
The Beast of Redmond

  • 18-10-2001 1:47pm
    #1
    Registered Users Posts: 16,404 ✭✭✭✭


    Two interesting stories about M$ recently...

    First off they're giving out about security sites:

    It's time to end information anarchy

    http://www.microsoft.com/technet/treeview/default.asp?url=/technet/columns/security/noarch.asp
    Code Red. Lion. Sadmind. Ramen. Nimda. In the past year, computer worms with these names have attacked computer networks around the world, causing billions of dollars of damage. They paralyzed computer networks, destroyed data, and in some cases left infected computers vulnerable to future attacks. The people who wrote them have been rightly condemned as criminals. But they needed help to devastate our networks. And we in the security community gave it to them.

    It's high time the security community stopped providing blueprints for building these weapons. And it's high time computer users insisted that the security community live up to its obligation to protect them. We can and should discuss security vulnerabilities, but we should be smart, prudent, and responsible in the way we do it.

    And it's high time Microslop copped the fuck on and stopped shipping crap bug-ridden excuses for server applications and learned how to apply their own updates and patches (Hotmail servers downed cos of CodeRed, etc).

    And now to round 2:

    Microsoft.com error reveals IDs, passwords

    http://techupdate.zdnet.com/techupdate/stories/main/0,14179,2818129,00.html
    "The site that generated the error is being built using the beta version of Visual Studio 7.0. The programmers have also enabled detailed error dumps. The only code that I see that relates to Passport is for the purpose of checking whether the user currently has a valid session. The database information is for the local site's databases. The information includes the database server name, database names, username, and password for accessing the data."

    Is Microsoft really building production Web sites with beta versions of its development tools? I understand the need to stress test its own products, but building production systems with beta tools isn't exactly the sort of practice that breeds confidence.

    (Although some Microsoft detractors would argue that all Microsoft software, shipping or not, is beta.)

    /me sighs ...

    Comments on a postcard to the usual address...

    Al.


Comments

  • Registered Users Posts: 21,264 ✭✭✭✭Hobbes


    heh heh, I laughed when I read MS report. :D


  • Registered Users Posts: 16,404 ✭✭✭✭Trojan


    Hey guess what?! Another Microsuck story.... it's also a privacy one to get that idea off the mark...

    Basically if Office XP crashes ... trying in vain to hold back the laughter -- "if" :) ... ok, where were we? Oh yeah, the 4 times an hour Office XP crashes on you, it's gonna be sending either a part or the entire document you're working on back for Bill to have a read of, disguised as a bug report... entire article follows... one question I do have: if CompanyX's "confidential eye-only super-dooper" business plan gets shipped over the wire back to M$ without their knowledge, aren't they entitled to sue?

    Office XP hole compromises personal data

    Companies using Microsoft Office XP and Internet Explorer version 5 have been warned that documents containing personal information could be sent to Microsoft along with debugging information in the event of a program crash.

    The Error Reporting feature sends crash and debug information back to Microsoft to help the company detect and fix bugs in its software. But the US Computer Incident Advisory Service (CIAC) has released a security bulletin claiming that the debugging information contains a memory dump, which may include all or part of the document being viewed or edited.

    "If a sensitive document is resident in the memory dump, this could be sent to Microsoft," said Graham Cluley, senior technology consultant at antivirus firm Sophos. "This is not a serious problem but an interesting foible."

    The CIAC bulletin states that the Error Reporting function is configured to "automatically" send debugging information to Microsoft, and claims that the relevant dialogue box does not make it obvious that the contents of the document being edited may be sent along with information about the programme crash.

    But Microsoft contests that the reporting function asks for user permission before any information is forwarded, while additionally offering the option of turning the feature off from all company desktops.

    "We make it clear to customers that when a problem occurs, their Digital Product ID and Internet Protocol (IP) address will be sent to us," said Neil Laver, Windows marketing manager. "The report could also contain customer-specific information which could be used to identify a person's identity, but will not be used." Microsoft additionally claims that it limits the number of people who have access to the bug reports.

    The Error Reports are sent via a standard security protocol, which is sufficient in protecting confidentiality, according to Microsoft.
    "This encrypts data sent over the Internet, but not the document," Laver clarified.

    Cluley thinks it unlikely that many companies will be sending bug reports over the Internet, but warns that, "whenever any kind of communication takes place on the Internet, there is always the opportunity for people to intercept it."

    ok, that's enough Microcrap bashing for me today.

    Al.


  • Closed Accounts Posts: 5,564 ✭✭✭Typedef


    hehehe
    Office Xp

