[iwar] Microsoft.changes.Windows.XP Product.Use.Rights

From: Charles Preston (cpreston@sinbad.net)
Date: 2002-02-25 09:59:40



> Microsoft.changes.Windows.XP.online.'Product.Use.Rights

The Microsoft EULA also has this provision for individual users of XP, since
it is in the OEM version of Windows XP Pro. (see below for original article)

What are the security implications?

Here are some possibilities.

1. Change control for application software on workstations and servers is
useless unless you have change control on operating system code.  This
method of dynamic system patching would seem to invalidate any concept of
"meets C2 requirements in this specified configuration".  The whole idea of
an exhaustively examined and tested configuration appears to be thrown out
the Windows(TM).

2. Maybe you cannot use a firewall to prevent 24/7 access to any workstation
or server with XP, or at least anything other than the XP built-in packet
filter for incoming traffic.

3. Maybe you can't do egress filtering that prevents installed components
from initiating sessions with unspecified addresses.

4. Your installed applications or communications may suddenly quit working
in the middle of the night due to software conflicts.

5. Your server or workstation may remotely reboot, accidentally enabling
malicious software, or failing to start anything you forgot to make
automatic.

6. Without checksum integrity controls you may not even know your OS
software has changed.

7. Since security fixes have been applied automagically, is there any
pressure to release any information on them?  With public documentation,
system administrators of possibly affected systems that were compromised
before the patch could do a quick search for evidence of that particular
method of compromise, and take remedial action with their backups or data.

8. Isn't it possible that specific vulnerabilities that had been dealt with
might be suddenly re-enabled due to new bugs in new patches?  And that
relentless probing from hostile systems might find these known exploitable
holes before the system administrator?

9. You won't necessarily know when to test systems for functionality or
vulnerabilities, which should normally be done after software changes.

10. Won't this justify an attacker in a large research expenditure to
compromise the update process, since tens of millions of systems might be
backdoor compromised at once?  This is different from the automatic OS
updates offered by other vendors, since higher security systems don't need
to participate.

11. Any disagreement over access to all of your systems could result in a
staggering financial loss to any particular company if it is forced by legal
action to immediately quit using XP due to violating the license.

12. The EULA specifically allows use of previous software versions (Windows
2000) in lieu of the use of XP.  This would cover a case where Microsoft refuses
to sell an earlier version before customers are ready to upgrade.  The use
of that earlier software is now covered by the same XP access agreement,
superseding the license agreement that comes with earlier software.

13. Another provision of the EULA is that if you use Internet update
features, Microsoft will gather (language is "it is necessary to use")
unspecified information on your software, hardware and system.  This
would seem to violate some security policies designed to limit intelligence
gathering on internal system configuration, and perhaps make this
information available at a central or less secure location.

14. An additional provision of the EULA is that if you choose to license any
content protected by Digital Rights Management (one example is Microsoft
Reader), Microsoft or their subsidiaries may download (without limit)
security updates.  Possibly this would exclude servers, if they only
distribute DRM content.


cmp



-------------------------Begin quote--------------------------
Message: 15
   Date: Thu, 14 Feb 2002 22:25:54 -0800 (PST)
   From: Fred Cohen <fc@all.net>
Subject: [fc:Microsoft.changes.Windows.XP.online.'Product.Use.Rights']

Microsoft changes Windows XP online 'Product Use Rights'

InfoWorld, 2/14/02
http://www.infoworld.com/articles/op/xml/02/02/11/020211opfoster.xml

BILL GATES SAYS security is Microsoft's top priority, but just whose
security does he have in mind? Consider some of Microsoft's recent
boilerplate legalese -- language you or your company might already have
unknowingly accepted -- and then decide for yourself.

The language is contained in the Product Use Rights (PUR) document that
can be found at www.microsoft.com/licensing/resources. As the PUR
document is part of most customers' volume license agreements and is
subject to periodic change, in theory Microsoft customers should check
it regularly to see what rights Microsoft has decided to grant or take
away.

You can be forgiven if you feel like you have better things to do with
your life than reading and rereading all this mind-numbing legal
gobbledygook. Fortunately, one Microsoft customer did review the PUR
document recently and noticed a change. In the section on Windows XP
Professional, he found the "Internet-Based Services Components"
paragraph that said in part, "You acknowledge and agree that Microsoft
may automatically check the version of the Product and/or its components
that you are utilizing and may provide upgrades or fixes to the Product
that will be automatically downloaded to your Workstation Computer."

The reader was stunned. "By changing that term in the PUR, Microsoft has
found a creative way to obtain authorization from users to access their
workstations at will," he said. "How many customers are going to review
this PDF file and realize they've given Microsoft this right? And all
the risk for the security and privacy violations due to this are neatly
put on the customer's shoulders, not Microsoft's."
-------------------------End quote--------------------------
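Points 6 and 9 above turn on the same defensive control: without an independent record of what the operating system's files looked like, an administrator cannot tell that an unannounced update has landed, let alone decide when to re-test. The following script is an added example (not code from the original message, the InfoWorld article, or Microsoft) of the minimal integrity baseline that provides that record: hash every file under a directory tree, store the result, and later diff a fresh scan against it to report added, removed and modified files. The directory layout and file names in the demo (a pretend "system32" tree) are constructed for the example.

```python
"""Hash-baseline integrity check for detecting unannounced file changes.

Added example: build a SHA-256 baseline of a directory tree, persist it,
and compare a later scan against it.  All sample paths and contents in
demo() are constructed for illustration; they are not real OS files.
"""
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large binaries do not fill memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root) -> dict:
    """Map each regular file (relative POSIX path) under root to its hash.

    Symlinks are skipped so a link pointing outside the tree cannot be used
    to make the baseline describe files it does not actually cover.
    """
    root = Path(root)
    baseline = {}
    for entry in sorted(root.rglob("*")):
        if entry.is_file() and not entry.is_symlink():
            baseline[entry.relative_to(root).as_posix()] = sha256_file(entry)
    return baseline


def save_baseline(baseline: dict, path) -> None:
    """Persist the baseline; in practice store this off-host or read-only,
    otherwise whatever changed the files can also rewrite the record."""
    Path(path).write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(path) -> dict:
    return json.loads(Path(path).read_text())


def compare(baseline: dict, current: dict) -> dict:
    """Report what differs between a stored baseline and a fresh scan."""
    old, new = set(baseline), set(current)
    return {
        "added": sorted(new - old),
        "removed": sorted(old - new),
        "modified": sorted(p for p in old & new if baseline[p] != current[p]),
    }


def demo() -> dict:
    """Constructed scenario: baseline a tree, then simulate an unannounced
    update that replaces one component, drops in a new one and removes a file."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "system32").mkdir()
        (root / "system32" / "kernel.bin").write_bytes(b"release build 1.0")
        (root / "system32" / "net.dll").write_bytes(b"network stack v1")
        (root / "license.txt").write_text("unchanged text")

        record = root / "baseline.json"
        save_baseline(build_baseline(root / "system32") | {
            "license.txt": sha256_file(root / "license.txt")}, record)

        # Simulated silent patch: one file rewritten, one added, one deleted.
        (root / "system32" / "net.dll").write_bytes(b"network stack v2 hotfix")
        (root / "system32" / "newsvc.dll").write_bytes(b"new component")
        (root / "license.txt").unlink()

        current = build_baseline(root / "system32")
        return compare(load_baseline(record), current)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

A non-empty "modified" or "added" list is the signal that the change-control and re-test steps the message calls for are now due; the baseline file itself must live somewhere the update mechanism cannot rewrite, or the check proves nothing.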





This archive was generated by hypermail 2.1.2 : 2002-12-31 02:15:03 PST