The Archives of The Evil Empire2002 February
| ||
|
25 February: MS warns of 'critical' flaws
Microsoft has released patches for two security holes in its Internet software that could allow hackers to read files off a user's computer or information in Web pages that they visit. The company also patched server glitches that could let attackers crash Web servers or take over computer networks attached to Microsoft Web servers. Three of the four alerts were classified by Microsoft as 'critical.' The security glitches have been discovered in the Internet Explorer Web browser, Microsoft's XML Core Services 2.6 and later, Microsoft SQL Server and Microsoft Commerce Server 2000. They are repaired by several separate new patches, which Microsoft recommends affected users to install immediately.
21 February: Serious privacy problems in Windows Media Player for Windows XP
There are a number of serious privacy problems with Microsoft's Windows Media Player (WMP) for Windows XP. A number of design choices were made in WMP which allow Microsoft to individually track what DVD movies consumers are watching on their Windows PC. These problems were introduced in version 8 of WMP which ships preinstalled on all Windows XP systems. Each time a new DVD movie is played on a computer, the WMP software contacts a Microsoft Web server to get title and chapter information for the DVD. When this contact is made, the Microsoft Web server is giving an electronic fingerprint which identifies the DVD movie being watched and a cookie which uniquely identifies a particular WMP player. With this two pieces of information Microsoft can track what DVD movies are being watched on a particular computer.
20 February: States claim Microsoft used settlement to squeeze PC makers
Microsoft is benefiting from the proposed settlement with the U.S. Department of Justice (DOJ) and nine U.S. states by using it to impose onerous licensing terms that squeeze PC makers out of their patent rights, several nonsettling states charged Tuesday. In a filing with the U.S. District Court for the District of Columbia, seeking rejection of the proposed settlement, the states cited testimony from a Microsoft executive to prove their claim that the settlement "has fostered new monopolistic practices and fettered the market with new anticompetitive practices." "Microsoft took advantage of the opportunities presented by the language [of the proposed settlement] to adopt significantly more onerous licensing terms and to impose those on the [PC makers]," the states said in the filing. Microsoft told PC makers that the patent provision was required by the settlement, the states said.
20 February: Dangerous Yarner worm spells bad news
A dangerous worm from Germany is loose on the Internet. Yarner (w32.yarner.a@mm) appears to be a newsletter about Trojan horses from a legitimate security site, but is actually a dangerous worm. Yarner is a Windows PE EXE file about 434K in size, written in Delphi. It uses its own e-mail engine to send copies of itself to others. Once executed, the worm deletes the Windows directory on infected computers. At present, the infections are limited to Germany, however, a new variation could be produced in English or any other language.
17 February: Admins left to fix Microsoft's browser mess
Microsoft's latest security patch for Internet Explorer (IE) causes the Web browser to crash when viewing Web pages that contain a certain VBScript directive, several IE users found. Microsoft has acknowledged the problem and says Web site administrators will need to take action. "This issue does not pose a security threat to users. This issue affects stability. Normal operation can be restored by restarting IE," Microsoft said in a statement Friday.
17 February: Sony: MS already using Seattlement terms to screw us
Sony accuses Microsoft of using the Seattlement condition for a uniform Windows license (Section III.B) to renegotiate Sony's license in Microsoft's favor. Sony makes explicit its fear that: "Microsoft will use its monopoly power to force its OEM licensees to give up intellectual property rights, thus affording Microsoft the opportunity to expand its power." "Sony must agree to new 'uniform' non-assertion covenants that may weaken previously negotiated protections for Sony's intellectual property," writes the company. "This raises the possibility that Microsoft will use its monopoly power to force its OEM licensees to give up intellectual property rights, thus affording Microsoft the opportunity to expand its power.
17 February: Microsoft releases patch for SNMP flaw
Microsoft Friday released a patch for two versions of its Windows operating system to secure a hole discovered in a critical networking technology that could allow an attacker to stage denial of service attacks or take over a user's computer system. The vulnerability lies in the way a number of companies implement a standard protocol that allows system administrators to manage devices in a network, such as firewalls, computers and routers, called SNMP (Simple Network Management Protocol). It was identified last week and publicized by CERT/CC (Computer Emergency Response Team/Coordination Center), a federally funded security group.
16 February: Which Microsoft monopoly really matters?
Ordinary people don't pay too much attention to software-development tools. And this is just the way Microsoft likes it. Why? Because while the world argues, debates, and even sues over Microsoft's dominance over things like Web browsers and operating systems, it's able to quietly control the hearts, minds, and digital tool chests of the people who create the software we use every day. And why would Microsoft want to do that? Well, controlling developers--and the tools they use--is just the most insidious way it stamps out competition. Programmers get hooked on Microsoft's tools because they're so easy to use. After that, they tend to use other Microsoft products, too. As time goes on, it becomes more and more difficult for developers to follow a competitor's path.
16 February: Worm exploits MSN Messenger
A relatively benign but effective Internet worm attacked users of Microsoft's MSN Messenger service Wednesday by exploiting a bug in Internet Explorer that was reported last year, but was only recently patched by Microsoft. Dubbed the 'Cool Worm' by an early discoverer, the worm arrives as an MSN instant message that reads, "Go To http://www.masenko-media.net/cool.html NoW !!!" Clicking on the link opens a Web page with malicious Javascript code that rifles through the victim's MSN Contacts list, then messages every contact with the same "Go To..." invitation.
16 February: Flaw spotted in new Microsoft tool
A flaw in a software tool just released by Microsoft could lead software developers to inadvertently write programs that are vulnerable to attack, according to security specialists who discovered the flaw. The security problem is said to lie with the compiler that accompanies the new Visual C++.Net, just one of several tools included in Visual Studio.Net that Microsoft shipped Wednesday. Visual Studio.Net comprises new versions of the company's software development tools, including Visual Basic, Visual C++ and its new Java-like language, C#. Software security company Cigital says the compiler contains a flaw that can allow an attack called a "buffer overflow" to be initiated.
16 February: Virus smuggling risk for Outlook Express users
Security researchers have identified a way to smuggle virus laden emails past AV checkers and into the in-boxes of Outlook Express users. A demo suggests it's possible to send attachments to Outlook Express users using non-standard attachment techniques, by encapsulating the data in Carriage Return () specifiers in the subject line of an email. Mail filtering utilities usually don't search the subject line for this type of data, so a maliciously constructed email might appear as an attachment to Outlook Express users. Users of other email clients, such as Eudora, wouldn't see the attachment, so the risk is restricted to Outlook Express 5.5. and 6.0 users on Windows PCs.
16 February: Justice chief queried over MS campaign contributions
A Democrat representative on the US House Judiciary Committee has written to Attorney General John Ashcroft asking why he did not disqualify himself from participation in settlement talks in the Microsoft case, whereas he has done so in the case of the Enron investigation. Ashcroft's failed senate campaign in 2000 received contributions from both Microsoft and Enron.
16 February: More growing pains at Microsoft?
While Microsoft is focusing much of its energy these days on developing Web services and on tightening the security of its software, it hasn't stopped exploring new markets. The Redmond, Wash.-based company plans to make deeper forays into the areas of security software and storage through two upstart divisions, according to Group Vice President Jim Allchin. A new storage business unit, run by Bob Muglia, is "looking at products that corporate customers might use," Allchin said in an interview with CNET News.com. Despite scant information on Microsoft's plans, analysts said the move could send shockwaves through the industry. "Microsoft's entry into that marketplace could be very disruptive; they could change the way that marketplace does business," said John Webster, a senior analyst at research firm Illuminata. "If it decides it wants to be in the storage market, (storage makers) would really have to sit up and watch them."
16 February: Microsoft Patch Leaves IE Users Exposed To Attacks
A bundle of software fixes designed to close security holes in Microsoft's Web browser leaves Internet Explorer users vulnerable to several published attacks. The patch, which was released by Microsoft Monday, "eliminates all known security vulnerabilities affecting Internet Explorer," according to bulletin MS02-005 from the company. Six bugs, two of which are rated "critical," are addressed by the cumulative patch, Microsoft said. But tests performed by Newsbytes and independent security researchers show that the Feb. 11 patch only partially closes two vulnerabilities and does not address at all a flaw in Internet Explorer version 6 that could allow remote attackers to execute programs on a client system.
12 February: MS issues monster IE security fix
A total of six new security stuff-ups affecting Internet Explorer and Outlook Express have been addressed in a cumulative patch which has made two temporary appearances on the TechNet Web site since last week. This, the third posting, has been up for several hours, so we're going to take a chance and assume it works properly. The patch addresses a serious buffer overflow vulnerability which can give an attacker total control of a victim's machine; a vulnerability allowing an attacker to view files on the victim's local drive; an HTML header manipulation vulnerability allowing an attacker to feed an executable file to a victim while causing it to appear to be a harmless text file; another header manipulation vulnerability which allows an attacker to invoke applications on the victim's system; a permission vulnerability allowing an attacker to run scripts even if the victim has scripting disabled; and the Document.Open() vulnerability which enables MSN and Windows Messenger to be hijacked.
12 February: Windows XP license gives full control over computers to Microsoft
The German news service Heise.de points out a change in the January 2002 version of Microsoft's Product Use Rights document, which it calls "reminiscent of the story of the Trojan horse." Under the regulations of this document, every user with XP installed acknowledges and agrees that Microsoft may automatically check the version of the Product and/or its components that they are utilizing and may provide upgrades or fixes to the Product that will be automatically downloaded to their Workstation Computer. This right is not just limited to Microsoft software, but also also extends to software installed under the Digital Rights Management scheme. These automatic updates are highly problematic as they infringe on the responsibilities of systems administrators and may cause problems in environments where security concerns dictate that new software only be installed after it has passed several security tests. NOTE: This article is in German.
12 February: Microsoft's lobbying efforts eclipse Enron
Microsoft's budget for political lobbying exceeded that of Enron, the judge residing over the antitrust case has heard. The software giant's budget for its Political Action Committee (PAC) increased from about $16,000 in 1995 to $1.6 million in 2000, according to Edward Roeder, a self-styled expert on efforts to influence the U.S. government, and founder of Sunshine Press Services, a news agency devoted to investigating money in politics. Total donations to political donations from Microsoft and its employees to political parties, candidates and PACs in the 2000 election cycle amounted to more than $6.1 million. During this period, Microsoft and its executives accounted for $2.3 million in soft money contributions, compared to $1.55 million by Enron and its executives for the same period.
12 February: Rebel States slam MS witness list
The nine States still pursuing the case against Microsoft yesterday asked the judge to bar 16 of Microsoft's witnesses, accusing the company of using "hide-the-ball" tactics by waiting until the last minute before filing the list. Microsoft's list includes 23 "previously undisclosed" witnesses, and maintains a certain coyness in that no less than seven of the mooted Microsoft witnesses may or may not actually take the stand. The States are objecting on the basis that the new batch of witnesses, and the way it was produced, constitutes time-wasting. Microsoft has shown "blatant disregard for this court's schedule and for the reasonable and appropriate conduct of litigation."
11 February: New security leak in IE lets attacker take over MSN messenger
There has recently been reported some privacy problems in MSN Messenger. However, these problems pale in comparison to what can be done if you use MSN Messenger through unpatched IE vulnerabilities. Using these, a malicious programmer can easily hijack the MSN Messenger client from a user, allowing him/her (among others) to silently and automatically read their contact list (harvesting email addresses) and impersonate the user by sending arbitrary messages, email or local files to anyone. The victim would be unaware of any such action, and the malicious programmer would in practice be impersonating himself as the victim towards the MSN Messenger client, allowing him/her to do anything with MSN Messenger that the victim would normally be able to.
11 February: The full impact of .NET
The German computer magazine c't has published an interesting analysis of the full impact of Microsoft's .NET technology. Apart from showing the various positive aspects of .NET, c't also points out that it may be highly problematic that millions of users worldwide trust one particular company - Microsoft - to store highly sensitive personal data that makes every single person identifiable on the net, especially given Microsoft's poor security record. NOTE: This article is in German
9 February: Privacy at risk from MSN hole
MSN Australia has acknowledged that users remain at risk from a privacy hole, even though the company has known about the vulnerability since Tuesday. A spokesperson at MSN's Australian arm confirmed it had been aware of the vulnerability since a posting was made on Bugtraq, a security mailing list, on Tuesday yet is still looking for a solution. According to the posting, MSN Messenger or Windows Messenger on XP could be used to obtain personal information about a user from any Web site, in any domain. Richard Burton, who posted details of the vulnerability on Bugtraq, said that by using JavaScript anyone can obtain a user's Messenger display name, and the display names of their contacts.
9 February: Mac Office vulnerable, Microsoft warns
Users of Microsoft Office on the Macintosh may find that their product serial number is a tool for hackers. Microsoft issued a security warning Wednesday saying that programmers with malicious intent could use Mac Office v. X's product identifier to shut down one or more copies of the application running on a network or connected to the Internet.
9 February: MS bitten by old .NET vulnerability
Numerous installations of Microsoft ASP.NET are vulnerable to cross-site scripting (CSS), according to a recent post by Johannes Westerink to the BugTraq mailing list. CSS leverages JavaScript and makes it possible to place a malicious URL in an e-mail or on a Web site, which if followed will compromise the user's machine by various means, including exposing shares and/or retrieving data files such as cookies. JavaScript can also be executed on a remote server using malicious URLs. There are numerous possible attacks; but for one common example, a 404 page may be generated with the added bonus of full path disclosure.
9 February: MS chief lashes out at German Free Software petition
A petition lobbying for the use of Free Software in the German Bundestag has rattled Microsoft Germany sufficiently for the company to retaliate. Microsoft Deutschland chairman and EMEA VP Kurt Sibold has responded to the ringleaders, complaining of discrimination, and of being accused of being a hindrance to democracy. One of the things likely to have worried Microsoft most is the fact that quite a few of the initial supporters of the petition are Bundestag members, meaning it looks much more like a genuine campaign with heft than just a clutch of crazed visionary lobbyists.
|
