Why Hasn’t Microsoft Fixed This 20 Year-Old Vulnerability?
A security flaw in Windows allows anyone to steal usernames and passwords of logged-in users or even infect Facebook with malware simply by tricking users into visiting a specially-crafted Web page. Microsoft has known about the vulnerability since at least 1997, but the company has no plans to close this gaping hole. Read on to learn why, and how to easily protect against this threat...
No Security Patch For You!
This Windows flaw has been around for almost 20 years, and the folks in Redmond were reminded of it by a demonstration at the Black Hat 2015 hacker conference. So why hasn't Microsoft fixed it?
The exploit relies on a Windows feature called XML External Entity Injection (XXE). Essentially, XXE makes it possible to create a Web page that can read the contents of any file that can be referenced by a URL, including the file on your PC that contains your Windows password and username.
It’s not a major disaster if a hacker in Brazil knows the log-in credentials of a Windows PC in Chicago. What’s he going to do with that information? But the XXE exploit is rapidly gaining popularity among hackers as Microsoft requires users to create online Microsoft.com accounts and use their credentials to log into the company’s products and services.
Using XXE, a hacker can easily gain control of your Microsoft account from anywhere on Earth. From there, he can hack your PC, Xbox, Hotmail/Outlook.com email, Microsoft Office, Skype, and other Microsoft products. Also, a Microsoft account may be used to log in to other, non-Microsoft services; it’s not as widely accepted by Web services as Google or Facebook accounts, but Microsoft’s game plan is to change that.
In fact, Facebook paid out the largest “bug bounty” in history to a security researcher who uncovered an XXE vulnerability in the social network’s vast universe of home-grown software. That bug would have allowed a hacker to execute any malicious code he wished on certain Facebook servers that are for the company’s internal use; apparently, internal servers were not as well protected as those that face the Internet.
Another trick made possible by XXE is a denial-of-service (DoS) attack. The poisoned Web page may fool your browser into trying to read a fictitious file of infinite size, quickly consuming all of your system’s resources and causing it to freeze.
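What "programming around" XXE looks like on the parser side, covering both shapes described above (an entity that reads a file by URL, and an entity whose expansion never ends). This is an added example, not code from the original article or from Microsoft's guidance; it uses only Python's standard-library expat binding, the sample documents are constructed, and the `file:///placeholder/...` path is a placeholder.

```python
import xml.parsers.expat as expat

class UnsafeXml(ValueError):
    """The untrusted document declared something the policy refuses to resolve."""

def parse_untrusted_xml(data: bytes) -> str:
    """Return the text content of an untrusted XML document, refusing the two
    shapes described above: external entities (the file read) and internal
    entities that reference other entities (the recursive-expansion DoS)."""
    chunks = []
    parser = expat.ParserCreate()
    # Never fetch an external DTD subset or external parameter entities.
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)
    parser.buffer_text = True

    def on_doctype(name, system_id, public_id, has_internal_subset):
        if system_id or public_id:
            raise UnsafeXml("doctype points at an external DTD: %r" % (system_id,))

    def on_entity_decl(name, is_param, value, base, system_id, public_id, notation):
        if system_id is not None or public_id is not None:
            raise UnsafeXml("external entity %r -> %r" % (name, system_id))
        if value is not None and "&" in value:  # also refuses harmless &lt;, by design
            raise UnsafeXml("entity %r expands to other entities" % name)

    def on_external_ref(context, base, system_id, public_id):
        return 0  # 0 = failure: expat aborts the parse instead of opening the URL

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_ref
    parser.CharacterDataHandler = chunks.append
    parser.Parse(data, True)
    return "".join(chunks)

def check(data: bytes) -> str:
    """Return 'accepted' or 'rejected: <reason>' for one document."""
    try:
        parse_untrusted_xml(data)
        return "accepted"
    except (UnsafeXml, expat.ExpatError) as exc:
        return "rejected: %s" % exc

# Constructed samples; the SYSTEM path is a placeholder, not a real file.
BENIGN = b'<?xml version="1.0"?><note>hello</note>'
XXE = (b'<!DOCTYPE note [<!ENTITY xxe SYSTEM "file:///placeholder/secret.txt">]>'
       b'<note>&xxe;</note>')
BLOWUP = b'<!DOCTYPE x [<!ENTITY a "aaaa"><!ENTITY b "&a;&a;&a;&a;">]><x>&b;</x>'
```

The rejection happens while the DTD is being read, before any entity reference in the body is reached, so the referenced URL is never opened.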
How To Avoid The XXE Exploit
Fortunately, there is a simple, painless solution that prevents XXE exploits from affecting your devices. Just avoid the Internet Explorer or Edge (Windows 10) browser, and the Microsoft Outlook email program. Firefox and Google Chrome browsers are not vulnerable to XXE. (Undoubtedly, readers will suggest Linux or other alternatives to Windows as equally good solutions to this problem.)
The fact that competing browsers have closed the XXE hole proves that Microsoft could do likewise. But the company’s spokesperson told Ars Technica in response to an inquiry:
"We're aware of this information gathering technique, which was previously described in a paper in 2015. Microsoft released guidance to help protect customers and if needed, we'll take additional steps."
The “guidance” was issued to third-party software developers, telling them how to “program around” the XXE flaw. I guess they didn't send that memo to the programmers inside Microsoft, because they haven't "programmed around" the flaw in their own product. Imagine a carmaker telling the public, “We’re aware of this tendency of our brakes to fail, but if you press only the right-hand side of the brake pedal with only your big toe, you’ll be fine.”
I think it’s more likely the public would ensure its safety by buying someone else’s car. And to extend that analogy, Microsoft Windows users can ensure their safety by using someone else's software for web browsing and email. This is yet another reason to avoid Internet Explorer, as well as the new Edge browser for Windows 10.
You'd think Microsoft would be quick to fix a flaw that's not only dangerous, but also sends customers running away from their flagship browser, email and operating system products.
Windows is riddled with unresolved flaws like XXE. Gigabytes of “guidance” have been issued to software developers, who are only human and overlook workarounds now and then. Unless something like a billion-dollar fine motivates Microsoft to clean up its own mess instead of telling others to “just walk around it,” we will continue to see XXE exploits and their consequences will become exponentially greater.
This article was posted by Bob Rankin on 18 Aug 2016
Copyright © 2005 - Bob Rankin - All Rights Reserved