In an article dated April 14, 2004 Microsoft acknowledged 14 vulnerabilities in the Windows operating system, the most serious of which can be exploited by malicious people to compromise a vulnerable system.
Since that time Microsoft has issued patches upon patches, but as of this writing, after the release of Microsoft's Service Pack 2 (which is 270 Megabytes!), there are still Windows security problems. In addition, many of the patches have caused some software to fail.
Here is another reason why we neither use nor promote Windows:
A former Microsoft employee says addiction to Windows revenue, mediocre products and missed opportunities could doom Seattle's most successful company, according to an article written by Jeff Reifman.
Here are a few quotes from the article:
"Why are Microsoft products so endlessly frustrating to use? Even techno-geeks like me get annoyed by Windows. I'm tired of spending the first 10 minutes of my day rebooting just so I can get to work. MS Outlook 2003, the latest version of the company's e-mail and calendar software, hangs for me about once a day, requiring me to restart my PC. I also have a problem with Word 2003. Whenever I bullet a line of text, every line in the document gets a bullet. Asking Windows to shut down is more of a request than a command - it might, it might not. And recently, Internet Explorer stopped opening for me.
. . . I began using Microsoft products 23 years ago, at age 11, and worked for Microsoft from 1991 to 1999 as a technology manager. For many years, I was a Microsoft loyalist. While aware of Microsoft's shortcomings, I always believed that the Soft did its best to improve product over time . . .But recently, I've had a crisis of faith. Perhaps I've rebooted Windows one too many times.
. . . Last month . . .I bought a Macintosh G5 . . . It has been a breath of badly needed fresh air after Windows. . . Until recently, I dismissed those who did (use Macs) as impractical, elitist hipsters. . . But in the first five minutes on my new Mac, I was surfing the Internet, sending e-mail, and ripping a CD. This made me wonder about Microsoft's willingness to innovate and compete. Why are Microsoft products still so difficult to use and so unreliable? . . .Competitors such as Linux and Google are gaining, and Microsoft seems unprepared for the road ahead.
. . . Microsoft's attempts to diversify into consumer businesses have yet to pay off: 68 percent of its revenue still comes from Windows and Office sales - more than 80 percent if you include the Windows server software used by so many businesses. The company must protect these core products. 'The prime directive at Microsoft is to protect Windows and get customers to buy Windows and upgrade to Windows,' says Mat Rosoff, lead analyst at Directions on Microsoft. . . Windows, Office, and IE all have greater than 90 percent share of their respective markets. To protect the cash cows, Microsoft must do things that no other software company would be doing. . .Microsoft hasn't solved many of the software problems described . . . because of lack of competition. 'One of the most frustrating things about Windows is how it steals time from us,' says Andrews . . . In most ways, OS X is superior to Windows XP. . .
Microsoft is resisting the trend to open-source software development, in part because its entire Windows revenue stream could dwindle to a trickle if it did so. . . Recently, though, Microsoft announced that its next major Windows release, code-named "Longhorn" might be delayed beyond 2006 unless it is significantly pared down. It's already been three years since the release of Windows XP and customers still have quality and security problems with it. . . It is beyond comprehension how the company could let five years lapse between major upgrades of its flagship product. Microsoft's missteps have opened a gaping window of opportunity for competitors.
To remain attractive to investors, Microsoft must demonstrate that it can replace lost revenue by diversifying into new businesses. . . Microsoft admits that one of its biggest challenges is getting users of its products to upgrade to new releases. Fewer than 3 percent of Microsoft Office users have upgraded to the latest version. Microsoft says that it is its own biggest competitor, but in the absence of significant innovation, the real threat is customers defecting to less expensive alternatives . . .
University of Baltimore law professor Robert Lande says, 'Microsoft, like almost all monopolies, has become fat and lazy. Monopolies do not engage in innovation with the same urgency because they don't have to innovate to stay in business.'
Meanwhile, Microsoft continues to promise solutions for tomorrow that customers need today. . . Microsoft . . . products don't excite me anymore. I remember eagerly looking forward . . . only to be disappointed by complex, buggy, and unimproved . . . There's kind of an angst. . .In its search for market share, dominance, and profits, Microsoft lost the ultimate battle. . ."
Read on . . . is this the kind of company you want to do business with?
By Kieren McCarthy
Posted: 13/07/2001 at 14:50 GMT
Reports are coming in from our cousins in Australia that Microsoft
has extended its software licence crusade to include kids'
charities.
South Australian charity PCs for Kids - which hands out
second-hand PCs to poor and disadvantaged people - has
apparently been receiving calls from MS' lawyers insisting that
they cough up the Au$200 Microsoft per-PC tax aka software
licence.
PCs for Kids is the smallest of a number of charities in Australia
that hand out old computers to those that can't afford them in the
hope of bridging a poverty and skills divide. However while most
of the charities use open-source software like Linux to avoid the
licence agreements, PCs for Kids has been providing PCs with
Windows.
Which of course means that it is fair game and should be
hounded for every penny that these evil subversive elements owe.
In fact, the Australians - ever the pragmatic race - have been
turning away from Microsoft because of its controlling efforts and
without making much of a fuss. Universities have started loading
up Apache, Linux, Samba etc and even government departments
have started to think twice about the easy but expensive option.
Just this week, top IT news site down under It.mycareer reported
that the Labor government in opposition promised it would
encourage the use of open-source software if it came into power
because it increases innovation and cuts costs.
Needless to say, the World's Greatest Luddite Senator ™
Richard Alston - the man behind a tranche of unbelievable
Internet legislation in the last few months - has condemned the
idea. Apparently it would leave a government open to litigation
because the government has signed "binding legal contracts" with
software suppliers.
====================================
There is a rather interesting article written by Charlie Demerjian entitled
"The IT Industry is Shifting Away from Microsoft". This article is dated Sunday 28 December 2003.
Here are some choice lines from Mr. Demerjian's article:
"We are experiencing a major IT industry shift right now . . .
Until very recently, Microsoft owned everything in the personal computer business, both low and high on
the food chain. . .The problem is that Microsoft just isn't trusted . . . That knowledge is spreading up
the executive ranks. Microsoft has a habit of promising users things, but not delivering. . .
The fact remains that Microsoft's entire infrastructure is based on fundamentally flawed designs,
not buggy code. These designs can't be changed. . . And if Microsoft does change its ways, what incentive
will you have to stick with Microsoft? If you have to start over from scratch to build your app in a
new, secure Microsoft environment, will you pay the hundreds or thousands of dollars to go the Microsoft
route . . . Starting over from scratch nullifies the one advantage that Microsoft has. . . In light of the
won't do and can't do, Microsoft sits there, and watches its market share begin to erode. That's happening . . .
the snowball is rolling. A few people are starting to look up the hill and notice this big thing barreling
down at them, and some are bright enough to step out of the way. . .The big industry change is happening,
and we are at the inflection point. Watch closely people, and carefully read each and every press release."
====================================
--------------------
Microsoft Monopoly Threatens U.S. Security
--------------------
By Winn Schwartau
Winn Schwartau, president of Interpact, Inc., a Florida-based security
awareness firm, and founder of InfowarCon, is author of several books,
including "Cybershock" and "Time Based Security."
February 11, 2003
The great late comedienne Gilda Radner's renowned "Saturday Night Live"
character Roseanne Rosanna-Danna ended each of her weekly editorial rants
with, "Y'know, Jane, it's always something."
And so it is in cyber space. It's always something, and "It" is not going to
go away anytime soon. In fact, things are going to get thunderously worse.
The "slammer" worm that crippled the World Wide Web earlier this month in a
virus-like attack on corporate and government servers is the most recent in
a long series of increasingly creative and disruptive assaults against the
Microsoft hegemony, e-commerce and the Internet as a whole.
We do know that much of the heart of cyber-security failings is caused by
Microsoft, as "Slammer" has shown. This is not a repeat indictment of Bill
Gates' much ballyhooed yet failed efforts at making Microsoft products
secure for business and home. Rather, it is the global techno-cultural
failure of buying everything Microsoft because it's the easy, rather than
secure, thing to do.
There is a simple analogy: If every lock to every door in the world were
made by the same company, and each of the companies' locks used the same
kinds of interchangeable tumblers and mechanical assemblies, what would the
result be? Sadly, it would make the criminal's job far easier because he
would only have to learn how to pick or bypass a limited set of locks.
Now for Microsoft. It owns 95 percent of the Internet browser market (which
includes e-mail software) and more than 90 percent of the operating system
and office suite market. Also, 28 percent of Web servers on the Internet are
run by Microsoft software. See the problem?
The hackers (criminal, miscreant, recreational or security mavens) go after
Microsoft products for a simple reason: The world is arrogantly dominated by
the most insecure software.
We used to live in a heterogeneous world where different computers used
different operating systems. That meant incompatible software, but it was
also an electronic world that was very difficult for the bad guys to break
into. We have evolved into a homogenous world, with Microsoft Milk in the
Middle, where all of the parts are interchangeable and any program can talk
to any other program. "Cut and Paste" is the mantra of globalization.
This approach solved previously incompatible operational nightmares, but
what has it wrought? Now nearly all the world's locks to the repositories of
the Information Age are made by the same company. Isn't that the height of
criminal stupidity? Every time a weakness or vulnerability to a Microsoft
product is discovered, the details are instantly broadcast around the globe,
surely to be exploited by the nethermongers of the 'Net.
The world's economic engines run on Microsoft products waiting for the next
"It's Always Something" to strike. The foundation of American defense is
Microsoft. Its products, which are used throughout the federal government,
including the Department of Defense, similarly await the next debilitating
cyberattack. Our national critical infrastructures, including
transportation, power, communication and first-response emergency services,
also sit in dire need of a workable balance between security, privacy and
efficiency. Whether it's harmless joyriding hackers gung-ho to help their
country or terrorists targeting an electronic Pearl Harbor, the results are
the same.
Suddenly the concept of cyber-monopoly, an efficient homogenous amalgam of
mouse-clicks and windows, has national security implications. I have never
been an advocate of Congress legislating against bad engineering, but
perhaps we have turned a historical corner that demands a revisit.
We need to broaden our view of the impact when three fundamental concepts
are uttered in the same breath: economic health, critical infrastructure
protection and Microsoft monopoly. Anti-monopolistic laws were originally
created to encourage capitalistic competition. From a security standpoint,
one technical monopoly today has the most significant national security
implications in this country's history. Repairing that will take vision and
courage.
Because we never know how we are going to get slammed the next time, maybe
our political foolhardiness is letting us slam ourselves.
Copyright (c) 2003, Newsday, Inc.
--------------------
This article originally appeared at:
http://www.newsday.com/news/opinion/ny-vpsch113125897feb11,0,322981.story
Visit Newsday online at http://www.newsday.com
====================================
How's this for a quote!
Friday 6 September 2002
Microsoft: "Our products aren't engineered for security"
Brian Valentine, senior vice-president in charge of Microsoft's Windows
development, has made a grim admission to the Microsoft Windows Server
.net developer conference in Seattle, USA.
"I'm not proud," he told delegates yesterday (5 September). "We really
haven't done everything we could to protect our customers. Our products
just aren't engineered for security," admitted Valentine, who since 1998
has headed Microsoft's Windows division.
In August the company put out eight security bulletins. This month it
has released two, so far, with the latest urging users to patch a flaw
in its digital certificate technology that could allow attackers to
steal a user's credit card details.
====================================
From: PETER COFFEE'S ENTERPRISE IT ADVANTAGE
A weekly newsletter from eWEEK Technology Editor Peter
Coffee focused on application development and technologies
at the cutting edge of enterprise-class computing
September 16, 2002 // Volume 2, Issue 34
WHAT WILL YOU WANT TO UNDO TOMORROW?
-- By Peter Coffee --
When we used to draw block diagrams of the PC architecture,
back in that other century, the operating system would be a
horizontal layer immediately above the hardware; the
applications would be the next tier up, a row of adjacent
blocks on top of the OS layer, having the status of peers
with each other and clients of the operating system.
If you updated a piece of the operating system, all of the
applications would see that new facility. If interfaces were
correctly preserved, the applications might all work better;
realistically, some of them would work better while others
(the ones that broke the rules, and coded to internals
instead of to published APIs) would be broken. But we all
knew what the rules were.
Alarmingly, it looks as if it's no longer possible to draw
these diagrams as horizontal layers, with the boundaries of
those layers clearly defined by published rules. The new
diagram looks more like the Towers of Hanoi, the classic
game (whose solution first taught me the concept of
recursion) that requires things on top to be removed before
anything farther down the stack can be changed. This says
nothing good about the future of desktop or mobile
computing.
(Visit About the Towers of Hanoi:)
http://eletters1.ziffdavis.com/cgi-bin10/flo?y=eR4f0DDiOU0E4K0qbs0Ao
I'm talking, specifically, about the new approach to
modularity--or rather, lack thereof--that we see in the
remarks of Microsoft product manager David Caulton, who
explained the absence of an Uninstall procedure for Media
Player 9 with the following shocking example: "As with any
OS component you might upgrade, everything has to go back
sequentially together. If I install Windows Media Player 9
Series beta and Office, and I roll back, that would be to a
pre-Office state."
(Read "Windows Media Player 9--no uninstall?":)
http://eletters1.ziffdavis.com/cgi-bin10/flo?y=eR4f0DDiOU0E4K0qbt0Ap
Oh.
So, it's now official: Not only is Office an "OS component,"
not a suite of applications, but the topology of Windows
really is one big giant hairball (officially, "a single,
integrated product"). If you want to replace the
next-from-outermost layer, you have to untangle the
outermost layer first. "The more users that can be informed
that's the method for going back, the better," emphasized
Caulton. He's right, but perhaps not in the way that he
intends: Platforms that don't impose this model may be the
beneficiaries.
I wonder if Caulton realizes how completely unacceptable
this attitude will be to enterprise IT. It comes from the
same company whose Undo facilities in applications can only
undo actions in sequence: If you think about it, when I
change a word and then change the style of a paragraph, for
example, I should be able to pull down a list of past
actions and undo the typing without affecting the subsequent
formatting action.
But it's no doubt easier to implement as a simple stack--and
within the context of editing a single document, we can
probably live with that. If we're supposed to take seriously
the ideas of Web services, however, with their potential
combinatorial explosion of interactions between cooperating
(or, perhaps, competing) distributed agents and processes,
then it's clear that we need to be able to change modules in
a mix-and-match manner--not be forced to undo an arbitrarily
long list of configuration changes to get at one that's
several steps in the past, only to rebuild the stack after
making the only change that we really wanted to make.
It's a matter of discipline. Buyers must demand it, or
expect that vendors will continue to be guided by their own
convenience.
====================================
Subject: Byte Article Sept, 2002
By Bill Nicholls
September 3, 2002
With all the publicity that Windows and Linux
get, you may be forgiven for not being aware of
a number of other operating systems. Yet there
are many other choices that I find interesting
and as useful alternatives.
Five Desktop Alternatives:
  OS/2 Convenience Pack from IBM
  eCS, OS/2 plus enhancements from Serenity Systems
  OpenBeOS, an open source version of the OS developed by Be
  BeOS 5 personal
  Amiga, the phoenix of operating systems
Three Emulator/Virtual Machine Systems:
  VMWare
  Virtual PC
  Bochs
The last three OSes on the list are qualitatively
different from the rest: they are designed as
emulators or virtual machines that can run more
than one OS at a time, shared in one set of
hardware. Like the story about the dancing
bear, what is remarkable given the ancient x86
design is not how well they work, but that they
work at all.
Be aware that this short list is by no means
exhaustive. There are several more commercial
or open OSes that are mature and in use, but
even this list will be enough to digest at one
time.
In the interest of full disclosure, I have used
Microsoft Windows from 1.01 in 1985 to
Windows 3.1, and subsequently Windows 95/98
and NT. In the '87-'89 timeframe, I ran
DesQview and Windows together. From the
1991 beta of OS/2 2.0 up to today's eCS 1.0,
and including all versions between, OS/2 has
been my primary desktop. In addition, I
currently run NT, FreeBSD, and OpenBSD as
well as the occasional Linux.
The Development of OS/2
People new to computers in the '90s probably
don't know this background, and some may have
forgotten. Microsoft was OS/2's chief
competitor in the '90s, but it didn't start that
way. Way back in the '86-'87 timeframe, OS/2
was a cooperative effort between Microsoft and
IBM. Yep, the two goliaths were cooperating, in
principle at least.
OS/2 became an IBM-only project in 1989.
Microsoft chose to develop Windows further in
competition with OS/2. The cause of this battle
is debatable, but it ultimately evolved into
ownership of the desktop OS. The original
Windows 4.0 was predicted for delivery in
1993, then 1994. It then became Windows 95
and was finally delivered in August 1995 to the
accompaniment of extraordinary hype.
OS/2 began as an enhanced OS to run protected
mode programs, and multitask in the protected
mode of the Intel 286 chip. The choice of the
barely adequate 286 chip for this task caused
significant development delays, so by the time it
was available as OS/2 1.1, the 386 chip was
already popular.
OS/2 2.0 became a 386-only version at IBM. It
went beta in 1991, and shipped GA in 1992, just
around the time Windows 3.1 was delivered.
From early 1992 until August of 1995,
Microsoft had no OS that could really compete,
in terms of multitasking and reliability. Despite
this three year lead in technology, IBM was
unable to build a coordinated effort to sell OS/2,
and one result is that Microsoft has had an OS
monopoly on the desktop for almost a decade.
The full story of this battle is much more
complex and full of unusual events. For a
variety of reasons, IBM had, in theory, the
better team, more experience, better technical
capabilities, a much larger sales force, and entry
into the most businesses. So much for theory.
The OS/2 Contenders
The situation has changed a lot since IBM's
announcement, in 2000, that OS/2 was
end-of-life and would be supported with limited
enhancements and drivers through 2006. Due to
demand from a vocal business user base, IBM
has increased its support to deliver upgraded
Convenience Packs (CP) each year, reducing
testing and upgrade support costs for the
business community.
However, the strategy announcement for OS/2
in 2002 contains some significant changes to the
previous environment. Specifically:
IBM does not intend to provide
additional Convenience Packages in
the future. For more information
about Convenience Packages see
announcement letter 200-082 at
http://www.ibmlink.ibm.com/.
There's more bad news:
OS/2 Defect Support: Limited
warranty defect support will expire
for Warp Server for e-business on 31
May 2002 and for IBM WorkSpace
On-Demand 2.0 on 31 December
2002. IBM plans to provide Program
defect support for OS/2 Warp 4
Convenience Packages and for Warp
Server for e-business Convenience
Packages for customers with software
subscriptions through 31 December
2004. [DO NOT STOP READING HERE!!]
It looks like end-of-life has been accelerated.
But the good news is next.
As vocal as the OS/2 business users, but less
financially convincing, were the individual users
such as myself. Until 2001, it looked like CPs
were our only option. Then something unusual
happened. IBM licensed OS/2 for resale to
Serenity Systems, with the aim of supporting
individuals and small businesses.
Serenity Systems enhanced their offering by
improving the installation process, adding a
large selection (35 items) of independently
developed software and the Lotus Smart Suite
from IBM as part of eComStation (eCS), their
version of OS/2. They also included SMP as an
option for the workstation version.
eCS 1.0 shipped on April 2001 and has
continued development since then. Serenity
Systems has indicated that eCS 1.1 is expected
in the fourth quarter of 2002, after some
selected user testing. The list of enhancements
planned is significant and includes a new
installer, even better than the original eCS 1.0
installer, which was a big jump over IBM's
version.
eCS' site contains a lot of information: patches,
new uploads, news, applications, and links to
other supporting sites. The support and FAQ
section is particularly useful, and it looks like
Serenity Systems will be our future support for
OS/2. Their performance in a tough business
environment gives me confidence for the future
of OS/2 in its eCS incarnation.
. . . This was not the end of the article; if you wish to read the entire
article or other articles by the author, please visit the Utility Infielder Index, or for updates between columns,
visit his web site: http://www.billswrite.com.
====================================
Ummm, now Microsoft has taken to false advertising . . .
http://news.bbc.co.uk/2/hi/technology/2329519.stm
Tuesday, 15 October, 2002, 11:10 GMT 12:10 UK
> Web users turn tables on Microsoft
Microsoft has been caught using a fake advert that claimed people were
switching from Macs to Windows PCs.
The advert debuted on Microsoft's website and supposedly recounted the
story of a former Apple Mac user who had converted to using Windows.
But investigative work by net users revealed that the supposed 'switcher'
actually worked for a marketing company employed by Microsoft.
The Microsoft advert was a response to the high-profile campaign run by
Apple which showcased people who have moved from Windows to a Mac.
Stock taking
The page documenting the switch was entitled 'Confessions of a Mac to PC
Convert' and debuted on the Windows XP Insider section of Microsoft's
site. It supposedly told the story of a "freelance writer" who had used a Mac
for eight years but who had now switched to using Windows. In it the switcher
declared: "Windows XP gives me more choices and
flexibility and better compatibility with the rest of the computing world."
Originally news of the article's existence was posted to the popular
Slashdot website as a joke, but eagle-eyed users of the site found grounds
to suspect the story behind it. They noticed that the picture of the woman
used to illustrate the story was a stock image from the Getty Library and
unlikely to be a genuine customer.
Investigative work by a reporter from the Associated Press tracked down
the person behind the story who turned out to be an employee of the Wes
Rataushk & Associates ad agency.
This was the company that was employed by Microsoft to draw up the adverts
about switchers.
Microsoft has now pulled the page from its website and said it 'regretted'
its action. But in its defence it said that the employee had definitely switched from
using a Mac to Windows.
====================================
Although the United States spends nearly $1 billion every
year to help Russia protect its vast storehouse of nuclear weapons
materials from theft or sale on the black market, few Americans know how
this aid helps strengthen America's own nuclear safeguards.
Russian experts at the Kurchatov Institute, the renowned
nuclear research center in Moscow, recently found what appears to
be a critical deficiency in the internal U.S. system for keeping
track of all bomb-grade nuclear materials held by the Energy
Department - enough material for tens of thousands of nuclear bombs.
Kurchatov scientists discovered a fatal flaw in the Microsoft
software donated to them by the Los Alamos National Laboratory. This
same software has been the backbone of America's nuclear
materials control system for years. The Russians found that over time, as the
computer program is used, some files become invisible and inaccessible
to the nuclear accountants using the system, even though the data
still exist in the netherworld of the database. Any insider who understood
the software could exploit this flaw by tracking the "disappeared"
files and then physically diverting, for a profit, the materials
themselves.
"Web services may be the next big thing, but a group of users, analysts
and even Web services vendors acknowledged last week at a roundtable on the issue
that significant barriers to using the technology remain.
Security concerns, interoperability, data trapped in legacy systems,
inadequate networks, general confusion over how to use XML, the immaturity of
current Web services protocols and slashed IT budgets were all cited as hurdles to
using Web services. The message from those attending the first Boston Area Web
Services Roundtable here: Be careful."
Comment:
We at Aviar believe that the web is fine for e-Mail, on-line purchasing,
and general surfing. But we strongly disagree that the web is up to the
complex tasks necessary for optimal CMMS performance.
You may be swayed by self-proclaimed Maintenance "Analysts, Experts and
Columnists" who advise you that web-based CMMS systems are the "only way
to go." In our opinion, they are wrong. Web-based CMMS systems will give you
headaches. The above article spells out many of the hurdles you will
face with such a system. As it states, "Be careful."
We believe that the needs of Maintenance Management are best served by a
small, self-contained, network of Personal Computers dedicated to
Maintenance and ONLY Maintenance.
====================================
This is just a list of Microsoft flaws compiled since April.
====================================
August 29, 2002
Microsoft Says Found Security Flaw in Windows
Thu Aug 29, 7:06 PM ET
"SEATTLE (Reuters) - Microsoft Corp. said on Thursday that a security
flaw in all versions of its flagship Windows operating system software
released since Windows 98 could allow attackers to
delete digital certificates."
Microsoft discloses 'critical' security flaws: Office, IE lapses
put millions in danger of being hacked!
SEATTLE, Washington (Reuters) -- Microsoft Corp. said Thursday that
"critical" security lapses in its Office software and Internet Explorer
Web browser put tens of millions of users at risk of having their files
read and altered by online attackers.
====================================
August 22, 2002
Unsafe Functions in Office Web Components (Q328130)
Originally posted: August 21, 2002
Summary
Who should read this bulletin: All customers using Office Web
Components, which is available as a stand-alone download and included as
part of the Microsoft products detailed below.
Impact of vulnerability: Three vulnerabilities, the most serious of
which could allow an attacker to run commands on the user's system.
Maximum Severity Rating: Critical
Recommendation: Customers using these products should install the
appropriate patches immediately.
Attackers could use vulnerability to gain access to buyer information.
By Dan Brekke, Tech Live
A San Francisco programmer has disclosed a potentially severe flaw in
how Microsoft's Internet Explorer browser implements a technology meant
to assure secure transactions over the Web.
====================================
August 16, 2002
Microsoft: SSL flaw is in operating system, not Web browser
Microsoft SQL Server Remote Buffer Overflow Vulnerability
BugTraq ID: 5411
Remote: Yes
Date Published: Aug 06 2002 12:00AM
Relevant URL: http://www.securityfocus.com/bid/5411
Summary: A vulnerability has been discovered in Microsoft SQL Server that could
make it possible for remote attackers to gain access to target hosts.
It is possible for an attacker to cause a buffer overflow condition on
the vulnerable SQL server.
This vulnerability reportedly occurs even before authentication can
proceed. Reportedly, this is due to a default system configuration.
====================================
August 13, 2002
Microsoft Exchange 2000 Post Authorization License Exhaustion Denial Of
Service Vulnerability
BugTraq ID: 5413
Remote: Yes
Date Published: Aug 06 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/5413
Summary:
A vulnerability has been reported for Microsoft Exchange 2000.
Allegedly, Exchange 2000 will experience a denial of service condition
when an authenticated user makes many requests. The vulnerability is due
to IIS incorrectly allocating licenses to Exchange. Making numerous,
rapid requests will exhaust available licenses granted to Exchange by
IIS.
====================================
August 13, 2002
Microsoft Internet Explorer Invalid SSL Certificate Chain Vulnerability
BugTraq ID: 5410
Remote: Yes
Date Published: Aug 06 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/5410
Summary:
A flaw has been reported in the handling of SSL certificates by
Microsoft's Internet Explorer web browser. It may be possible for a
malicious party to create SSL certificates for arbitrary domains, which
will be treated as trusted by the vulnerable browser.
====================================
August 13, 2002
Microsoft Windows Window Message Subsystem Design Error Vulnerability
BugTraq ID: 5408
Remote: No
Date Published: Aug 06 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/5408
Summary:
A serious design error in the Win32 API has been reported. The issue is
related to the inter-window message passing system.
====================================
August 8, 2002
Passport Brings Microsoft New Headaches
The Federal Trade Commission has settled a case against Microsoft
involving its Passport Web service. The FTC says Microsoft's claim that
purchases made through Passport were more secure than typical E-commerce
transactions was bunk. It also says Microsoft did not employ "reasonable
and appropriate measures" to protect consumers' personal data.
Commissioners also charged that Microsoft did not fully disclose the
extent of personal data it collected on Passport users.
Under the settlement, Microsoft must beef up its Passport security and
have it inspected by an independent professional every two years.
Multi-platform flaw affects most operating systems
Security researchers have warned of a flaw in communications software
that could allow attackers to take over computers running Windows, Mac
OS X and Unix-based operating systems, as well as those with Kerberos
authentication systems. The problem is widespread because it affects
some implementations of XDR (external data representation) libraries,
used by many applications as a way of sending data from one system
process to another regardless of the system's architecture. The affected
libraries are derived from Sun Microsystems' popular SunRPC remote
procedure call technology.
http://www.cert.org/advisories/CA-2002-25.html
NOTE: No mention of OS/2 or eCS vulnerability
====================================
August 2, 2002
MS SQL 2000 resolution service, multiple vulnerabilities
Microsoft released MS02-039 ("MS SQL 2000 resolution service, multiple
vulnerabilities"). The resolution service included with MS SQL Server
2000 contains two remotely exploitable buffer overflows that allow an
attacker to execute arbitrary code under the privileges of the SQL
service account. A remote denial of service vulnerability exists, as
well.
FAQ and patch:
http://www.microsoft.com/technet/security/bulletin/MS02-039.asp
Source: Microsoft (NTBugtraq)
http://archives.neohapsis.com/archives/ntbugtraq/2002-q3/0028.html
====================================
July 30, 2002
CERT Advisory CA-2002-22 Multiple Vulnerabilities in Microsoft SQL
Server
Original release date: July 29, 2002
Last revised: --
Source: CERT/CC
A complete revision history can be found at the end of this file.
Systems Affected
Microsoft SQL Server 7.0
Microsoft SQL Server 2000
Microsoft SQL Server Desktop Engine 2000
Overview
The Microsoft SQL Server contains several serious vulnerabilities that
allow remote attackers to obtain sensitive information, alter database
content, compromise SQL servers, and, in some configurations, compromise
server hosts.
====================================
July 19, 2002
Cumulative Patch for SQL Server
Microsoft released MS02-034 ("Cumulative Patch for SQL Server"). MS SQL
Server and MSDE installations have three new vulnerabilities: a buffer
overflow in the bulk insert procedure; a buffer overflow in the password
encryption procedure; and insecure permissions on the SQL service
account registry key. The buffer overflows allow attackers capable of
running arbitrary SQL statements to elevate their SQL user
privileges and potentially execute arbitrary code.
FAQ and patch:
http://www.microsoft.com/technet/security/bulletin/MS02-034.asp
Source: Microsoft (NTBugtraq)
http://archives.neohapsis.com/archives/ntbugtraq/2002-q3/0012.html
====================================
July 16, 2002
MICROSOFT DECLINES TO USE OWN SECURITY PRODUCT
A lab at Microsoft is using a competitor's product to protect against
worms and other threats. Microsoft's SQL Labs uses NetScreen
Technologies' 500 series security appliance even though the company
sells a competing product, Microsoft Internet Security and Acceleration
Server.
(Source: ITworld.com) With over half of the Internet's Web servers
potentially vulnerable, conditions are "ripe for an epidemic of attacks"
against sites running Microsoft Corp. Internet Information Server (IIS)
or the open-source Apache Web server software, Netcraft of Bath,
England, said in its monthly Web
Server survey released last week.
http://www.idg.net/go.cgi?id=712359
====================================
July 12, 2002
Security Flaw Found In Outlook Plug-In
Users of Network Associates' PGP Desktop Security 7.0.4, PGP Personal
Security 7.0.3, and PGP Freeware 7.0.3 are being warned that the popular
encryption software contains a serious security vulnerability that could
let attackers take control of their systems, and even compromise secure
communications if the attacker
installs keystroke-logging software as part of the attack.
The flaw doesn't affect the PGP, or Pretty Good Privacy, encryption
software itself but rather the PGP plug-in for Microsoft Outlook E-mail
used to encrypt sensitive E-mail messages, according to eEye Digital
Security. Outlook users who merely select a malicious E-mail containing
carefully crafted code could find their systems hacked, eEye says. PGP
Corporate Desktop users aren't affected, according to the advisory. PGP
is widely available for download on the Web as freeware and is used by
law-enforcement and U.S. intelligence agencies.
Network Associates has made a patch available for download at
http://update.informationweek.com/cgi-bin4/flo?y=eHxD0Bce7K0V20BfJx0Af
====================================
July 11, 2002
New bug found in Outlook, IE
By Robert Lemos
Special to ZDNet News
July 11, 2002, 4:15 AM PT
A Danish security researcher warned users of Microsoft's Internet
Explorer, Outlook and Outlook Express applications that a recently
discovered software flaw could leave their system open to malicious code
carried on Web pages or in e-mails.
In an advisory released Wednesday, Thor Larholm, a security researcher
and partner at risk-assessment company PivX Solutions, warned that HTML
objects embedded in Web pages and e-mails could carry code that allows
an attacker to check out victims' cookie files, read their documents,
and execute programs on their computer.
The bug, known as a cross-domain scripting flaw, was discovered on June
25, and information about it has been posted on several security lists
since then. Larholm also informed Microsoft of the bug the day it was
discovered.
"Gunsan has spread modestly since its discovery late last month. It
deletes files needed by antivirus and firewall products (including all
files that contain mcafee, softice, numega, antivirus, anti-virus,
win32dasm, sophos, catsclaw, claw95, lockdown, symantec, firewall,
virusscan, virus-scan, fprot, f-prot, zone labs, or atguard in their
path). Gunsan *only affects Windows PCs* and can cause system
instability by deleting important system files."
NOTE: "only affects Windows PCs"
====================================
July 3, 2002
Microsoft Urges Users To Patch Commerce Server
The software maker issued a security bulletin warning of four
vulnerabilities that could enable a malicious hacker to take control of
the server.
MS SQL Server 2000 has been found to contain a buffer overflow in the
handling of the OpenDataSource() SQL function, letting an attacker
capable of running SQL queries execute arbitrary code on the SQL server
system.
From The New York Times Direct
Thursday, June 27, 2002
"Companies that sign up for Software Assurance are, in essence,
committing in advance to buying every upgrade -- without knowing whether
it will be any good, or even whether or not Microsoft will, in fact,
release any upgrades at all during the three-year contract."
====================================
June 27, 2002
Yaha-E Worm
The W32/Yaha-E worm is spreading in the wild. It arrives in an
attachment; the accompanying e-mail can have a variety of subject lines.
The worm attempts to turn off anti-virus and firewall protection.
Despite Microsoft's claims of a renewed focus on security, the
vulnerability-beleaguered company has issued 30 advisories for 40
vulnerabilities so far in 2002. While Microsoft's efforts to scour its
own code for security problems are commendable, the company is also
taking some risks by offering an automated update system and by
including new, activated features on update CDs.
MS distributes Nimda to Korean .NET developers
By Thomas C Greene in Washington
Posted: 14/06/2002 at 17:34 GMT
http://www.theregister.co.uk/content/4/25738.html
Somehow or other the Nimda worm has found its way into a file which
Microsoft is distributing to developers in Korea.
====================================
June 14, 2002
http://www.theregister.co.uk/content/4/25716.html
MS security hole extravaganza
By Thomas C Greene in Washington
Posted: 13/06/2002 at 17:58 GMT
"We've got a treat here; it seems MS has been sitting on a number of
security holes which it's decided to dump on us all at once. So, what do
you want to patch today?"
====================================
June 12, 2002
Malformed mail attribute Exchange 2000 DoS
Microsoft has released MS02-025 ("Malformed mail attribute Exchange 2000
DoS"). A remote attacker can send a malformed mail message to the target
Exchange 2000 server, which would result in a temporary CPU usage of
100%. Repeatedly sending malformed messages can result in a denial of
service attack.
GARTNER TELLS MICROSOFT CUSTOMERS TO PLAN FOR HIGHER COSTS
(Source: InfoWorld.com) Research company Gartner Group warned Microsoft
enterprise customers to review their software licensing contracts or
risk paying higher prices down the road as the software maker prepares
to make its full switch to a new licensing program.
http://www.idg.net/go.cgi?id=687834
====================================
May 23, 2002
Windows debugger is, er, buggy
By John Leyden
Posted: 23/05/2002 at 09:08 GMT
Microsoft has admitted that its Windows debugging facility is itself
subject to a security bug.
In an advisory issued yesterday, Microsoft admitted the authentication
mechanism for the debugging facility is flawed in a way that allows
unauthorised programs to gain access to the debugger.
The upshot of this is, providing an attacker can log-in to a target
machine - and that's a big if - a cracker can screw your Windows box six
ways to Sunday.
====================================
May 22, 2002
Researchers Say Microsoft Patch Doesn't Do Its Job
Research indicates that the patch released for the six holes in
Microsoft's IE browsers 5.01, 5.5 and 6.0 only addresses the cross-site
scripting vulnerability in one of the browser versions, and leaves
another vulnerability unaddressed altogether.
The JS.Fortnight worm places an HTML file into the default signatures of
e-mail sent through Outlook Express; the worm attaches a link to an
adult site to all the outgoing Outlook e-mail. It also changes the
browser's home page, and adds sites to the favorites list.
The worm affects Windows 95, 98, NT, 2000, ME and XP.
Original release date: May 10, 2002
Last revised: --
Source: CERT/CC
A complete revision history can be found at the end of this file.
Systems Affected
Microsoft Windows systems with one or more of the following:
Microsoft MSN Chat control
Microsoft MSN Messenger 4.6 and prior
Microsoft Exchange Instant Messenger 4.6 and prior
Overview
Microsoft's MSN Chat is an ActiveX control for Microsoft Messenger, an
instant messaging client. A buffer overflow exists in the ActiveX
control that may permit a remote attacker to execute arbitrary code on
the system with the privileges of the current user.
I. Description
A buffer overflow exists in the "ResDLL" parameter of the MSN Chat
ActiveX control that may permit a remote attacker to execute arbitrary
code on the system with the privileges of the current user. This
vulnerability affects MSN Messenger and Exchange Instant Messenger
users. Since the control is signed by Microsoft, users of Microsoft's
Internet Explorer (IE) who accept and install Microsoft-signed ActiveX
controls are also affected. The Microsoft MSN Chat control is also
available for direct download from the web.
II. Impact
A remote attacker may be able to execute arbitrary code with the
privileges of the current user.
====================================
May 6, 2002
Microsoft's Trojan Horse
Microsoft's digital rights management technology gives the software
giant unprecedented control over end user content, argues guest
columnist Curtis Karnow.
Microsoft released MS02-020 ("SQL extended procedure overflows"). SQL
server 7.0 and 2000 contain buffer overflows in various extended
procedures, thereby allowing an attacker who can submit queries to
the database to execute arbitrary code on the SQL server.
FAQ and patch:
http://www.microsoft.com/technet/security/bulletin/MS02-020.asp
Source: Microsoft
====================================
April 29, 2002
John Dvorak: "There is something terribly wrong with this operating
system."
Microsoft Internet Explorer Self-Referential Object Denial of Service
Vulnerability
BugTraq ID: 4564
Remote: Yes
Date Published: Apr 20 2002 12:00A
Relevant URL:
http://www.securityfocus.com/bid/4564
Summary:
Microsoft Internet Explorer 6 (perhaps other versions as well) is
vulnerable to a denial of service due to an error in handling certain
self-referential