Thursday, February 26, 2009

Microsoft serves up security spin

Bad security spin, as it turns out. There has been a monstrous security hole in Windows for years, where Windows will silently and automatically execute software from USB devices. Malware has increasingly targeted this ability, and has caused a lot of recent infections on classified military networks.

It has not been possible to disable this "Autorun" feature sufficiently to prevent infection. You can imagine the "discussion" that the DoD had with the Lads from Redmond. So now there's a patch that fixes this enormous security hole - you know, the one that malware used to infect military computers.

Except it's not a security patch:
Ironically, Microsoft describes the fix as a "non-security update," and it offers this explanation: "In this case, we are communicating the availability of an update that affects your ability to perform subsequent updates, including security updates. Therefore, this advisory does not address a specific security vulnerability; rather, it addresses your overall security."
Huh? Classified computers got infected. I-N-F-E-C-T-E-D. But no security fix to see here. Move along, folks.

This episode doesn't pass the sniff test. The fact that they feel the need to spin us speaks volumes about their attitude towards security.
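For anyone who wants to see where their own machines stand, the following is an added check, not something from this post or from Microsoft: it reads the NoDriveTypeAutoRun policy value (the bitmask Windows uses to decide which drive types get Autorun; the post does not name it) from both the machine and user hives and reports, per drive type, whether Autorun is still enabled. The bit layout and the "0xFF disables all drive types" convention are Microsoft's documented semantics for that value; everything else here is my construction.

```powershell
# Added example: audit the NoDriveTypeAutoRun policy value per hive and drive type.
# Bit meanings follow Microsoft's documentation of the value; a set bit disables
# Autorun for that drive type, and 0xFF disables it for every type.
$driveTypeBits = [ordered]@{
    0x01 = 'Unknown'
    0x04 = 'Removable (USB/floppy)'
    0x08 = 'Fixed'
    0x10 = 'Network'
    0x20 = 'CD-ROM'
    0x40 = 'RAM disk'
    0x80 = 'Reserved'
}

function Get-AutorunPolicy {
    param([string]$Hive)   # 'HKLM' (machine) or 'HKCU' (current user)
    $path = "${Hive}:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer"
    $item = Get-ItemProperty -Path $path -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }   # value absent: the OS built-in default applies
    return [int]$item.NoDriveTypeAutoRun
}

foreach ($hive in 'HKLM', 'HKCU') {
    $value = Get-AutorunPolicy -Hive $hive
    if ($null -eq $value) {
        Write-Output "$hive : NoDriveTypeAutoRun not set (OS default applies)"
        continue
    }
    Write-Output ("{0} : NoDriveTypeAutoRun = 0x{1:X2}" -f $hive, $value)
    foreach ($bit in $driveTypeBits.Keys) {
        # A set bit means Autorun is disabled for that drive type.
        $state = if ($value -band $bit) { 'disabled' } else { 'ENABLED' }
        Write-Output ("    {0,-24} autorun {1}" -f $driveTypeBits[$bit], $state)
    }
    if (($value -band 0xFF) -ne 0xFF) {
        Write-Output "    -> not fully disabled; 0xFF covers all drive types"
    }
}
```

The value alone is only half the story: as the post says, the setting did not reliably stop execution until the Autorun update the post is about, so a machine showing 0xFF here still needs that update applied.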

2 comments:

TisDone said...

I still don't understand why there hasn't been a massive class action lawsuit against those Redmond folks. Surely there are a few lawyers who are willing to crack away at the EULAs disclaiming responsibility and nail the Redmond folks for the countless $$$$$ that government and industry have spent cleaning up after their mess ... sigh ...

Borepatch said...

TisDone, most license agreements (EULAs) only warrant that the CD actually contains the software.