In most parts of the world, the Microsoft EULA is not enforceable.
Most users don't buy their software from Microsoft, either. It's
preinstalled on their PC, and Microsoft disclaims any support.
NOTE: This has nothing to do with ISPs.
Also, there is somewhere in the neighborhood of > 65M MS hosts
"out there" that are either illegally or improperly licensed, and
which cannot use Microsoft Update (due to the Genuine Advantage
While they can download each patch individually through a series
of acrobatic exercises, this sorta contributes to the whole
end-system compromise problem.
Again, not that this has much real bearing on the discussion, but
figured I'd toss that into the mix.
- ferg
p.s. I forget exactly where the >65M figure came from, but I'm pretty
sure it was Microsoft a few months back...
At the prior ISOS conference in Redmond, Microsoft made assurances even systems failing Genuine Advantage verification can enable automatic updates to obtain critical updates. One of the attendees remarked privately this automation works only for English versions of XP. : (
With vulnerabilities created by Microsoft, such as:
- cloaking files and processes
- cloaking shell script extensions (even when show enabled)
- requiring scripts for basic browser functionality
- preventing removal of their exploitable browser
- inadequate provisions for temporary privilege escalation
- unfortunate network defaults
- reliance upon perimeter security
It seems such negligence might make Micos0ft vulnerable to class actions, especially from ISPs bearing the brunt of related support. With the FBI recommendation, another very deep pocket might be added.
The paper provided by Google should give anyone cause.
"A popular exploit we encountered takes advantage of a
vulnerability in Microsoft’s Data Access Components that
allows arbitrary code execution on a user’s computer.
The following example illustrates the steps taken by an adversary
to leverage this vulnerability into remote code exe-
• The exploit is delivered to a user’s browser via an
iframe on a compromised web page.
tiveX object that is not normally safe for scripting.
trieve an executable.
• Adodb.stream is used to write the executable to disk.
• A Shell.Application is used to launch the newly written
* Douglas Otis:
At the prior ISOS conference in Redmond, Microsoft made assurances
even systems failing Genuine Advantage verification can enable
automatic updates to obtain critical updates. One of the attendees
remarked privately this automation works only for English versions of
XP. : (
Yeah, I couldn't install the latest security update today; I was
forced to run WGA first. I have to admit that I didn't try very hard
to bypass it since WGA was already installed on that machine.
Microsoft has been quite successful in associating security updates
with piracy. Perhaps not at a technical level, but definitely in
people's minds. 8-(