  technofile
Al Fasoldt's reviews and commentaries, continuously available online since 1983

More security leaks in Windows, and more Alice in Wonderland talk from Microsoft


Oct. 31, 1999

By Al Fasoldt
Copyright ©1999, Al Fasoldt
Copyright ©1999, The Syracuse Newspapers

    Microsoft's Swiss-cheese Web browser made history again last week. A European free-lance security expert demonstrated how anyone on the Internet can break into your computer and read your files whenever your PC is on the Web.
    The revelation about the latest security holes in Internet Explorer was announced by Bulgarian bug hunter Georgi Guninski. It was confirmed within a few hours by Microsoft itself. The company had no immediate fix but said it was working on the problem.
    Microsoft insists the latest bug isn't as bad as the one reported the previous week, because this one doesn't let strangers delete files. All they can do is read them.
    You heard it right. Microsoft says gaping holes in the security of your PC aren't as bad as you might think, as long as the people who stick their noses into your personal files don't delete them.
    I'm not making this up. Here's part of the actual statement from Microsoft: "This could allow a malicious web site operator to read the contents of files on visiting users' computers, if he or she knew the name of the file and the folder in which it resided. The vulnerability would not allow the malicious user to list the contents of folders, create, modify or delete files, or to usurp any administrative control over the machine."
    This is bizarre.
    Microsoft says the bad guys who break into your PC can only read the contents of a file if they know where the file is and what it's called. Guess what? Of course the bad guys know where the files are. Of course they know what they're called. Doesn't Microsoft know this?
    Windows has hundreds and hundreds of files with specific names that do not vary from PC to PC, all in the same locations on every Windows computer. I know exactly where your computer stores all sorts of important configuration files. I know exactly where your PC lists all the Web sites you've visited over the last seven days. (Are you worried yet?) I know where it keeps your passwords. (Are you finally nervous about this?)
    I know these things because I know how Windows works. Imagine all the extra stuff I might know if I spent my free time breaking into computers.
    This gets better. The flaw, Microsoft says, won't let someone "usurp any administrative control over the machine."
    This is nonsense for two reasons.
    First, if I break into your house but your car is locked in the garage, I can't steal your car. But if I break into your house and then steal the car keys that are sitting out in plain sight on the kitchen table, I can then steal your car. You know that and I know that. Which does Microsoft need, a lesson in English or a lesson in life?
    Anyone who breaks into your computer can do anything at all - I mean take-your-pick anything, do-what-you-want-with-me anything - just by looking up the appropriate information and using it in nefarious ways. If I steal your Internet passwords, I can steal you blind. If I know how to masquerade as you, I can do anything I please with your computer and your Internet account. I can even do all sorts of bad-guy things while masquerading as you, and you'll get blamed.
    Think I'm exaggerating? If I could break into your computer just once, really quickly, while you're visiting a Web site, I could steal a smidgen of information. I could then use that information to break into your computer on a more massive scale another time. And I could do anything I want to get you in trouble. I could dump kiddie porn pictures into your hard drive and then call the cops on you. I could make it seem like you were stealing credit card numbers by copying a few hundred stolen ones into your maze of Windows system folders, where you'd never see them.
    Think about it.
    Second, remember what Microsoft said. It used the phrase, "usurp any administrative control." Get this: Microsoft is claiming that Windows has some sort of administrative control. But Windows doesn't have any such thing. Ask anyone who is in charge of a large office network system. Windows has no security and no control at all. I can walk up to a Windows PC and break into it in less than 30 seconds, even if it has a password.
    This Alice in Wonderland approach to computer security is making Microsoft the butt of jokes throughout the computer industry. But Microsoft hasn't fixed Windows yet. It can afford to pay talented engineers a lot of money to find the same kind of security gaps that Bulgarian hackers can find. It can do this. You know it can.
    But Microsoft isn't doing it. Microsoft's standard way of dealing with complaints about Windows 95 and Windows 98 is to tell all of us to upgrade to Windows 2000 when it comes out next year.
    Will Windows 2000 solve these security bugs? Will it make Windows act like a trustworthy operating system?
    I don't know. Microsoft's track record is so bad that only a dunce would believe what the company is saying without evidence to back it up. Windows 2000 is going to be almost two years late, so the company might be doing the right thing and holding it back to fix bugs and security leaks.
    Or it just might be facing the same delays that made Windows 95 so late. When Windows 95 finally came out, it was buggy and had no security, and Windows 98 is the same way.
    If you want to jump into Windows 2000 early, you can order a beta version from Microsoft. That's a version that's not finished. And one that's not guaranteed.
    Come to think of it, that describes Windows 3.1, Windows 95 and Windows 98, too. Some things never change.