
Security (or lack of it) Issues Concerning Microsoft Products



One of the biggest problems with Microsoft Windows is that it has a number of rather worrying security loopholes in it, not to mention the instability of its actual running. How many times does your machine crash or do something unexpected, or just suddenly pop up a 'software wizard' to recommend that you do something or other?

It's a very worrying thought to ponder how many man-hours of productivity have been lost through people having to perform mundane 'system operations' on their computer in order for it to work correctly. Compared to more stable platforms like Linux, Unix or Acorn RISC OS, Windows is like playing Russian Roulette with your important work.

There are some serious security loopholes in Microsoft's internet products, especially their Internet Explorer. The purpose of this page is not to do anything malicious to your computer, but merely to alert people to the possibility that there are ways in which less scrupulous people could damage data on your system while you are using the Internet.

For example, one such 'feature' is called the "Page Redirect" bug and affects both Windows 95 and Windows NT. This allows web authors to extract your name and password when you are redirected from one site (where you may have entered user authentication) to another. This 'bug' is in both Explorer 3.0.2 AND Explorer 4, so it makes you wonder whether it is really a bug or an 'undocumented feature'.

The big problem is that as soon as a security problem is exposed to the public, Microsoft soon release a patch and a short apology stating that it was a bug. Yet, soon afterwards, further examples are often discovered by people (such as myself) who like examining what their machine is up to. There are a number of 'buffer overflow' problems within MSIE (Microsoft Internet Explorer) which allow certain URLs of more than 256 characters to run over buffer space and potentially execute specified commands on the PC accessing the site. It makes you wonder if something as 'conveniently coincidental' as this is actually a bug or some covert design feature. Most badly written code will generally crash the machine if a buffer overflow occurs. Why should MSIE try executing arbitrary code?
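The kind of unchecked copy into a fixed buffer that the paragraph above describes, next to a bounds-checked version, as an added example. It is not code from the original page or from Microsoft; the struct, the function names and the 256-byte buffer are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define URL_BUF_SIZE 256            /* assumed size, from the 256-character limit in the text */

/* Hypothetical request record: a fixed URL buffer with other state after it. */
struct request {
    char url[URL_BUF_SIZE];
    int  is_trusted;                /* stands in for whatever lies past the buffer */
};

/* Unsafe pattern, for contrast only (never called here): strcpy() keeps
 * writing past url[] when the input is too long, clobbering adjacent memory. */
void set_url_unchecked(struct request *r, const char *url)
{
    strcpy(r->url, url);
}

/* Checked version: returns 0 on success, -1 if url is NULL or would not fit
 * together with its terminating NUL. On failure *r is left untouched. */
int set_url_checked(struct request *r, const char *url)
{
    size_t len = 0;

    if (r == NULL || url == NULL)
        return -1;
    while (len < URL_BUF_SIZE && url[len] != '\0')
        len++;                      /* never scans beyond the buffer size */
    if (len == URL_BUF_SIZE)
        return -1;                  /* 256 or more characters: reject */
    memcpy(r->url, url, len + 1);   /* len + 1 <= URL_BUF_SIZE */
    return 0;
}

int main(void)
{
    struct request r = { "", 0 };
    char long_url[400];             /* constructed over-long input */
    int rc_short, rc_long;

    memset(long_url, 'A', sizeof long_url - 1);
    long_url[sizeof long_url - 1] = '\0';
    memcpy(long_url, "http://", 7);

    rc_short = set_url_checked(&r, "http://example.com/");
    rc_long  = set_url_checked(&r, long_url);
    printf("short: %d  long: %d  is_trusted: %d\n", rc_short, rc_long, r.is_trusted);
    return 0;
}
```

When the memory that follows the buffer holds control data such as a saved return address, an unchecked overrun changes where the program goes next, so the result is not always a crash.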

There are also ways in which you can tell a remote PC running MSIE to execute specific pieces of code and thus modify the target user's machine. Code exists to alter your "autoexec.bat" file for instance, or even to exit Explorer and shut down Windows. This latter procedure can be executed by hiding a small Active-X applet on an HTML page. Most of the serious world is heading the reliable, security-conscious way of Java - initiated by Sun Inc., but now Microsoft wants to try to steal Java and manipulate it for its own means.

This is currently the subject of ongoing court action with Sun, as Microsoft broke their contract with Sun under their original Java licence. This is why Microsoft are trying to challenge Java with their own alternatives in order to try and upstage Java and impose their own standards on the world - such as J++ and Active-X. Both of these Microsoft inventions have serious security loopholes.

It is perhaps seriously worth considering upgrading to Netscape Navigator if you want true compatibility with all aspects of the internet as well as the superior security that authorised Java can offer.

For more technically literate people, who would perhaps like to examine the various JavaScript and Active-X applets which exploit Microsoft's security weaknesses, I have an area on my BBS (01705 871531, 8N1) dedicated to sharing security information on Microsoft products.

Some other links highlighting Microsoft Explorer's Security Flaws