Update: I'm not as frothing-at-the-mouth against Microsoft as I used to be. Heck, I even started using Windows 2000 because I finally thought Microsoft had a stable, powerful enough operating system that I could have almost as much power as I had under Linux. Now Microsoft is even admitting their operating system has bugs and releasing frequent fixes, something they never did in the early days. That kind of honesty surprised me and I'm softening up to them. Maybe they don't suck after all. Maybe this page can be a snapshot of what Microsoft used to be like. Maybe. Just maybe. - Tue Sep 16, 2003

Why Microsoft Sucks

This is an informal hodge-podge of anecdotal information lending credence to the hypothesis that Microsoft is a disgraceful, unreliable, dishonest company. And sometimes just plain bone-headed, too. Most of the information is actually from the moderated USENET newsgroup comp.risks, which is a reasonably reliable source of technical information.

FLASH! The "Halloween" Documents, a collection of leaked internal Microsoft memos from late 1998, are self-testimonials to the dishonest tactics this company normally uses, written in response to its deep fear that Linux and other Open Source software might blow Microsoft out of the water over the next few years.

First, some links to other people who agree with me.

Other "Microsoft Sucks" links

This is just a very small sampling of the pages around the world that already have the title "Microsoft Sucks". A much more extensive and up-to-date list can be generated by going to Google and searching for the string "Microsoft sucks". I'm not sure why I was surprised at the number of pages that already exist on the topic...
Survey proves: Microsoft sucks 14.77 times as much as Apple sucks

My list of examples of why Microsoft sucks

RISKS DIGEST 18.64
Date: Mon Dec 02 14:47:15 EST 1996
From: Tim Panton
Subject: Web-based auto update of Microsoft's Java support

[Here is a frightening snippet from Microsoft's website. I'm not sure I understand the full implications of it, but I don't doubt that there are risks involved.]

http://www.microsoft.com/java/sdk/getstart/javac007.htm :

Updating the Java Support on a User's Machine

If you are placing an applet that uses COM on an HTML page accessible from the Internet, you must ensure that any users who encounter that page have a version of the Java Support for Internet Explorer that fully supports Java/COM integration. To do this, you must insert the following tag on the HTML page containing your applet (or on the introductory page of your Web site):

This tag causes the user's Internet Explorer to check the version of its Java support. If the version installed on the user's machine is not up-to-date, Internet Explorer downloads the latest version of Java support from http://www.microsoft.com and updates the user's machine.

- - - -

The potential risks are endless. Say I know of a security hole in a specific version of IE; I can automatically get visitors to my website to install it, then attack them through the hole.

Some questions:
Does it ask the user first?
Can I force a 'down'grade, i.e., install an older version?
What happens if the user uses two sites that require different versions?
Is the code signing strong? (i.e., stronger than MS's CD keys?) Can I fake a CAB file?

Tim Panton, Westhawk Ltd, Frederik Hendriklaan 89, 2582BW Den Haag.
The Netherlands. tpanton@ibm.net +31 6 5348 1795 http://www.westhawk.co.uk

**************************************************************************

RISKS DIGEST 18.65
Date: Tue, 3 Dec 1996 13:25:24 -0500
From: Bob.Price@cwi.cablew.com
Subject: MS-Access Runtime trashes WFW

Unless especial pains are taken, 16-bit MS-Access runtime disks made on a Windows-95 machine with 16-bit Access will cause near-irreparable harm when installed on a WFW or Windows 3.1 machine. The reason is that some 32-bit system .DLLs are copied to the distribution diskettes (or network distribution set) along with the 16-bit files, and because the 32-bit files have the same names as the 16-bit files, the 16-bit platform no longer works properly.

I'm told the official Microsoft paper on the subject says to format the hard drive and re-install everything. I was able to "recover" by upgrading to Windows-95; others have had success ferreting out the specific files and replacing them. Reinstalling WFW didn't fix anything.

Bob Price, Cable & Wireless Inc. bobp0303@hotmail.com (703)760-3071

**************************************************************************

RISKS DIGEST 18.80 (Sat Feb 01 19:07:45 EST 1997)
Date: Fri, 31 Jan 1997 12:51:38 -0800
From: Geoff Kuenning
Subject: Spelling checkers and inconsistent interfaces

A posting on the Orchestra List once again highlights the RISKS of inconsistent interfaces:

> From: Symph@uwyo.edu (Michael T. Griffith)
> To: orchestralist@hubcap.clemson.edu (ork)
> Subject: spellcheckers
> ...
> I know some of you have been amused (at best) by my spellchecker episodes
> in the past few weeks (Hindemith came out as Hindmost was the worst). If
> you're interested, I've discovered the problem, and will share it with
> Microsoft Mail users out there.
>
> In MS Word, if the spellchecker highlights a word it doesn't know, like
> Hindemith, you can click on "add" and it puts Hindemith into its dictionary
> ...
> In MS Mail, if it highlights a word it doesn't know, and you click on "add,"
> it puts the highlighted correction it offered into the dictionary as a
> permanent correction. Since "Hindmost" was the first offered correction, it
> permanently noted that every time I type Hindemith, it would substitute
> Hindmost.

So in one interface, "add" means "add this word, as-is, to the dictionary." In the other, "add" means "add this suggested replacement to the dictionary and never ask me again."

Incidentally, ispell users have been asking for the latter feature for years, but I have stubbornly refused because I think that automated replacement is far too RISKy to trust a computer.

Geoff Kuenning g.kuenning@ieee.org geoff@ITcorp.com http://fmg-www.cs.ucla.edu/geoff/

[Hindemith wrote "Mathis der Maler". Hindmost wrote "MS der Mauler", seemingly applicable in English (one who mauls). Although not quite echt deutsch, there are several potentially pertinent interpretations as well. PGN]

**************************************************************************

RISKS DIGEST 18.84 (Fri Feb 21 19:04:08 EST 1997)
Date: Fri, 21 Feb 1997 11:46:11 -0800 (PST)
From: fc@ca.sandia.gov (Fred Cohen)
Subject: Re: MS on the CCC ActiveX virus (RISKS-18.83)

Re: SBN Wire: News Flash, Brad Silverberg

> You may have heard reports about a malicious software program created and
> demonstrated recently by the Chaos Computer Club (CCC) in Hamburg, Germany.
> I want to personally assure you that Microsoft(R) Internet Explorer 3.0 has
> the appropriate safeguards to protect against this type of threat. By using
> its default security level (High) that comes pre-set, Internet Explorer 3.0
> will not download and run any "unsigned" control such as the one from the
> CCC.

I appreciate your insightful opinion on this matter, however...

Anyone can get a signature key without authenticating their legitimacy. It's relatively easy to break into a system and take a legitimate key.
The default may be changed by the user for one use and remain changed. Other flaws in Explorer may be used to turn that feature on - then look out.

> The CCC demonstrated its malicious executable code running on Microsoft
> Internet Explorer 3.0, though they could just as easily have demonstrated a
> similar attack on any other browser. While it is unfortunate that hackers
> have created this harmful program, it does point out the need for users to
> act cautiously and responsibly on the Internet, just as they do in the
> physical world.

I appreciate your insightful opinion on this matter, however...

This is not accurate. The very nature of ActiveX makes it impossible to operate it securely. Unlike other vendors who make attempts at providing improved protection, ActiveX is a hole waiting to be exploited.

> Malicious code can be written and disguised in many ways - within
> application macros, Java(tm) applets, ActiveX(tm) controls, Navigator
> plug-ins, Macintosh(R) applications and more. For that reason, with
> Internet Explorer 3.0, Microsoft has initiated efforts to protect users
> against these threats. Microsoft Authenticode(tm) in Internet Explorer 3.0
> is the only commercial technology in use today that identifies who published
> executable code you might download from the Internet, and verifies that it
> hasn't been altered since publication.

I appreciate your insightful opinion on this matter, however...

No disguise is needed for malicious ActiveX programs. Any ActiveX program can potentially - either maliciously or by accident or even as a result of configuration differences - cause a system crash, the corruption or destruction of information and/or unlimited leakage, and it doesn't depend on some hard-to-find hole in an otherwise secure application. It is a direct result of the methods used by Microsoft, and cannot be easily cured with any bug-fix.
> If users choose to change the default security level from High to Medium,
> they still have the opportunity to protect themselves from unsigned code.
> At a Medium setting, prior to downloading and running executable software on
> your computer, Microsoft Internet Explorer presents you with a dialog either
> displaying the publisher's certificate, or informing you that an "unsigned
> control" can be run on your machine. At that point, in either case, you are
> in control and can decide how to proceed.

I appreciate your insightful opinion on this matter, however...

Even if you choose wisely, ActiveX is a hole waiting to be exploited and provides essentially no protection. As the folks at Microsoft know well, impediments are easily and commonly removed - and the use of the display box for popular applications is likely to result in the question being turned off in favor of easy access.

> As you know, Microsoft is committed to giving users a rich computing
> experience while providing appropriate safeguards. Most useful and
> productive applications need a wide range of system services, and would be
> seriously limited in functionality without access to these services. This
> means that many Java applications will have to go "outside the sandbox" to
> provide users with rich functionality. By signing code, a developer can
> and integrity safeguards they need. Other firms such as Sun and Netscape
> are following our lead, and have announced that they will also provide code
> signing for Java applets. Microsoft will also be providing an enhanced Java
> security model in the future, giving users and developers flexible levels of
> functionality and security.

I appreciate your insightful opinion on this matter, however...

"...while providing appropriate safeguards" is just not true. Microsoft has a long history of providing systems with no protection, and only recently introduced the first system with even mild protection in its NT product.
Java provides a lot of functionality within the "sandbox", but I am not an advocate of Java either. The style of computing being pushed out to consumers is inherently risky and must be implemented with substantial controls. There is nothing wrong with having signatures, but it is no guarantee either.

> Microsoft takes the threat of malicious code very seriously. It is a
> problem that affects everyone in our industry. This issue is not tied to
> any specific vendor or group of people. All of us that use computers for
> work, education, or just plain fun need to be aware of potential risks and
> use the precautions that can insure we all get the most out of our
> computers. For this reason, we are committed to providing great safeguards
> against these types of threats in Internet Explorer. We expect hackers and
> virus writers to get increasingly sophisticated but we pledge we'll continue
> to keep you and us one step ahead of them.

I appreciate your insightful opinion on this matter, however...

Microsoft still has not addressed Word Macro viruses, PC viruses, Windows viruses, etc. The claim that "Microsoft takes the threat of malicious code very seriously" is ludicrous on its face. This is the same company that has distributed viruses to its customers because it didn't do adequate checking of its distributions for known viruses. This is the company whose Windows installation deleted all of the README files on a system when the user upgraded. This is the same company that continues to ship software with inadequate protection. All of this "perception management" doesn't change the facts, and it shouldn't sway the readers of this letter either.
FC [Fred Cohen can be reached at tel:510-294-2087 fax:510-294-1225]

**************************************************************************

RISKS-LIST: Risks-Forum Digest Saturday 31 May 1997 Volume 19 : Issue 20
Date: Thu, 29 May 1997 12:04:45 -0400
From: "Mich Kabay [NCSA]"
Subject: Microsoft and Privacy

From Computer Privacy Digest Wed, 28 May 97, Volume 10 : Issue: 026

Date: 27 May 1997 14:45:37 -0600
From: cooler
Subject: Microsoft and Privacy

Yesterday I became aware of an online privacy issue involving Microsoft, and I hope to bring an awareness of this issue to anyone who can take that awareness further.

The issue is this: Microsoft has begun to set up a series of "Sidewalk" sites, ostensibly to provide local information for various cities. One example is at http://www.newyork.sidewalk.com/ . If you visit that site, you can see a link (toward the right) to "Terms and Conditions". The link is to a page explaining the "Terms of Use" of the Sidewalk site. This is rather unusual; I don't know any other site that has "Terms of Use". Reading through six paragraphs of fine print you will see that they are asserting that your usage of their site entitles them to sell your e-mail address together with any demographic data they might gather about you.

I believe there is a serious online privacy issue because:

1) Few visitors will be aware that they have implicitly consented to allow the sale of their personal data.

2) Providing local information about cities increases the chance that your personal data will be tied to geodemographic data.

3) Microsoft also makes a browser. We have no way to know that they can't grab your e-mail address with it. Indeed, their new browser integrates seamlessly with the information on your desktop, so the potential is there for them to grab much more data.

While the selling of personal data is nothing new, I believe that Microsoft has an unusual advantage here.
Their willingness to gather and sell this data, together with the intimacy of their browser, presents a new and possibly dangerous threat to personal privacy.

**************************************************************************

alt.humor.best-of-usenet (moderated) #8191
From: Toby Speight
[comp.emacs] Re: RMS is being a weenie
Followup-To: alt.humor.best-of-usenet.d
Date: Sun Oct 19 13:55:53 EDT 1997
Organization: best of usenet humor
X-Posting-Moderator: Peter Simons

Subject: Re: RMS is being a weenie
From: David Kastrup
Newsgroups: comp.emacs

Rich Pieri writes:

>>>>> "JAB" == John Arley Burns writes:

JAB> Grow up? Stop using windoze - that's maturity! ;)

> Yeah, right. OS flames are really mature.
>
> Ever hear of the concept of using the right tool for the job?

Of course you're right. Nothing like Windows for programmers into heavy masochism (oh, yes, Master Gates, I have failed to adapt to your latest secret API. Punish me. Give me the Global Protection Fault. Give my hard disk freely to others via one of the many holes you pierced in my ActiveX. Boot and reboot me, again and again. Make me say "industry standard", then whack me with unexpected changes just when I'm feeling safe. Come up with faster ways to use my inputs and outputs (cd http://www.i2osig.org), but never again let me know freely about how to work with them).

Use the right tool for the right Job [sic].

Sorry, this was too hard to resist. I promise to be a good boy from now on (at least for a while). Sob.
**************************************************************************

Date: Wed, 12 Nov 1997 13:46:29 -0500
From: Harvey Newstrom
Subject: Re: Why Microsoft is a Threat to Freedom

Michael Lorrey wrote:
> there's a route to take for personal choice....Or you could buy a Mac,
> pay twice as much for the same performance you get in your PC. There's
> another choice.

Actually, price/performance ratios for Macs are the same or better than Intel PCs. Keep in mind that Macs come with built-in ethernet, stereo sound, video capability, music synthesizers, voice recognition, and other items that aren't included in some PC prices. It's also hard to compare prices on the fastest Motorola or Alpha chips with Intel chips because Intel can't go that fast yet. If you need the fastest machines, the price of Intels becomes infinity (= not available).

At 21:23 3-11-97 Lee Daniel Crocker wrote:
> > Anybody that tries to make a M$ competing product will be acquired by MS or
> > will be cut off with technical incompatibility tricks. That failing, the

This has been my experience with Microsoft products. I am currently trying to build web pages that are standard HTML and compatible with every browser. I downloaded Microsoft Internet Explorer to my Macintosh and installed it. In the "README.TXT" file it explained that it changed the data format of my "Internet Config" control panel, which is used by all TCP/IP programs on my Mac. It then explained that other programs may not be compatible with the "newer" version. Basically, they reformatted another product's data files in such a way as to make it MS-compatible only, and broke it for other products.

Another example just occurred at IBM where I work, also involving Microsoft and Web Pages. The Microsoft servers wouldn't feed graphics correctly to Netscape browsers. They claimed that the Netscape browser can't view the file, but that Internet Explorer can.
Upon investigation, it turns out that the files are readable by Netscape, but that the Microsoft Server refuses to serve to Netscape clients. When one of our engineers tried to retaliate by making his webserver refuse to serve to Microsoft Internet Explorer, we discovered that the Microsoft browser will misrepresent itself to gain access. It first claims to be Microsoft Internet Explorer. If access is denied, it then claims to be Netscape Mozilla to gain access.

There also are many examples of Microsoft products opening back doors on machines to allow their servers to gain access, or for their anti-piracy software to check for stolen products on your machine. Some of these I have discovered will open listening sockets on the network, even when networking appears to be disabled and all access permissions are denied. This latter example occurred with a wordprocessor program on a "non-networked" machine that was causing network problems for other machines. There was no way to open a document file without the machine turning on the network and communicating data about the local machine to other Microsoft products on the network.

As a Network Security consultant, I recommend that my clients do not use products that deliberately sabotage other products, lie to security filters to gain access to other machines, or open back doors to the network that are neither documented nor part of the product's normal function.

- -- Harvey Newstrom (harv@gate.net)

---

Date: Thu, 13 Nov 1997 11:46:16 -0500
From: Harvey Newstrom
Subject: Re: Why Microsoft is a Threat to Freedom

Michael Lorrey wrote:
> Haven't been shopping for PCs lately huh?

Of course I have. I wouldn't have made a statement about price comparisons if I hadn't actually compared prices. I have recently purchased six PCs, 3 Macs, and 2 Unix Workstations for my home lab.

> What do you mean "another products data files"? Do you mean that it made
> IE the default browser for .html files for that computer?
> Duh, that's
> merely a matter of file format association.

No, I mean the installer opened up private preferences files for other non-Microsoft products that were previously installed on the computer and changed the data in those files such that the original applications couldn't use their own files any more. Internet Config is a separate product for configuring IP on the Mac. No other product is supposed to write to those files, although the product will feed information from those files to other applications. By changing the data formats in this file, Microsoft caused competing products to start failing with corrupted data while Microsoft products continue to work with the new format. Restoring the Internet Config file from backup re-enables the other products to their original functionality.

> Here's an idea. Netscape could, GASP, do the same thing, impersonate an
> Explorer browser to gain access to a MS webserver.... Gee why didn't I
> think of that... I dunno, it must be because I don't work for
> microsoft.....

Sure they could do the same thing. But as a Network Security consultant, I take a dim view of software deliberately providing false information to queries in an attempt to access server areas that the server administrator is clearly trying to withhold from that software. Just as any hacker caught trying to get in under false pretenses could be banned from the site, any software that lies to try to bypass security under false pretenses could also be banned. Of course my preferred solution is that my clients beef up their own security the way they want, and then they don't have to worry about what clients do to try to break in.

>> There also are many examples of Microsoft products opening back doors on
>> machines to allow their servers to gain access, or for their anti-piracy
>> software to check for stolen products on your machine.

> I'd like to see more about this.
> Any system administrator would find
> this a useful tool, and this data must be how many of the network
> oversight applications operate. A good way to make sure your coders and
> data entry weenies are working and not playing solitaire or sending each
> other joke email....I'm sure my boss would like to have that capability
> over me... he he...

Yes, it would be a wonderful tool if it were documented and if the Network Administrators had access to this data. Instead, it is undocumented, and only Microsoft software uses this information to gather data about someone else's network without their knowledge. Any knowledgeable network engineer can analyze these interactions with a sniffer and write their own code to access the same listening ports (backdoors) to gather information about PCs. For each PC, you could tell what time an application started and what time it ended. You could even choose to deny any specific (Microsoft) application by telling it that its copy is illegal. The Microsoft product will override the local user's desire with the directives received over the network.

> As a network consultant, I recommend that others in the field find out
> more about how PCs work in background operations to expand their
> horizons past their Mac blindered knowledge...

I have discovered this stuff using packet sniffer tools to detect anomalous behaviors occurring in the background of most software vendors' products. Much of my research has been part of top secret DoD projects, for which I was specifically brought in because of my investigations into backdoors deliberately created by software vendors. None of my research is second-hand or unsubstantiated. (Long-time readers of this list will remember when I left the Government arena to found my own company in 1994.) Besides consulting for DoD security projects, I also pull six figures per year from IBM for researching their PC networking difficulties.
I assure you that my knowledge of PC networking is not slight or biased. But why argue with me? Anybody can buy the products, and then reverse engineer them to see what they are really doing in the background. If you are a network consultant, you should probably have the tools to do this already. Did you actually investigate any of these items before you decided to disagree with them, or do you merely have the "faith" that Microsoft would never do anything underhanded with their software?

- -- Harvey Newstrom (harv@gate.net)

**************************************************************************

RISKS DIGEST 19.53
Date: Fri, 12 Dec 1997 19:16:15 -0000
From: Ken Tindell
Subject: Re: What really happened on Mars Rover Pathfinder (Jones, R-19.49)

> This scenario is a classic case of priority inversion.

So classic that it has happened before many times in many projects. And I fear will continue to happen. Today, people are building critical real-time systems based on Windows NT. But NT doesn't implement priority inheritance. Instead it contains a "priority randomizer" which randomly selects tasks and alters their priorities in the hope that eventually the priority inversion goes away. Whilst this may be adequate for a general-purpose computer in a workstation environment, this is unlikely to be adequate for a critical real-time system.

> For the record, the paper was:
> L. Sha, R. Rajkumar, and J. P. Lehoczky. Priority Inheritance Protocols: An
> Approach to Real-Time Synchronization. In IEEE Transactions on Computers,
> vol. 39, pp. 1175-1185, Sep. 1990.

I must point out that their work appeared much earlier in technical reports and conference proceedings and was widely cited before the 1990 paper appeared.
Interested readers might like to read the following paper, which gives an historical perspective on when major results were made available:

"Fixed Priority Scheduling: An Historical Perspective", Audsley, Burns, Davis, Tindell, Wellings, Real-Time Systems journal, March 1995, Volume 8, No. 2/3, pp. 173-198.

I find it outrageous that engineers in 1997 are building critical systems that contain serious defects that were detectable and correctable ten years ago. I do wonder at what point failure to be aware of these risks constitutes negligence.

**************************************************************************

From: Matt Robinson
Date: Tue, 24 Feb 1998 15:49:26 -0500
Subject: Internet Explorer 4.0 for Solaris is out (long)

Microsoft has released Internet Explorer 4.0 for Solaris. Note that this is the "final" release and not a "beta" or "preview" release. I've played with it a bit and can offer the following insights.

One Line Summary: of course it's free - you have to be nuts to pay for it!

Suspicious Release Schedule: currently available for Solaris and nothing else. HP-UX expected by the "end of the year". Now I know it is popular in the PC world to play up the incompatibilities between various implementations of Unix, but this just reeks of incompetence. Most major implementations and many minor ones are largely POSIX-1003.1 compatible or they're close enough that porting work is minimal to nil. At least Netscape, despite other deficiencies, seems to understand this - when they release one Unix version of their browser, they release it for a large number of versions (at a quick glance: AIX 4, Digital Unix, HP-UX 9 and 10, Irix 5.3 and 6.2, Linux 1.2 and 2.0, SunOS 4.1.3, Solaris 2.4 and 2.5.1 and Solaris x86 2.4 for Communicator 4.04). This is either a ploy (to make Unix systems look worse than PCs), incompetence (in not understanding how to make something remotely portable) or both.
How Not To Do Things On A Unix System:

- Create a font cache the first time you run on a particular combination of X server and font path. This is only done once but takes a heck of a long time as it forces the X server to load every single font in its font path, sometimes multiple times if the font has more than one name. Microsoft claims that this is to be able to quickly find font matches on the fly. While the font rendering does seem to be a little better than Netscape (perhaps just a better choice of fonts) it is not clear that this is particularly useful or necessary. Microsoft obviously got some complaints about this since the preview release, since they have included a number of pre-fabricated caches for common configurations.

- Replicate large chunks of the Win32 API. Installed package is about 43Mb, Communicator 4.04 is about 16Mb.

- Store configuration data in a human-unreadable binary file. IE actually keeps a couple of registries, apparently in the Win32 format. While this was almost certainly done to avoid changing parts of the IE code, it does mean that you cannot edit the configuration outside of the IE program. Thus some of the tricks we could do with Ariel accounts and Netscape setup (i.e. installing a preferences file) cannot be done here. Mind you, Microsoft does sell an Internet Explorer for Unix Administration Kit for over $70CDN. Most other programs do not provide such a package for any price, since there are free third party configuration programs available, called (depending upon your preferences) ed, vi or emacs.

- Determine the maximum size of your disk cache based upon a percentage of the partition size. Now who came up with this? I mean, you have to really make an effort to make a bonehead decision like this. I hope for the so-called "engineer"'s sake that they were blindingly drunk or had accidentally mixed medications when they put this in. I would hate to believe that somebody had deliberately set up the controls this way.
(Aside: according to the readme.txt file, this feature doesn't even work and the limit is hard-coded to 1% of the partition size.)

- Scrolling seems to be slower in many cases than Netscape, but has less flicker. The middle button is used in a misguided attempt to emulate the IntelliMouse wheel. I can just see this causing great confusion; when you click the middle button once, the mouse goes into "scrolling" mode where moving the mouse scrolls the page rather than moving the cursor. Clicking the mouse again exits the mode.

- Java support is just broken. It crashes very easily - just scrolling back and forth quickly over an applet kills the browser.

- Busy wait. When running Java applets, the browser would suck up at least 6-7% of the CPU on tiger, even if you weren't doing anything and nothing was actually running. The browser (according to truss) seems to keep trying to wait on a condition variable with a ridiculously short timeout. At other times, the browser still sits and spins (albeit less gratuitously) while it poll()s some file descriptors (often in multiple chunks) and also ioctl(FIONREAD)s others - all with short timeouts.

- Memory usage is obscene. Opening a few pages (but only one window) and running a Java applet ended up with an image of 33Mb (26Mb resident). Navigator 4 under similar conditions had 21Mb (16Mb resident). It also produces nice large core files, usually upwards of 11Mb.

- Read local files, but not local directories. Trying to read a local file (e.g. file:/cs/home/tech1/matt/www/index.html) works, but trying to read a local directory (e.g. file:/cs/home/tech1/matt/www/) fails with a "File System Navigation Not Implemented" response. Mind you, FTP directories work fine (ftp://matt@localhost/cs/home/tech1/matt/www/) and we all know that the output from a "dir" command under FTP is radically different from an ls command on a local filesystem (sarcasm).

- Dumps about 600k or so of junk in ~/.microsoft including a 400k registry file.
- Microsoft's requirements: 32Mb of memory (64Mb recommended). - multiple instances (same user, same host, different display) work but seem to be related in some weird way as a crash in one crashes the other. Not As Bad Things: - although the exec memory usage is poor, it seems as though X resource usage is significantly better than Netscape 4.0. ************************************************************************** [1] Risks Digest 19.94 Date: Fri Sep 04 15:54:13 EDT 1998 Date: Thu, 27 Aug 1998 14:08:15 -0600 (MDT) From: Bear Giles Subject: MS databases lose data; MS loses source code to DOS It's bad enough that Microsoft databases lose data, but now Microsoft claims, in court, that it has lost the crucial source code necessary to prove Caldera's allegation that Microsoft did in fact, as implied by an internal 30 September 1991 that which Microsoft does not dispute, actively sabotage Windows 3.1 if it is launched from any competitive product to MS-DOS. Caldera is involved as the current legal owner of DR DOS, an increasingly popular alternative to MS-DOS which was knocked out of the market after the introduction of Windows 3.1 due to the flakiness of the DR DOS/Windows 3.1 combination. (Not to imply that MS DOS/Windows 3.1 was particularly stable.) Since it lost the source code, Microsoft appears to be claiming that there's no contempt of court in failure to provide the documentation (since it no longer exists) and the judge should dismiss the case as without merit. No word on whether Microsoft's next defense will be that it stored the source code for Windows 3.1 in an Access database. As an historical footnote, it's my understanding that the smoking gun memo was discovered in the 1995 DoJ investigation of Microsoft's business practices. That raises some obvious questions about what the current round will uncover. References: Wall Street Journal (27 Aug 1998?) 
http://www.news.com/News/Item/0,4,25763,00.html?st.ne.4.head http://www.zdnet.co.uk/news/1998/34/ns-5364.html http://www.caldera.com Bear Giles ************************************************************************** From: risko@csl.sri.com (RISKS List Owner) [1] Risks Digest 20.01 Date: Thu Oct 01 20:21:52 EDT 1998 Date: Fri, 25 Sep 1998 23:48:27 -0400 From: Joe Thompson Subject: Re: "Windows NT security" There was a forum on InfoWorld Electric (http://www.infoworld.com/) about this about a month or so ago. The actuality of NT's C2 certification is dependent on the following: * One of two or three (I seem to remember two Compaqs and one Digital system) very specifically detailed hardware configurations must be used. These do not include any kind of external connectivity (network card, modem). * The version of NT that was certified was NT 3.5 with Service Pack 3 applied, and no networking or comm drivers installed. 3.51 is not certified, nor is 3.5 without SP3. 4.0 has not, to anyone's knowledge, begun the process of certification, and Microsoft declined to comment. The forum was started by InfoWorld columnist Nicholas Petreley, who spoke with a fellow named Ed... I can't recall his last name, but he headed up Lone Star Systems, the company which developed the testing software that Microsoft used to gain the seal of approval. He alleges that Microsoft has both actively and passively misrepresented the security of NT to, among others, government agencies, and that Microsoft reneged on promises to distribute his compliance-testing software. It was a very interesting forum. Petreley sent a comprehensive list of questions to Microsoft and their answer was a blanket "no comment." Most of the questions were not even speculative in nature, but were seeking comment on facts that could easily be verified independently (e.g., details about Microsoft displays at various trade shows). 
Nicholas will be happy to comment I'm sure, and the forum discussion should still be archived (I'd provide direct addresses and URLs, but my copy of Netscape is flaky today). -- Joe ************************************************************************** [1] Risks Digest 20.03 Date: Fri, 9 Oct 1998 09:55:45 -0400 (EDT) From: "Daniel P. B. Smith" Subject: Unreliable reception of e-mailed WP documents Some unpleasantness occurred in a meeting recently. Person A said that the reasons he hadn't performed a task was because he was still waiting for Person B to supply some needed information. Person B said he'd supplied it a week ago in a specific memo which he'd distributed via e-mail. Person C said, "I got it and I'm almost sure I saw A on the distribution list." Person A said "I got the earlier version where all of those numbers were blank, but I've never gotten anything that had the numbers." Person B said "What version where the numbers were blank?" Person E said "You know, the one you sent out about a week ago. I never got the one with the numbers filled in, either." On comparing notes, it turned out that a single version of the memo had been e-mailed, and when opened by about half the participants a critical table was complete and had information visible in all columns, and about half of them had a column in which all cells were blank. All recipients of the damaged version had simply assumed that the blank cells were intentional. Incidentally, this was a 100%-pure-Microsoft situation, involving no version of Word more than a year old (no version skew of more than one version) and involved RTF format which is the format Microsoft specifically designates for document transfer. There was no obvious pattern to the problem; the originator used Word 97 on a PC, and some receivers using Word 98 on a Mac received it correctly while some receivers using Word 97 on a PC got blank columns. 
We don't know the full story but it is suspected that the set of fonts installed, the OS version, the screen dimensions and resolution, and the kind of printer the user is connected to may all play some part in this crazy equation.

The RISK here is the same as with any other kind of unreliable communication that is falsely _assumed_ to be reliable. Notice that, in general, when you send a word-processing document to someone else, _the sender has no reliable way to confirm what the receiver will ultimately see and print_. Unless the user guesses there is something wrong and complains, the problem is likely to go undetected. Even when the problem is detected, it is usually hard to resolve, because nothing in the system logs all the configuration information that would be needed to resolve it. Unless the recipient is a colleague in an adjacent cubicle and is willing to experiment with you in real time, problems of this kind are likely to remain unsolved.

Daniel P. B. Smith

**************************************************************************

RISKS-LIST: Risks-Forum Digest Friday 29 January 1999 Volume 20 : Issue 18

From: "Daniel P. Stasinski"
Subject: Microsoft Hotmail

I contacted Microsoft/Hotmail asking them to close the account that was listed in the backdoored tcp wrapper source code. I also forwarded the offending code. The word back from them is that they will not close it. Theft of passwords and hacking does not violate their terms of service.

Daniel P. Stasinski, Software Engineer, Karemor International, Inc. 2406 South 24th Street, Phoenix, AZ 85034 dannys@karemor.com

**************************************************************************

RISKS-LIST: Risks-Forum Digest Monday 2 August 1999 Volume 20 : Issue 51

Date: Fri, 23 Jul 1999 15:32:18 -0700
From: Thomas_Gilg@ex.cv.hp.com
Subject: 2nd-class invitation in Outlook

One of our engineers has decided to leave and go back to school to complete her Ph.D. and enter teaching, a career move we all wish her the best in. Before a going-away party could be scheduled however, she ended up in an unusually contentious software design meeting with four other momentarily-combative engineers, including myself. It was ugly!

As I pondered whether or not I was out of line during the meeting, and how we could reconcile our differences so she could leave on a high note, our administrative assistant used Microsoft's Outlook/Exchange "meeting request" feature to schedule a lab-wide going away party. Unlike most engineers in the lab, I and one of the other combative engineers quickly hit the "accept" button which converts the e-mail based meeting request into a calendar item and sends an RSVP back to the meeting organizer.

A day later, an update was issued on the same meeting request, and I scanned the request for the change. While the lab-wide mail list alias "Lab.All" was still on the "Required Attendance" line, I and one other combative engineer were now explicitly listed, by name, on the "Optional Attendance" line. My heart sank at the thought that some of us were no longer welcome at her going away party. Good friends for so long, how could one lousy meeting drive us apart?

After some tactful asking around though, it became clear that there were no hard feelings and no one had tagged anyone as optional. Ah, enter another Microsoft Outlook/Exchange feature. If a meeting request is sent to a mail list alias, and then individuals accept the request *and* use the option to e-mail back a yes/no response to the meeting organizer, Outlook/Exchange does not recognize that the individual(s) are part of the original mail list alias. If an update is then issued on the same meeting request, Outlook/Exchange treats the unrecognized names as optional attendees. Depending on the issue at hand, being explicitly listed as "optional" can take on a whole lot of extra meaning.

Who needs enemies when you have Outlook/Exchange ;-)

Thomas Gilg, R&D Software Engineer, Hewlett-Packard tomg@cv.hp.com

**************************************************************************

RISKS-LIST: Risks-Forum Digest Weds 1 December 1999 Volume 20 : Issue 66

Date: Tue, 30 Nov 1999 17:59:03 +0000
From: main@radsoft.net
Subject: Expanding, Embracing, Devouring: IE 5.0 Task Scheduler Elevates

Re: http://www.ntsecurity.net/go/load.asp?iD=/security/tasksched.htm

What this article will demonstrate is that installing a web browser from Microsoft changes the topology of the underlying operating system - even on Windows NT. Ken Thompson used to say, "keep your hands off the drivers." With all the ridiculous crashes IE4 and IE5 have been guilty of, it's obvious Microsoft has never heeded that good advice. Instead, they now muck about with the innards of your operating system when all they're really supposed to do is install a user mode application. The mind boggles.

RA Downes, Radsoft Laboratories http://www.radsoft.net

------------------------------

Date: Thu, 25 Nov 1999 14:08:50 +0000
From: main@radsoft.net
Subject: No bounds checking in Microsoft RTF controls

I am speechless. Totally speechless. And for reasons which might become clearer later, I have a lump in my throat. This is not funny anymore. Dammit, it is not. I am mad.

The morning mailbox contained a newsletter on NT security, and this newsletter had an article about an attack on the Microsoft Rich Edit (RTF) controls. The URL given is:

http://www.ntsecurity.net/go/load.asp?iD=/security/richedit1.htm

As there are a few discrepancies in the RTF code reproduced there, I made the mistake of assuming that this was a limited problem. But after disconnecting and thinking about the matter a bit (thinking still does have its advantages, even in this age when, thanks to Microsoft, information is at your fingertips) I realized it was "easy peasy" to crash any of Microsoft's Rich Edit (RTF) controls any time I wanted, and set about doing so.

But let's make sure everyone is up to speed before we continue. RTF is a Microsoft invention (or so they claim) for formatting text. RTF stands for "Rich Text Format", thereof the description "Rich Edit" often used to describe this "technology". Microsoft encapsulates this "technology" all over the place, in their Office suite, in FrontPage, and in two resident system DLLs, RICHED32.DLL and RICHED20.DLL. Again, the attack works on _any_ version of the DLL, and not just one or the other as the article at the above URL implies.

RTF consists of a number of "tokens" all introduced with the (you guessed it) backslash. An RTF file is always enclosed in braces (what good this does no one knows, next question please) and after the initial opening brace the token "\rtf1" should follow immediately. (The article online at the URL above incorrectly gives this token as "\rtf" - the '1' on the end, to the best of my knowledge, is necessary.)

As the article states, the buffer used for interpreting RTF tokens seems to be 36 bytes. This is such a ridiculous magic number it's not funny. I can't get past this one at all. The backslash is regarded as part of the token in this context: thus any character sequence beginning with a backslash and continuing with at least 35 characters before the next token will send the control south. Also, RTF tokens are considered to conform to the American alphabet: any non American alphabetic character in a token will in effect break the token and avoid the attack.

Another tidbit that might prove beneficial to readers: the initial MS Rich Edit control, Riched32.DLL, was written in C; the follow up, Riched20.DLL (sic), is written in C++, and Microsoft probably regards this latter DLL as a vast improvement, which it is not. But as this attack works on all generations of the control it can be concluded that the same brain dead code snippet is in effect here in all cases.

The buffer for parsing an RTF token is 36 bytes (including backslash character) - and no checks are used in the code to make sure the buffer does not overflow. There is evidence in the disassembly of a character pointer being incremented with the postfix ++ operator - that the loop not check that this pointer is within bounds really and truly boggles the mind. I can think of hundreds, thousands, hundreds of thousands of loops I have written and seen over the years, every one of course having a bounds check built in. I mean, this is very _basic_ programming, isn't it?

    for (cp = buf; cp < buf + BUFSIZE; cp++)
        /*
         *
         */

I mean, this is all really very _elementary_, isn't it? Tell me I'm wrong! Please, someone, _anyone_, tell me I'm wrong!!!! I used to think so. But now that "Redmond RuleZ", who knows what goes anymore?

The real pity is that in a week, as everyone becomes aware of this issue and what is behind it, people will just end up _accepting_ it. Crimenee!!!!

This RTF control in all its generations is one of the most used controls from the Microsoft arsenal. That this control be subject to the kindergarten programming practices of Redmond is more than at least this author can stomach. This is absolutely horrendous. I feel literally physically sick. This is not funny any more.

RA Downes

PS. As this affects almost everyone using any kind of PC program anywhere, I guess I'll just have to devote the rest of this day to writing a wrapper to protect us. The idea is simple: send all references to RTF editors to the wrapper instead, which will first parse the file for evidence of malignant tokens, and then pass the file on to the target editor if all is in order - or otherwise issue a warning and drop the matter entirely. Drop me a line if you have any ideas. As Microsoft will probably handle this "issue" as so many others - i.e. ignore it - and as I rather trust my own code at this point far more than I trust Microsoft's (nil trust there to be honest) I think we have to take matters into our own hands.

RA Downes, Radsoft Laboratories http://www.radsoft.net

**************************************************************************

RISKS-LIST: Risks-Forum Digest Monday 29 May 2000 Volume 20 : Issue 89

Date: Fri, 19 May 2000 11:41:41 -0700
From: "Gary Cattarin"
Subject: Junk-mail filters

[NOTE: Entire item in RISKS-20.89x. See below. PGN]

This I'm sure has been covered before, but here's an interesting example of filters gone awry. I recently upgraded (?) to MS Office 2000, which, among other things, lets you have more than 8 e-mail filters active at once. In my glee I started turning things on, including junk mail filtering. Surprise! I found 8-10 important messages -- all replies to a query I sent out to a personal mailing list -- all dumped into the Junk Mail folder.

What was it? I'm riding in a charity bicycle ride, and I needed to tell my pledge-ees that I needed their money now. So I sent them an e-mail updating my training status and asking them to send their checks. Obviously, this message had at least one dollar sign "$" in it -- and because I'm an excitable guy it had at least one multiple exclamation mark "!!", and since, at the end, I chided my manager to make good on my exaggerated version of his pledge:

>> Mark, didn't you promise $5,000 or something like that?

...we also hit the magic phrase ",000". Now, the fine folks in Redmond have determined that if these three elements converge, you have received Spam. The actual rule (from their web site) is:

    Body contains ",000" AND Body contains "!!" AND Body contains "$"

Who'd have guessed? In fact, even looking at their filter list, it took me a long time to figure out which rule I'd hit. (OK, I'm slow sometimes.) I guess the rule is (a) don't get too excited ! -- one "!" at a time! (b) specify your currency as "USD", and (c) use European periods ("5.000") instead of North American commas in large numbers.

OK, that's silly. But just as silly is the fact that any spammer can read the list of rules and tailor their e-mail to avoid them. Of course, you might never read this, because if you have junk e-mail filtering turned on, Outlook will catch THIS message and do with it as you've requested for junk mail.

Two other interesting points:

(1) In the adult filters you'll find these two:

    Subject contains " sex"
    Subject contains "free" AND Subject contains "sex"

The first is set up with a leading space to only accept the *word* "sex", so those of us who live here in Middlesex county don't lose any local-related mail. But the writer of the second wasn't so careful -- what if the Middlesex News offers free subscriptions? That's Spam, yes, but not porn (I guess that's why that newspaper changed its name...).

(2) Don't address your dear friend as such -- note the rule:

    Body contains "Dear friend"

My golly! I can't send some good old-fashioned heartfelt feelings to my dear friends!! (oops, double "!!" -- I got excited!)

This stuff can be very dangerous...

The entire list is at http://officeupdate.microsoft.com/Articles/newfilters.htm I included it here, but the moderator may choose to cut it from the journal in the interest of space.
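The check the Rich Edit item above says was missing, as an added example (not code from RA Downes, the RISKS digest or Microsoft): a scan of an RTF document for control words that would not fit the 36-byte token buffer that item describes, which is the "parse the file for evidence of malignant tokens" step the proposed wrapper would need, plus a bounded copy loop of the kind the item asks for. The constant name, function names and both sample documents are constructed for this illustration; only the 36-byte figure comes from the item.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Buffer size the RISKS item attributes to the Rich Edit controls, backslash
 * included. Hypothetical constant name; the figure is the one quoted above. */
#define RICHEDIT_TOKEN_BUF 36

/* Constructed samples: a harmless document, and one carrying a 41-byte control
 * word (backslash plus 40 letters) that cannot fit in the buffer above. */
static const char SAMPLE_OK[] =
    "{\\rtf1\\ansi\\deff0 {\\fonttbl {\\f0 Courier;}} Hello\\par }";
static const char SAMPLE_BAD[] =
    "{\\rtf1 \\" "aaaaaaaaaa" "aaaaaaaaaa" "aaaaaaaaaa" "aaaaaaaaaa" " }";

/* Length of the control word at data[pos], counting the backslash. Per the
 * item, a token ends at the first non-alphabetic (ASCII) character. */
static size_t rtf_token_len(const char *data, size_t len, size_t pos)
{
    size_t n = 1;
    while (pos + n < len && isalpha((unsigned char)data[pos + n]))
        n++;
    return n;
}

/* Count control words that would not fit, NUL terminator included, in a
 * buffer of `bufsize` bytes. The offset of the first offender is stored in
 * *first when `first` is non-NULL. */
size_t rtf_count_oversized(const char *data, size_t len, size_t bufsize,
                           size_t *first)
{
    size_t bad = 0;
    for (size_t i = 0; i < len; i++) {
        if (data[i] != '\\')
            continue;
        size_t n = rtf_token_len(data, len, i);
        if (n >= bufsize && bad++ == 0 && first)
            *first = i;
        i += n - 1;                 /* resume scanning after this token */
    }
    return bad;
}

/* Bounded copy of the control word at data[pos] into buf: the loop never
 * writes past buf + bufsize - 1 and always NUL-terminates. Returns 0 when the
 * whole token fit and -1 when it had to be truncated. */
int rtf_copy_token(const char *data, size_t len, size_t pos,
                   char *buf, size_t bufsize)
{
    char *cp = buf, *end = buf + bufsize - 1;
    size_t i = pos;
    for (; cp < end && i < len; cp++, i++) {
        if (i > pos && !isalpha((unsigned char)data[i]))
            break;                  /* token ended on its own */
        *cp = data[i];
    }
    *cp = '\0';
    return (i > pos && i < len && isalpha((unsigned char)data[i])) ? -1 : 0;
}

int main(void)
{
    size_t first = 0;
    char tok[RICHEDIT_TOKEN_BUF];
    size_t bad = rtf_count_oversized(SAMPLE_BAD, strlen(SAMPLE_BAD),
                                     RICHEDIT_TOKEN_BUF, &first);
    printf("oversized tokens: %zu, first at offset %zu\n", bad, first);
    printf("bounded copy truncated: %d\n",
           rtf_copy_token(SAMPLE_BAD, strlen(SAMPLE_BAD), first,
                          tok, sizeof tok));
    return 0;
}
```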
**************************************************************************

Personal example:

Wed Jun 28 17:36:27 EDT 2000
From: Wayne Hayes

Tried using Microsoft Word for the first time in many years. Tried printing to an HP postscript printer. Didn't work. Tried printing postscript to a file. That's when I noticed that Word isn't generating standard postscript. It's some other sort of screwed up postscript of their own. Just what the hell is wrong with these people? Postscript is a STANDARD. That means it's supposed to be, well, STANDARD --- DUH, which means the same for everybody. I have crappy free software that can generate correct postscript. Why the hell can't Word do it? The programmers of Word are either incompetent, or intentionally fucking with the standard for some reason.

**************************************************************************

Wed Jul 4 20:56:59 EDT 2001
From: Wayne Hayes

Microsoft Excel from Office 2000 (and presumably all earlier versions, and I'll bet any more recent version as well) contains a numerical limitation: if you try to take the geometric mean of a bunch of numbers greater than 1, you can get Infinity as the answer even if the *actual* geometric mean is perfectly representable. After some experimentation, it appears that they're computing the geometric mean using the mathematically correct but numerically naive algorithm: multiply the N numbers together, then take the Nth root. If the multiplies result in an overflow, then the Nth root is still an overflow. A similar problem arises if all the numbers are less than 1; an underflow results, and you get 0 as the result. This makes Excel useless for any data reduction where you want to take the geometric mean of a modest list of numbers. In my case, it was only about 300 numbers, each less than 100, and the actual geometric mean was about 80.

The solution to this problem is utterly trivial, has been understood since the advent of numerical computing (let's be generous and say the mid 1960's), and should be well-known to anybody who's taken an undergraduate introductory numerical analysis course. You note that the logarithm of the product of a bunch of numbers is equal to the sum of their individual logarithms, and replace the above algorithm with the following: add the logarithms of the N numbers together, divide by N, then exponentiate.

I sent this bug report and suggested fix by e-mail to Microsoft technical support, and received back an informationless form letter; apparently the tech support person reading it had no understanding of mathematics. I re-sent it, saying that if they didn't understand what I was saying, they should simply forward it to a supervisor, or directly to the Excel developers responsible for the mathematical computations of Excel. I received the same form letter back. I gave up.

It is distressing to realize that, with all the nice glitter and ease-of-use of Excel (I'll admit that it has quite a nice and intuitive interface, at least for simple tasks), the basic numerical algorithms underpinning it all are at the level of a mediocre high-school student.

**************************************************************************