Зарегистрируйтесь сейчас для лучшей персонализированной цитаты!

Windows: Still insecure after all these years

15 декабря 2022 г Hi-network.com

For longer than some of you have been alive, I've been preaching the gospel of using more secure desktop operating systems. You see, Windows has been insecure since 1985's Windows 1.0, really an MS-DOS extension, rolled out the door. Then, as now, there were more secure options. Then it was Unix desktop operating systems. Today it's Linux desktops.

See also

  • How to install Ubuntu Linux (It's easy!)
  • How to run a Windows app on Linux with Wine
  • How to get started with Git on Linux
  • How to kill a process in Linux

Why hasn't Microsoft ever gotten its security act together? The fundamental problem is that Windows was never, ever meant to work on a network. It worked as a standalone PC operating system. And, even today, 37 years later, the same pre-internet problems keep showing up. Unix and Linux started with the premise that there's more than one user on the system, and you need to secure accounts and programs from other users, local or remote. This has served these operating systems well.  

In addition, the developers from Redmond may say they rewrite Windows code from the bottom up to make it more secure. But, they don't. 

Take, for example, Microsoft recently patched zero-day remote code execution Windows Scripting Languages Remote Code Execution Vulnerability, CVE-2022-41128, With a  Common Vulnerability Scoring System (CVSS) rating of 8.8, it's a baddie. This is a Windows JavaScript scripting language security hole. Specifically, it's a hole in Internet Explorer (IE) 11's JScript9 JavaScript engine. 

Also: Hackers are still finding -- and using -- flaws in Internet Explorer

It's a nasty one. It affects every version of currently supported Windows. That includes everything from Windows 8.1 to all the various Windows Servers and Windows 11. Since it showed up, North Korean hackers exploited it to infect South Korean users with malware.

It works by presenting the victims with a malicious document. When an innocent opens the document, it then downloads a rich text file (RTF) remote template. The HTML inside would then be rendered by the IE engine. Then -- ta-da! -- you've got a case of some malware or the other. 

The Google Threat Analysis Group (TAG) that found it said, "This technique has been widely used to distribute IE exploits via Office files since 2017. Delivering IE exploits via this vector has the advantage of not requiring the target to use Internet Explorer as its default browser."

Oh, guys, it is so, so much older than that. I described this kind of problem in the long-defunct magazine PC Sources in 1992 when I found it in Windows for WorkGroup 3.1. Then, as now, Windows and its native programs treated document data as programming instructions. 

That's why according to Atlas VPN, "Microsoft Office remains the most widely exploited software for malware delivery." How bad is it? Try 78.5% of all attacks. Office on your PC, Office 365, it doesn't matter. They're all open to attacks. 

Now, then, what's the elephant in the room I haven't mentioned yet? It's that IE retired back in June 2022. It's been replaced by Microsoft Edge. 

Also: The best Linux laptops 

So, why the heck are all versions of Windows vulnerable to an IE attack in late 2022? Isn't it history? I mean, IE was never in Windows 11, anyway. You'd like to think that, but no matter what version of Windows you're using, the IE engine is still in Windows and still ready to run JavaScript attacks.

Windows's fundamental security flaws have never been fixed. They never will be. Backward compatibility is far more important to Microsoft than security. So, the company continues to play patch a hole. 

If, like me, you favor security over backward compatibility, you'll run Linux. Despite what you've heard, Linux is not that hard to use. But, if you'd rather not go to the effort, just buy a Chromebook. Anyone can use a Chromebook, and, since it's based on Linux, it's a lot more secure. 

Related Stories:

  • Microsoft Patch Tuesday fixes six critical vulnerabilities
  • Microsoft's Internet Explorer browser is finally gone. But not everyone is happy about it

Featured

New iPhone 15 Pro overheating reports: Still too hot after iOS 17.0.3 and fresh issues arise after the updateGenerative AI will far surpass what ChatGPT can do. Here's everything on how the tech advancesiPhone 15 Pro review: Prepare to be dazzledThe best USB-C cables for the iPhone 15: What the experts recommend
  • New iPhone 15 Pro overheating reports: Still too hot after iOS 17.0.3 and fresh issues arise after the update
  • Generative AI will far surpass what ChatGPT can do. Here's everything on how the tech advances
  • iPhone 15 Pro review: Prepare to be dazzled
  • The best USB-C cables for the iPhone 15: What the experts recommend

tag-icon Горячие метки: Технологии и оборудование Безопасность и охрана

Copyright © 2014-2024 Hi-Network.com | HAILIAN TECHNOLOGY CO., LIMITED | All Rights Reserved.