About | Buy Stuff | News | Products | Rants | Search | Security
Home » Resources » Rants

No Flaw

Week of November 23, 2004

They know best!

Microsoft, Windows XP Service Pack 2, and that paragon of software engineering excellence Internet Explorer have been hit again.

In a no-brainer effort to bypass the incredible lock Microsoft now have on security, security firm Finjan managed to get Bad Stuff™ onto a Microsoft computer with Advanced Security Technologies.

Microsoft's response? The Finjan claim was 'misleading and possibly erroneous'. Which everyone should take at face value, as Microsoft know more about security™ than anyone else in the world™.

Why is there no authentication and access control on the very folder that ensures the survival of malicious software on the host machine?

But on 22 November the French K-otik followed the impolite lead of Finjan by publishing the actual code needed to make the exploit work.

Microsoft's response? The claim is still 'misleading' because 'significant user interaction and user interface steps have to occur before any malicious code can be executed' - and again, everyone should take the truth of these words for granted, as Microsoft know more about security than anyone else in the world.

But didn't K-otik and Finjan demonstrate it was possible to bypass the impregnable defences of Fortress Windows? Yes they did. What did Microsoft say about that?

'Microsoft is investigating this method of bypassing the Internet Explorer download warning and will take appropriate action to cover this scenario in order for customers to be properly advised that executables downloaded from the Internet can be malicious in nature.' [sic]

Ah. And to whom is the above quote attributable? Microsoft are not saying. It's another one of those 'anonymous' quotes. Open source - you never know who writes it; Microsoft - you never know who says it.

But there's a catch - and with Microsoft there always is: the 'hack' places an executable in the Windows Startup folder. [<-- Read that again and shake the clue tree.]

Microsoft's response?

'The user must go to the folder containing that executable and choose to run it, or log off and log back onto the computer if the attacker attempted to save the malicious executable into the user's Windows start-up folder.'

Bloody brilliant. But it gets better.

According to Microsoft, this is not a security vulnerability - it's only clever social engineering.

According to Microsoft.

But perhaps this is why so many people have had so many difficulties with so many Microsoft programs for so many years: Microsoft truly and unbelievably enough do not get it.

For why is there no authentication and access control on the very folder that ensures the survival of malicious software on the host machine?

Security pro Richard Starnes told CNET that legislation should be used to force Microsoft to take matters seriously - despite their impeccable record in protecting their customers - legislation that can make Microsoft legally (financially) liable.

'I wonder how solid Microsoft's coding would become if strategic governments around the world removed the liability shield that software manufacturers now currently enjoy. They would then have some real financial incentive to get it right the first time, instead of this Computer Science 101 coding they are continually churning out. Most commercial releases of software today wouldn't have made it out of beta 20 years ago.'

True - but 20 years ago was 1984: the Macintosh had just come to market; Steve Jobs was on his way to Redwood City; Linus was still in high school; and it would be 7 more years until he asked for advice and help with his Unix/Minix rewrite.

And Microsoft were still a bunch of small-time wankers and crooks in a high-rise in Seattle, with the first release of their wannabe Windows a whole year off.

About | Buy | News | Products | Rants | Search | Security
Copyright © Radsoft. All rights reserved.