Why Hasn’t Microsoft Fixed This 20 Year-Old Vulnerability?

Category: Security, Windows

A security flaw in Windows allows anyone to steal usernames and passwords of logged-in users or even infect Facebook with malware simply by tricking users into visiting a specially-crafted Web page. Microsoft has known about the vulnerability since at least 1997, but the company has no plans to close this gaping hole. Read on to learn why, and how to easily protect against this threat...

No Security Patch For You!

This Windows flaw has been around for almost 20 years, and the folks in Redmond were reminded of it by a demonstration at the Black Hat 2015 hacker conference. So why hasn't Microsoft fixed it?

The exploit relies on a Windows feature called XML External Entity Injection (XXE). Essentially, XXE makes it possible to create a Web page that can read the contents of any file that can be referenced by a URL, including the file on your PC that contains your Windows password and username.

It’s not a major disaster if a hacker in Brazil knows the log-in credentials of a Windows PC in Chicago. What’s he going to do with that information? But the XXE exploit is rapidly gaining popularity among hackers as Microsoft requires users to create online Microsoft.com accounts and use their credentials to log into the company’s products and services.


Using XXE, a hacker can easily gain control of your Microsoft account from anywhere on Earth. From there, he can hack your PC, Xbox, Hotmail/Outlook.com email, Microsoft Office, Skype, and other Microsoft products. Also, a Microsoft account may be used to log in to other, non-Microsoft services; it’s not as widely accepted by Web services as Google or Facebook accounts, but Microsoft’s game plan is to change that.

In fact, Facebook paid out the largest “bug bounty” in history to a security researcher who uncovered an XXE vulnerability in the social network’s vast universe of home-grown software. That bug would have allowed a hacker to execute any malicious code he wished on certain Facebook servers that are for the company’s internal use; apparently, internal servers were not as well protected as those that face the Internet.

Another trick made possible by XXE is a denial-of-service attack (DoS). The poisoned Web page may fool your browser into trying to read a fictitious file of infinite size, quickly consuming all of your system’s resources and causing it to freeze.
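As an added illustration (not code from the article, and not Microsoft's own guidance), here is what the developer-side fix for XXE looks like in practice: an XML loader that refuses any DOCTYPE, entity declaration or external entity reference, so a document can neither pull in a file named by a URL nor make the parser expand a resource of unbounded size. It uses Python's standard expat parser; the function names and the sample documents are my own, constructed for this example.

```python
"""Hardened XML loading: refuse the DOCTYPE/entity constructs XXE needs."""
import xml.parsers.expat


class UnsafeXMLError(ValueError):
    """Raised when a document tries to declare or resolve entities."""


def parse_xml_strictly(data: bytes) -> dict:
    """Parse XML into a {element name: text} map of its leaf elements.
    Any DOCTYPE, entity declaration or external entity reference aborts the
    parse, so the document can neither read a file named by a SYSTEM
    identifier nor expand a resource of unbounded size."""
    parser = xml.parsers.expat.ParserCreate()
    # Never let expat fetch parameter entities named by a SYSTEM identifier.
    parser.SetParamEntityParsing(xml.parsers.expat.XML_PARAM_ENTITY_PARSING_NEVER)
    leaves, text = {}, []

    def reject_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXMLError(f"DOCTYPE {name!r} rejected (system id {sysid!r})")

    def reject_entity(*_):
        raise UnsafeXMLError("entity declaration or external reference rejected")

    def end(name):  # record the text of leaf elements only
        value = "".join(text).strip()
        if value:
            leaves[name] = value
        text.clear()

    parser.StartDoctypeDeclHandler = reject_doctype
    parser.EntityDeclHandler = reject_entity
    parser.ExternalEntityRefHandler = reject_entity
    parser.StartElementHandler = lambda name, attrs: text.clear()
    parser.CharacterDataHandler = text.append
    parser.EndElementHandler = end
    parser.Parse(data, True)  # exceptions raised in handlers propagate here
    return leaves


def is_safe_xml(data: bytes) -> bool:
    """True if the document parses without touching any entity machinery."""
    try:
        parse_xml_strictly(data)
        return True
    except (UnsafeXMLError, xml.parsers.expat.ExpatError):
        return False


# Constructed sample documents (placeholder path, not a real file).
BENIGN_DOC = b"<user><name>alice</name><role>reader</role></user>"
XXE_SHAPED_DOC = (b'<!DOCTYPE user [<!ENTITY ext SYSTEM "file:///constructed/x.txt">]>'
                  b"<user><name>&ext;</name></user>")
```

The same rejection covers the "infinite file" denial-of-service case, because it never lets the parser reach the entity that names the resource.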

How To Avoid The XXE Exploit

Fortunately, there is a simple, painless solution that prevents XXE exploits from affecting your devices. Just avoid the Internet Explorer or Edge (Windows 10) browser, and the Microsoft Outlook email program. Firefox and Google Chrome browsers are not vulnerable to XXE. (Undoubtedly, readers will suggest Linux or other alternatives to Windows as equally good solutions to this problem.)

The fact that competing browsers have closed the XXE hole proves that Microsoft could do likewise. But the company’s spokesperson told Ars Technica in response to an inquiry:

"We're aware of this information gathering technique, which was previously described in a paper in 2015. Microsoft released guidance to help protect customers and if needed, we'll take additional steps."

The “guidance” was issued to third-party software developers, telling them how to “program around” the XXE flaw. I guess they didn't send that memo to the programmers inside Microsoft, because they haven't "programmed around" the flaw in their own product. Imagine a carmaker telling the public, “We’re aware of this tendency of our brakes to fail, but if you press only the right-hand side of the brake pedal with only your big toe, you’ll be fine.”

I think it’s more likely the public would ensure its safety by buying someone else’s car. And to extend that analogy, Microsoft Windows users can ensure their safety by using someone else's software for web browsing and email. This is yet another reason to avoid Internet Explorer, as well as the new Edge browser for Windows 10.

You'd think Microsoft would be quick to fix a flaw that's not only dangerous, but also sends customers running away from their flagship browser, email and operating system products.

Windows is riddled with unresolved flaws like XXE. Gigabytes of “guidance” have been issued to software developers, who are only human and overlook workarounds now and then. Unless something like a billion-dollar fine motivates Microsoft to clean up its own mess instead of telling others to “just walk around it,” we will continue to see XXE exploits and their consequences will become exponentially greater.

This article was posted by on 18 Aug 2016
Most recent comments on "Why Hasn’t Microsoft Fixed This 20 Year-Old Vulnerability?"

(See all 34 comments for this article.)

Posted by:

noseitall
18 Aug 2016

I never did trust logging in to a Microsoft account to access my own computer, therefore I've always used a local account.
And isn't it strange that Microsoft developed their highly-touted Edge browser to replace the (presumably) more insecure Internet Explorer, without fixing this known vulnerability?
So think twice before storing anything valuable on Microsoft OneDrive. Without a firm commitment to security, all of Microsoft's offerings are risky.


Posted by:

Daniel
18 Aug 2016

Whoa now, hold on buddy. Are you trying to tell me that people still use IE? Just kidding. I still have a couple of specific web sites that only work with IE. Somehow, even chrome's IE emulator won't work. That's the only time it is ever opened.


Posted by:

Leah
18 Aug 2016

Maybe it's not fixed to make it snap-easy for microsoft to peruse a system at will? Backdoors come in all sizes and shapes.


Posted by:

Tom McElvy
18 Aug 2016

The fix is simple - get a Mac!


Posted by:

Elizabeth Perilloux
18 Aug 2016

Is browser Bing vulnerable to this XXE?

EDITOR'S NOTE: Bing is a web site, not a browser. So, no.


Posted by:

David Hickman
18 Aug 2016

Apart from Windows 10 I am a Microsoft free zone. I use Chrome and EM Client, have a gmail address and use Office Libre. The only reason I stick with Windows is that I'm too old or too lazy to change.


Posted by:

Dave Fox
19 Aug 2016

Bob, great article. I just dumped Microcrap and went with Chrome a couple of days ago, in the process of changing everything over, could not stand Edge & outlook any longer.


Posted by:

Dave Fox
19 Aug 2016

P.S. - You were the 1st account I changed over to gmail, needed to keep all the good info coming.


Posted by:

Dave
19 Aug 2016

I truly believe that Linux is in my future. I won't even have to worry as much about my privacy concerns. I upgraded from Win 7 to Win 10, but I already realize I made a mistake. While I enjoy the upgrade Op System I feel that my privacy is completely gone. Yes, and it is really nice to know that Microsoft cares so much about its faithful users' security. I must say that I have owned a Pro version of every version of the Microsoft products (at least those that had Pro versions) since the beginning of Windows. I suppose I have been betting on the wrong horse.


Posted by:

Shujuana
19 Aug 2016

Thank you for this very informative article. I am reading this article with Microsoft Edge Browser which I opened up through a link via Outlook! I will be shutting down the Edge browser and Outlook even though I like the way they work, but it's not worth the risk.


Posted by:

SamG
19 Aug 2016

My distrust with MS began with them ditching Outlook Express and their updating Directx. OE was a wonderful mail program which one was able to totally customize easily. After new directx, game controllers became useless on games.
Then amd bought ati and video cards and tv tuners became obsolete. Along with analog tv signals. MS and amd didn't work together on Windoz 7. Buy new hardware. New drivers were not written. MS offers cloud storage. Gigs worth. Decides to cut amount of storage, like it or not.
I bought a Windoz phone with 8.1 OS. MS promised an upgrade to W10. Then said phone didn't have enough memory. This guy is done with MS's OSes. I will/am using dual boot with XP and 7. With Linux Mint. Would rather put up with learning Linux and its quirks than pay more money to MS. Just cashed in most of Bing search rewards for Amazon gift cards before the Sept. 6th deadline. Raspberries to MS support forums which sidestep solutions. Cutting their own throat?


Posted by:

JohnnyQ
19 Aug 2016

Lately, with all the things pushed on us by Microsoft, it is my opinion that the biggest computer flaw is Windows. One of the basic changes in the way Windows 10 does things has made one of the programs installed on my computer basically useless. And it is a paid program requiring a yearly subscription. The program is now useless on Win 7 and Win 8.1, as well as Win 10, due to changes the software maker had to make in order to deal with the way Windows deletes files now.


Posted by:

William
19 Aug 2016

Yes, Microsoft is cutting their own throats, but does not seem to know or care. I bet they do not even read computer information/advice sites such as this and others. It would seem that Microsoft fits the basic definition of a bully. As several have mentioned, I am another one who is moving to Linux.
I have always used every free program I can find to avoid the expensive MS programs.


Posted by:

thomr
19 Aug 2016

Unless it involves putting w10 on ones computer, Microsoft just doesn't care.


Posted by:

Bob Pegram
19 Aug 2016

This kind of thing from Microsoft is one of the reasons I switched to Linux Mint a number of years ago.


Posted by:

E Coot
20 Aug 2016

I tried your link to My Turbo Pc and found it to be a bait and switch. It did nothing to repair anything but tried to sell me something that was advertised as free. I would not recommend this type of company to anyone.


Posted by:

JimN
20 Aug 2016

As is usually the case with these corporate black hole companies (MS & Dell esp.) they are buying smaller hardware companies and hoping to squeeze every last drop of blood out of us stones before they go belly up, work an angle for more money and less service or start selling inferior, as compared to products before the buyout, hardware and gadgets.


Posted by:

HA
22 Aug 2016

Reading this on Ubuntu, and feeling good.


Posted by:

Elwood J.
30 Aug 2016

I use Linux in different flavours almost exclusively now, although I am writing this on an Android Tablet I bought a few years ago. I am starting to avoid MS like the Disease it has become!!!


Posted by:

SkeeterVT
30 Aug 2016

I wish I could remove Internet Explorer from my computer, but unfortunately, it's embedded in the Windows 7 operating system and if I remove it, I would no longer receive Windows updates.

Moreover, I rely on Outlook Mail (formerly Hotmail) as my primary email server, as Gmail and Yahoo! both have terribly inefficient anti-spam filters.


Copyright © 2005 - Bob Rankin - All Rights Reserved
Article information: AskBobRankin -- Why Hasn’t Microsoft Fixed This 20 Year-Old Vulnerability? (Posted: 18 Aug 2016)
Source: http://askbobrankin.com/why_hasnt_microsoft_fixed_this_20_yearold_vulnerability.html