
Time to Take Advantage of Microsoft’s Vulnerabilities

The iron is hot. Microsoft has been caught.

This time I think it’s going to cost them dearly. Several years back they might have been able to wiggle out, but now their reputation is already tarnished. Soon we’ll see governments and the enterprise move away from Windows, Office and other Microsoft products, especially outside the U.S.

It wasn’t news to most of us in the FOSS world that Microsoft was one of the companies shoveling information over to the NSA’s project PRISM. As much as we’d like, we can’t fault them any more than anyone else in that sordid affair. Only Yahoo comes out with any degree of redemption, since they at least bothered to go to court to try to stop the No-Such-Agency guys.

Nor were many of us surprised to discover Microsoft was making it easy for U.S. spooks to monitor traffic on Skype. That news probably damaged the folks in Redmond a little more than the plain vanilla NSA/PRISM story, but there was still some wiggle room for Ballmer. It started before Microsoft’s ownership. My people hardly knew what was going on. We’ll fix it. Yadda. Yadda. Yadda.

The latest news though, which so far seems to have little to do with the NSA scandal but plenty to do with espionage, might be a Windows breaker. Ballmer & Friends might not be able to squirm their way out of this, especially if the commercial GNU/Linux players get in gear and get moving.

I’m referring to a story we first reported in Friday’s Week in Review after we saw it in Bloomberg. It appears that Microsoft has been giving information about unpatched security vulnerabilities in Windows and other MS software to U.S. intelligence agencies and the military. The information has then been used to patch government computers and to attack computers under the control of suspected terrorists and military foes. While there’s certainly nothing wrong with the former use, the latter will undoubtedly be problematic for Microsoft now that the information is public knowledge.

For one thing, this is sure to awaken some old fears.

The Microsoft sign at the entrance of the German Microsoft campus. Photo courtesy of Wikimedia Commons.
A decade or so ago, some governments, especially China, were wary of putting all of their computing eggs in the Microsoft basket. Many countries, especially those with somewhat adversarial relationships with the U.S., worried that Microsoft might have installed secret back doors in their software that could be used by the U.S. government to surreptitiously collect data. The closed source nature of Microsoft products would make it very difficult to discover any back doors that existed.

The problem grew so great that Microsoft eventually allowed some of their source code to be inspected by foreign governments, which was a radical departure from their normal policies. Oddly, even though they evidently only opened bits and pieces of code, the ploy was successful. Foreign government IT specialists looked over source material offered up by Microsoft, deemed it to be safe enough for government work, and the issue went away.

I suspect the issue will be returning to the table, now that they realize what they really needed to see wasn’t source code but security vulnerabilities and Microsoft’s policy for dealing with them. Many government clients are obviously going to see this as a betrayal of trust. Here they’ve been trusting Microsoft with their most sensitive data only to discover that their trusted friend Steve Ballmer has been handing over the keys to their computers to the U.S. spook community.

But not only might these old fears rise anew. There are other clients who might now take a second look at their dealings with Redmond as well.

Indeed, Microsoft might see more losses coming from losing foreign business clients than from the loss of foreign governments. As we noted in our “Week in Review,” part of the job of the U.S. government is to protect and to aid the economy, so it would not be entirely unreasonable to suspect that our officials unofficially do a little snooping for the benefit of Boeing or GE. I have no doubt that big foreign-based corporations who compete directly with key U.S. companies, Airbus for instance, have already placed a phone call or two to Redmond demanding answers and reassurances. No matter what Ballmer told them, I doubt they’re very reassured.

GNU/Linux stands to gain from the situation, if the big Linux players don’t sit on their hands and let this opportunity pass. Even if we had nothing else going for us, we could gain just from the fact that we’re “not Microsoft,” meaning we have no previous betrayal of trust issues to overcome.


Of course, we bring much more to the table than the fact we have no history of being untrustworthy. Most pertinent, in this case, is the openness that’s built into our very licensing model. Our source code is there, in human readable form, in its entirety, for everyone to see. Governments, corporations, OEMs, even lowly folk like you and me, can inspect every line of code and see there are no back doors or hidden intelligence gathering applications.

If I were Jim Whitehurst, I’d have every salesperson I could muster wearing out shoe leather and burning up the phone lines making sales calls today on every Windows-based company or organization whose business I’d ever tried, and failed, to get. I’d have them explaining every Windows migration plan in the Red Hat arsenal, with reassurances that right now, at this moment, my developers in Raleigh are working on even better migration tools which will be rolled out shortly.

Ditto for Canonical, which can take advantage of being a UK-based corporation, with direct ties to South Africa, and no overly direct links to the United States. SUSE can also push their German location as an asset, in spite of their U.S. ownership.

It’s not just companies that develop and maintain Linux distros that can benefit from Microsoft’s faux pas. IBM, especially, is a major Linux player, even though by choice they don’t manage their own distribution. They can easily leverage their vast knowledge of Linux and open source enterprise software and combine that with their hardware offerings to offer the enterprise and governments alike attractive solutions that don’t include Redmond.

It’s also likely that players such as HP and Dell will jump aboard the bandwagon to play the we-can-move-you-away-from-Windows card.

At the same time, it wouldn’t surprise me if none of this happens. Why? Because our window of opportunity is narrow and companies, such as Red Hat, which stand to gain must begin working to widen it fast. If the hot iron isn’t struck, it will grow cold and the situation will blow over.

History is filled with examples of missed opportunities.

11 Comments

  1. Ihsan June 25, 2013

    GLAD I’m using Linux! Windows’ new Security Essentials may probably have a few hundred purposeful vulnerabilities as well. Doesn’t anyone else think so? Who’s going to trust Microsoft anyway after this? AND they’ve bought over Skype!

  2. Mike Frett June 25, 2013

    In the Mobile world, Microsoft is barely a dot. They really don’t have much anymore and I hope what they do have shrinks to infinitesimal levels; it would be more than they deserve.

    For me, my friends and my family, Microsoft is last year’s news. We’ve all converted to Linux.

  3. Dietrich Schmitz June 25, 2013

    Linux’s single biggest strength is ‘Transparency’.

    None of the shenanigans which go on with proprietary Windows can go unnoticed in the open source world.

    Code gets reviewed with the scrutiny of a proctologist and that ensures the Linux will remain safe.

    At least no back-doors.

    Still Linux has been written with security in mind from the get go.

    Provided you’re staying in the gpg-keyring protected repository system of your Distro, you can be assured none of the Apps you get are ever tampered with (i.e., no trojan-laden games).

    The other benefit is that provided your Linux kernel is 3.5 or greater, Google Chrome employs the latest kernel security feature: seccomp-bpf.

    (Some Distros have backported this feature, Ubuntu has it beginning in 12.04 which uses a 3.2 kernel.)

    You can check the status of your Chrome seccomp-bpf sandbox by typing the following from your Chrome omni-box:

    chrome://sandbox

    It’s practically impossible for any exploit to escalate to gain administrative control of your system.

    And, pwnium 2013 proved that.

    And, if you use Distros like Fedora or Ubuntu, they also come equipped with SELinux and AppArmor respectively, the latest sandboxing technology.

    Be safe with Linux. Windows 8.1 x86 Legacy is a colander.

    –Dietrich

  4. freeweaver June 25, 2013

    Hi Dietrich,

    I feel compelled to point out that this has never been about malicious attacks from 3rd parties, whether it’s the NSA or not, but about data retention. At least not from our lowly perspective. Indeed, even this article is stating as much, albeit indirectly.

    Sure, the NSA can and obviously does break into computers through freshly discovered bugs, but not even they have the manpower to sift through hundreds of millions of *personal* computers individually. In order to get that information they go for the big players, where breaking and entering results in the biggest ROI. Hence, they have the 9 biggest data collecting corporations in the world lined up for the milking. A fact and insight that could not possibly have been missed by yourself of late.

    Yet, you suggest moving to ChromeOS, which, wait for it… **is run by the BIGGEST data collector in the world** – Google, you know, one of the 9 companies that has no choice but to give its data to the NSA.

    Whats worse though is that unlike just plain old GNU/Linux distributions, ChromeOS is set-up *SET-UP* to use GOOGLE SERVICES. Also, ChromeOS is not a community driven distribution and as such does not have the natural safeguards community driven distributions have. Sure, the sandboxing might be good, but that is NOT THE PROBLEM HERE!

    What in the world are you thinking? Your suggestion is exactly the opposite of rational. In fact I’m so annoyed at your ignorance spreading that I’d like to see Fossforce do the same to you as you have done to others on your own blog. (not me by the way)

    I’m really very interested in your response Dietrich.

  5. Dietrich Schmitz June 25, 2013

    @freeweaver
    I am not only a Linux Advocate, but also a staunch security and privacy advocate.

    Take what I say about ChromeOS with a ‘grain of salt’.

    I mentioned it in passing from the standpoint of security. No one could pwn it.

    If you’d like to find ‘backdoors’ in ChromeOS, stop by the Chromium website and download the entire operating system and peruse the source code.

    Of course, you and I won’t do that, but that’s Transparency in action.

    The issue of on-line privacy is an issue, but a separate matter.

    I feel strongly (and have written on my site – I won’t backlink out of respect to Christine) about Google’s failed policy on Google Drive. Stop by and read it.

    In fact there are many stories you can read which, when taken in totality, will give you a clearer perspective on where I stand on privacy.

    Rule of thumb for the general public which parallels what we do in the physical world:

    o Don’t discuss anything you don’t want repeated or used against you
    o Don’t wear a ski mask and expect to be treated without suspicion
    o Put anything you want to keep private for your eyes only under ‘lock and key’ securely stowed away.

    That’s common sense. And it applies to the Internet.

    Yet it is not observed.

    o We use clear text email. I wrote a recent story on that taking issue with remedies.
    o Google Drive and other ISP Cloud storage services which aren’t using Zero-Knowledge Encryption should not be used for anything you wish to keep private
    o Don’t discuss private matters in social circles as most (Facebook, Google, Myspace, !Yahoo) portals’ privacy policies do allow for sharing part or all of your activity streams.

    Those are my quick thoughts for you. I could go on ad nauseam. But won’t.

    — Dietrich

  6. Mike June 25, 2013

    Unfortunately, the NSA itself has helped develop lots of code, including large portions of SELinux. There’s no telling what might be hidden in the countless lines of code, and what sophisticated techniques may be used to obscure it.

  7. Dietrich Schmitz June 25, 2013

    @Mike
    That’s a strawman argument. Unsupported without evidence.

    Obfuscated code? That would never reach the kernel git mainline.

  8. Andrew June 26, 2013

    > None of the shenanigans which go on with proprietary Windows can go unnoticed in the open source world.

    Well that’s certainly not true.

    > Code gets reviewed with the scrutiny of a proctologist and that ensures the Linux will remain safe.

    So with that sort of scrutiny we would never miss anything from kernel 2.6.37-3.8.8 right?

    http://www.h-online.com/open/news/item/Exploit-for-local-Linux-kernel-bug-in-circulation-Update-1863892.html

    Oh.

    > At least no back-doors.

    None? Ever?

    http://www.metasploit.com/modules/exploit/unix/irc/unreal_ircd_3281_backdoor
    http://www.omgubuntu.co.uk/2009/12/malware-found-in-screensaver-for-ubuntu

    Oh.

    > Still Linux has been written with security in mind from the get go.

    Yet there is never room for complacency.

    > Provided you’re staying in the gpg-keyring protected repository system of your Distro, you can be assured none of the Apps you get are ever tampered with (i.e., no trojan-laden games).

    No, you can be assured that the maintainers have done their best – but you can not be assured that there is absolutely no way all apps are audited by every maintainer because they don’t have time to do that.

    To be fair most code is audited upstream, but you can’t blindly trust that nothing will ever go wrong because it can.

    http://www.unrealircd.com/txt/unrealsecadvisory.20100612.txt

    > The other benefit is that provided your Linux kernel is 3.5 or greater, Google Chrome employs the latest kernel security feature: seccomp-bpf.

    As long as there are no more local root exploits this is a good thing. The latest one lived in the kernel from Oct 12, 2009 to March 14, 2013. It was so potent that SELinux could not block it (https://bugzilla.redhat.com/show_bug.cgi?id=962792#c15). Fortunately you could work around the bug with SystemTap once it became known – but how long was it there before it was known?

    Right.

    > (Some Distros have backported this feature, Ubuntu has it beginning in 12.04 which uses a 3.2 kernel.)

    Security features don’t matter if you can go around them with relative ease.

    > You can check the status of your Chrome seccomp-bpf sandbox by typing the following from your Chrome omni-box:

    > chrome://sandbox

    > It’s practically impossible for any exploit to escalate to gain administrative control of your system.

    Until an exploit surfaces again that makes it easy.

    > And, pwnium 2013 proved that.

    pwnium proved little, really. If I were a bad person who had a collection of vulnerabilities that I was using to exploit people, do you really think I would use them to win a medal? Which would be the more lucrative proposition?

    > And, if you use Distros like Fedora or Ubuntu, they also come equipped with SELinux and AppArmor respectively, the latest sandboxing technology.

    See my note earlier about how helpful SELinux is in the event of a local root exploit in the kernel. Yes, these tools help protect a system – but they are just contributors to a defense in depth strategy.

    > Be safe with Linux. Windows 8.1 x86 Legacy is a colander.

    Be safe by learning to protect yourself, as any operating system can be vulnerable to attack. There is no excuse for complacency, and no truly security- or privacy-minded person would simply say they are secure “because Linux”.

  9. Andrew June 26, 2013

    FOSS Force, any way we can edit comments to correct grammar mistakes? I really butchered that one (not enough caffeine). XD

  10. Eddie G. June 28, 2013

    Well in my humble opinion, I would have to say that M$ has always been a company that has “suffered” from lots of security leaks, and while the old mantra is true: “If someone can build it….someone can BREAK it”…I would still give a more confident nod to Linux. Granted there are flaws and glitches, and all kinds of “things-that-can-go-wrong” when it comes to Linux, and the various distributions do nothing to alleviate the fears of a first timer, but having been on Linux since 2002, and learning the ins and outs of the different distros, I feel confident in saying Linux is quite a bit more secure than M$. Also it’s a bit of a dilemma that a lot of people I know use Chrome as their browser touting speed and security, but for my needs it just doesn’t work for me. I will stick with FF, Epiphany, and Midori; they have served me well, work as needed, when needed, and do not give me headaches or problems when it comes to Flash, Java, and whatnot. I am not a fan-boy, but I DO recognize “good work” and the guys and gals who crank out the Linux distros on a weekly, monthly, or yearly basis deserve accolades for their efforts, which are quite impressive!

  11. Peter June 30, 2013

    Christine & All,

    Thank you so much for this timely article as well as the (the well-thought-out I mean) comments of fellow readers.

    There is one VERY critical issue unaddressed by this article which *needs* to be pointed out, which is/was ADVAPI.dll (early vers in c:\windows\system) and is now ADVAPI32.dll in c:\windows\system32. This is critical, and a very thorough explanation from Heise Security (and old! This is from 1999!) can be found at (link vetted as safe): http://www.heise.de/tp/artikel/5/5263/1.html

    So MS has been doing this since late 1995 and it has been built in to every OS of Redmond’s ever since. I (although being an infosec geek) don’t think I qualify for the ‘tin-foil-hat crowd’, but this piece of (very) old news lends all the credence needed for Windows, in any iteration, to be properly, concisely and beyond reasonable doubt qualified as malware.

    End of story. Good-bye MS; can’t say it’s been fun.

    -Peter
