two vulnerabilities associated with these functions have been discovered. The first vulnerability results because of a flaw in the functions themselves. Several of the functions donŐt adequately verify that the requested text will fit into the buffer thatŐs supplied to hold it. The second vulnerability results because of a format string vulnerability in the C runtime functions that the SQL Server functions call when installed on Windows NT 4.0, Windows 2000 or Windows XP. An attacker could exploit the vulnerabilities in either of two ways. The most direct way would be for the attacker to simply load and execute a database query that calls one of the affected functions. Alternatively, if a web site or other database front-end would accept and process arbitrary queries, it could be possible for the attacker to provide inputs that would cause the query to call an affected function with the appropriate parameters. 28 December: Germany warns users about Windows XP
The German edition of the Financial Times reports that the German Department of Economics and the Ministry of Interior Affairs are waarning users against using Windows XP. The two departments have published an advisory earlier issued by the NICP (see below). Note: this article is in German. 28 December: NICP issues warning against Windows XP
The National Infrastructure Protection Center (NICP) has issued a warning instructing users to disable several features of Windows XP in order to prevent users from intrusions into their computers. 28 December: Microsoft: Piecemeal patchwork for IE
Since the Nimda worm this fall exploited a common vulnerability in Internet Explorer, one would think that Microsoft might make it easy for you and me to get our browsers up-to-date. Unfortunately, Microsoft has elected to continue its policy of piecemeal patches, even in the wake of this costly worm attack. System administrators are furious with Microsoft because they can't burn a patched version of Internet Explorer to take to every desktop in their corporation. That's not the way the game is currently played. If one wants to patch a desktop, one must download all the attendant updates and patches for that desktop. But during a crisis, particularly when a worm like Nimda is jamming the Internet with unusually heavy traffic, system administrators may not have the time to initiate downloads on each PC, especially if the patch required is a rather large download. 24 December: Merry Christmas! I'd like to wish all visitors to this site a happy Christmas and a great New Year 2002. Thanks for visiting, thanks for reading, and, if you do, thanks for spreading the word that monopolies are evil, especially monopolies that control 90% of the world's computers. Take care, and all the best,
24 December: New serious security leak in Internet Explorer discovered
A flaw in Microsoft Internet Explorer allows an attacker to perform a SSL Man-In-The-Middle attack without the majority of users recognising it. In fact the only way to detect the attack is to manually compare the server name with the name stored in the certificate. Microsoft was informed about this vulnerability on 26 November 2001. Until today they did not release a patch; instead they call it a 'very complex issue'. Unfortunately it is christmas time and especially during the last month millions of customers where buying christmas presents on the internet all around the world. That means millions of customers were shopping with insuffient protection of their private data. Because there are no patches out yet, I strongly recommend that you use Mozilla, Opera or another non MS browser to do your internet banking or shopping these days. 23 December: FBI, Pentagon quiz Microsoft on XP software patch
FBI and Defense Department officials and some top industry experts sought reassurance Friday from Microsoft Corp. that a free software fix it offered will prevent hackers from attacking major flaws discovered in the latest version of Windows. The government's rare interest in the problems with Windows XP software, which is expected to be widely adopted by consumers, illustrates U.S. concerns about risks to the Internet. Microsoft acknowledged Thursday that Windows XP suffers from serious problems that allow hackers to steal or destroy a victim's data files across the Internet or implant rogue computer software. The glitches were unusually serious because they allow hackers to seize control of all Windows XP operating system software without requiring a computer user to do anything except connect to the Internet. 22 December: Who Needs Hackers? We've Got Microsoft!
This brief 2-page rant questions Microsoft's alleged renewed committment to software security, and challenges it's interpretation of 'responsible disclosure' in light of the major UPnP exploit. There's a great quote by Microsoft Security Manager Scott Culp saying that the UPnP exploit (found by EEye) is "the first network-based, remote compromise that I'm aware of for Windows desktop systems." I guess they've got a sensory deprivation tank out in Redmond that masks the security events arising from Microsoft products in recent years. 22 December: Shoho outbreak -- New worm, old tricks
Yet another worm has cleverly taken advantage of a well-publicized and already patched vulnerability in Internet Explorer by offering an e-mail message that sounds legitimate to frequent Internet users. On some systems, Shoho (w32.Shoho.a@mm, alias Welyah) will launch itself when the infected e-mail is previewed or viewed. Shoho also uses its own SMTP engine, as SirCam does, to send out copies of itself to e-mail addresses found in the Outlook Address book. 22 December: 'Happy New Year' worm hits Windows
A mass-mailing Internet worm that purports to offer New Year greetings was spreading rapidly Wednesday, and is rumored to be the big Christmas virus that antivirus companies have been gearing up for. The worm, operating under the guises of Zacker, Reeezak, Maldal and Keyluc, arrives with the subject header "Happy New Year" and contains a file attachment entitled "christmas.exe." It uses familiar social engineering tactics to entice recipients to double click on the attachment, before mailing itself and the victim's contact list to everyone in the contact's address book. The worm spreads by taking advantage of Microsoft applications. According to reports, Symantec believes the worm also spreads via Microsoft's Instant Messaging software, and will try to delete antivirus software from an infected PC. 21 December: Commentary: XP's "plug and prey" hole
The 2001 holiday season hasn't been merry for early adopters of Microsoft's Windows XP. They must cope with two cases of serious security vulnerabilities--one in the Internet Explorer 6 browser, the other affecting Universal Plug and Play service--both of which are embedded in Windows XP. These vulnerabilities earn a "high risk" mark on Gartner's Internet Vulnerability Risk Rating system. We predict that by the end of the first quarter of 2002, standard hacker attack tools will incorporate these weaknesses into the rampant hacker scanning that is seen on cable modem and DSL Internet access systems. Enterprises debating a move to Windows XP should wait to see if more security vulnerabilities are found in the operating system during the next three to six months. Those actively planning Windows XP migration should test application compatibility with this patch (and any patch fixes that Microsoft offers after problems are found with the initial one) for any operating system image they intend to make standard on their computer systems. 21 December: Microsoft issues patch for "serious" XP hole
Microsoft may have touted Windows XP as the most secure operating system it has made, but the company on Thursday released a bug fix for a security hole that could leave some people's systems open to malicious attack. Microsoft is recommending that every Windows XP customer apply the patch immediately. Customers using Windows 98, Windows 98 Second Edition and Windows ME with the "Universal Plug and Play" (UPnP) service up and running should also use the patch, the company said. "With most cable modem users, there's a physical wire that feeds an entire neighborhood, and someone from that wire could attack anyone without needing to know the IP address," Scott Culp, manager of Microsoft's Security Response Center said. "The attacker can take control of the PC and have access to all the files. They might as well be sitting in front of the keyboard." 21 December: New security leak in Internet Explorer 6 can send data from your files to any computer on the Internet
The German News site heise.de reports a new security leak in IE 6. An AcziveX control marked as "safe for scripting" can read data from any file on the computer and then send it to another computer via JScript. Heise.de also reports that the user who discovered the vulnerability has informed Microsoft, but has not yet received a reply. Note: This article is in German 21 December: Microsoft IE Same Origin Policy Violation Vulnerability
There exists a vulnerability in Microsoft Internet Explorer that can allow for a violation of the same origin policy. In modern browsers, script code executing in the context of one website should not be able to access the properties of another. This is a security feature known as the 'same origin policy', and it is put in place to prevent malicious websites from interacting with and possibly stealing sensitive information from others in different windows. This violation of the 'same origin policy' is a severe security vulnerability. There are many ways that an attacker could exploit this vulnerability. 21 December: Exposing Excel's Dirty Little Secret
Microsoft Excel has features that allow spreadsheet creators to hide, lock, and/or password-protect data and mathematical calculations used in original documents. These features seemingly provide a measure of data security to conceal specified data from prying eyes.Advertisement In reality, that data can be exposed by any end user who can execute a simple copy-and-paste procedure. It takes fewer steps to reverse the security than it does to set it up. Unless access to the document is locked down, Excel cannot protect any information, although the program gives the illusion that it can, critics say. The result for large corporations is that millions of Excel documents shared between co-workers and business partners could become a security breach for confidential data. 21 December: Microsoft IE Same Origin Policy Violation Vulnerability
There exists a vulnerability in Microsoft Internet Explorer that can allow for a violation of the same origin policy. In modern browsers, script code executing in the context of one website should not be able to access the properties of another. This is a security feature known as the 'same origin policy', and it is put in place to prevent malicious websites from interacting with and possibly stealing sensitive information from others in different windows. This violation of the 'same origin policy' is a severe security vulnerability. There are many ways that an attacker could exploit this vulnerability. 15 December: Microsoft, terrorism, and computer security
If 11 September taught us anything, it's that everything is vulnerable, and often in the most blunt and simplistic ways. The massive Internet disruptions launched via Microsoft bugs over the past few years have been executed primarily by pimply amateurs. Does anyone actually believe there are no computer scientists who wouldn't love to find a place in heaven by exploiting the Great Satan's favorite software company? Microsoft's security through obscurity will only give these guys an exclusive advantage, because they'll find and use the holes that no one is expecting to be found. 15 December: MS releases mother of all IE security patches
Microsoft has released a cumulative patch for Internet Explorer which the firm says is a "critical" security precaution against crackers which should be applied "immediately". Installation of the mother of all patches "eliminates all previously discussed security vulnerabilities affecting IE 5.5 and IE 6" as well as tackling three newly discovered vulnerabilities, according to a security alert from Microsoft. 15 December: Microsoft denies Oracle's Windows claim
Oracle has been pitching its own software as "unbreakable" in a new marketing campaign that executives have used in part to call attention to what they see as the improved security of their platform running on Unix, compared with Microsoft's rival Windows standard. Hackers attempting to break into Oracle's Web site have been trying to exploit known holes in Windows NT, an executive said last week, apparently unaware that Oracle is running Unix. Mark Jarvis, senior vice president and chief marketing officer at Oracle, added: "Microsoft doesn't even use NT on their own Web site. They use Unix. It's rather ironic." Microsoft spokesman Jim Desler denied that contention, saying the company's main Web site uses Windows 2000 and a beta version of Windows .Net Server, the successor to Windows NT. 12 December: New security leak in IE 5 and IE 6. MS: "Not a vulnerability."
Oy Online Solutions Ltd's security experts have found a flaw in Microsoft Internet Explorer that allows a malicious website to spoof file extensions in the download dialog to make an executable program file look like a text, image, audio, or any other file. If the user chooses to open the file from its current location, the executable program will be run, circumventing Security Warning dialogs, and the attacker could gain control over the user's system. No active scripting is necessary in order to exploit the flaw. The malicious website can be refered e.g. in an iframe, in a normal link, or by javascript. The flaw has been successfully exploited with Internet Explorer 5.5 and 6. Microsoft was contacted on November 19th. The company doesn't currently consider this is a vulnerability; they say that the trust decision should be based on the file source and not type. The origin of the file, ie. the web server's hostname can't be spoofed with this flaw. It's not known whether a patch is going to be produced. Microsoft is currently investigating the issue. 12 December: Microsoft TV: It'll Be Watching You
Soon your television could be watching you far more carefully than you watch it. Microsoft announced on Tuesday it will be using Predictive Networks' technology to track the viewing habits of people who use Microsoft TV interactive television products. Some potential users are concerned over the prospect of being observed by their household appliances, and said they would not knowingly purchase a product that tracked their entertainment preferences. "I don't want my TV taking notes on what I'm watching. I don't want my kid's game console tracking what he's playing. I don't want my CD player collecting data on my music collection," said Kelley Consco, who was shopping for holiday gifts at Radio Shack. "It's just too creepy." Microsoft TV is a software platform that network operators can use to deliver interactive TV services to consumers, such as themed shopping, games and email. The platform supports a wide range of devices such as set-top boxes and digital video recorders to integrated television sets and games consoles. 12 December: MS mislays huge lobbyist team in court filing
Microsoft filed a characteristically Microsoftish document with with the District of Columbia court on Monday. Its "Description of written or oral comunications regarding the revised proposed final judgment" is intended to comply with US regulations regarding lobbying. In the submitted document, Microsoft is taking the narrowest of narrow views of compliance with the Act. Relevant communications are deemed to have commenced after the judge told them to try to settle, and these communications are solely the settlement talks themselves. The swarms of lobbyists Microsoft unleashed on Washington to press for a settlement following the appeals court decision apparently don't count, maybe didn't even exist, because the talks themselves must have just kind of popped out of the judge's head, and then Microsoft, good corporate citizen, fell into line. 12 December: MS Passport shuts out users
Online game players using Microsoft's Zone site complained of persistent problems accessing the service Tuesday, as Microsoft required all users to switch to its Passport authentication service. In a notice posted on the Zone home page, Microsoft informed users that they must sign up for the Passport online identification service, a controversial element of the company's .Net online services push. "The Zone is now a Microsoft .Net Passport site!" the notice read. "Your existing Zone account still works, but you must first sign in to .Net Passport or register for a new .Net Passport account." 7 December: Apple: Microsoft should pay $1 billion--cash
Apple Computer CEO Steve Jobs said Thursday that Microsoft should give $1 billion in cash to help schools, instead of software and some money, to settle more than 100 consumer lawsuits. Jobs' statement came one day before Apple plans to file a supplemental legal brief further contesting the legitimacy of the proposed settlement of the suits. Under the Microsoft proposal, the software giant could become a key beneficiary. The enticement of free software could encourage school districts to spend $500 million on Microsoft-compatible equipment and services. By contrast, if Microsoft were to give $1 billion to charitable institutions geared toward building technology capabilities inside of schools, Apple could greatly benefit because schools that could not previously afford new computers would become technology buyers. 7 December: What Microsoft antivirus software?
For years I have used a good explanation when people ask me why Microsoft doesn't bundle antivirus software: there is no additional revenue, it's just an added expense. So, I was just as surprised as anyone else when Bill Gates told a small group having dinner with him in Manhattan just before the launch of Windows XP that the company may be reconsidering its position on the issue. What is important is the underlying reason for all this--and it's not computer security. Microsoft wants people to get used to the idea of 24/7 online connections to Microsoft. Antivirus software would let the company connect to users' machines more than ever before. People don't necessarily like this idea. They don't trust the company, and over the years they've fretted that Microsoft might look at their Quicken records or spy to see whose competitive software is listed in the Registry, and then erase crucial files. These notions are crazy, but they simmer deep in the public consciousness. Anyway, Microsoft has to find some reasonable excuse to access your machine. And antivirus updates are that excuse. 7 December: How to set a record for the number of games sold per console
Microsoft is trumpeting the fact that its console buyers, "can't get enough of the Xbox launch games... gamers are buying 2.4 games with every Xbox, resulting in the highest game attach rate ever recorded for a console at launch". So reads Microsoft's latest press release, but as a few The Register readers have been quick to point out, this is a form of democracy where no matter who you vote for, the politicians win. Reader Brian Henry comments that the KB toy stores he visited required the purchase of games in order to buy the console itself. One store demanded three games with a box, while the other wanted two, an average of 2.5, which is rather close to the figure MS is touting. 4 December: "Pentagone" virus still spreading
The Pentagone worm spread quickly on Tuesday, but slowed near the end of the day, as companies took measures to prevent infections. Antivirus experts expected infections of the Visual Basic Script program--also known as Goner and Gone--to surge again Wednesday when employees and home PC users open e-mail that may be infected, thus allowing the spread of the virus to continue. The worm affects only computers running Microsoft Windows and spreads through Outlook e-mail clients. Macs and computers running Linux or other Unix-like operating systems are unaffected. 4 December: Could XP allow hackers into your fridge?
Microsoft's release of a version of Windows XP that can squeeze into all sorts of devices, from slot machines to set-top boxes to cash registers, has a catch: If you're not careful, you could find that a virus has crashed your video recorder, or a hacker has invaded your refrigerator. With Windows XP Embedded, the software company is aiming to give makers of so-called "embedded" devices--basically, any digital device that isn't a PC--an easy way of building machines that are compatible with the software of the PC world, while including only as much complexity as is needed. But manufacturers are finding that they have to deal with the security issues inherent in the PC world. With Windows compatibility comes vulnerability to all sorts of Windows-specific attacks. 4 December: MS to Europe: opening source would break patent laws
In its response to the European Commission's accusations of anti-competitive behaviour, Microsoft has claimed that the Commission forcing it to license its source code would break international patent laws. And it has noted: "The proceedings before the Commission are inevitably affected by the settlement that Microsoft has entered into with the US Department of Justice." These little snippets from the 102 page document, which was leaked to Bloomberg yesterday, might just be read as Microsoft drawing a line in the sand. The Commission does indeed have the power to force Microsoft to license its source code, but if it did so it would, in Microsoft's view, be breaking international law, and setting itself up for a tussle with the US authorities and the World Trade Organisation. It almost sounds like a threat, and that might not be wise at this juncture. 3 December: Microsoft: crime and (no) punishment
If you missed the news, more penalties against Microsoft were handed down the week of Thanksgiving. What you didn't miss was that Microsoft got off lightly--again. The beneficiaries in the settlement of about 100 private lawsuits--filed against the company in the wake of the government's antitrust case--are students at some 14,000 public schools who will get free software and computers. But it's Microsoft that will be saying thanks. To add insult to injury, the company gets to distribute even more of its product to expand and lock in its user base. If this is what the DOJ wanted by taking up the case in the first place, then we, not Microsoft, are the guilty party. 3 December: The Great MS Patch Nobody Uses
A free, downloadable update that transforms Microsoft's Outlook into a significantly more secure e-mail application has languished virtually ignored on Microsoft's website for more than a year. Although the majority of recent viral attacks have come compliments of worms that don't rely only on e-mail to spread, the Outlook E-mail Security Update (OESU) can stop or greatly lessen the impact of most malicious code, such as BadTrans and SirCam, if only people would download and install it. "Obviously, Microsoft has done a poor marketing job letting people know about the Outlook Security update, given the low download numbers," said security expert Richard Smith. "Plus the patch is difficult to locate on the Microsoft Office website, and the documentation is confusing. One has to be a super-sleuth and rocket scientist to locate the right patch file and get it installed properly." 1 December: "Microsoft," No. "Mickeysoft", Yes.
This short missive looks at the relative security of Microsoft products in light of the monopoly's announcement of its move into the electronic home market. Oh, yes..the latest, Microsoft-based e-mail virus is making headlines this week, too.
|
