Windows: Insecure by design

Opinion: I’ve been pointing out Windows security bugs since Windows for Workgroups showed up in 1992 and I showed how you could steal data from your coworker’s spreadsheets using Object Linking and Embedding (OLE). You’d think Microsoft would have figured security out by now.

But no. It’s only gotten worse – much worse.

In June 2023, Chinese hacking group Storm-0558 stole US government “secure” messages from Microsoft’s Exchange Online. I was only surprised that the Feds managed to catch them – Microsoft certainly didn’t figure it out.

Former senior White House cyber policy director AJ Grotto said it best: he asserted it was fair to classify Microsoft and its products as a national security concern.

Think about it for a minute. What other business could get away with having products that are so bad that every month – every month – we have a day, Patch Tuesday, devoted to the latest fixes to their seemingly endless flaws?

These problems don’t tend to be small corner cases either. No, take for example the latest one: CVE-2024-30080, a Microsoft Message Queuing (MSMQ) remote code execution (RCE) issue, which earned a 9.8 out of 10 CVSS severity rating. A 9.8 on that scale, for those who don’t know it, is a “Patch it now or you will be pwned” level.

Let’s not forget CVE-2024-30078, a Wi-Fi driver remote code execution hole, rated 8.8. Microsoft admitted this one could enable an attacker to hack your PC to remotely, silently, and wirelessly run malware or spyware.

Boy, does that make me feel warm and fuzzy about Microsoft or what!?

Really, that’s just life with Windows. In the decades I’ve been covering technology, I’ve seen this level of security crapola over and over again.

What’s really annoying me today is the security holes Microsoft is adding – by design – into Windows.

I mean of course Microsoft Recall. This delightful AI addition to the next generation of Windows PCs would have taken regular snapshots of everything you do on your computer.

Let me emphasize the word “everything.” Your bank account numbers, your passwords, your cheat codes, your My Little Pony porn stash, how much money you lost betting on real-life ponies, etc. What would your partner think if they could scroll through your entire online life? Your mom? Or your boss using Microsoft Purview?

GDPR? What’s that?

But, hey, who needs to worry? It’s all safe on your computer, right? No one could get into your PC over Wi-Fi and start hoovering up all your Recall data, right?

Oh, wait.

Recall, which will now be optional, is a security hole pretending to be a feature. Even if it were not such an invitation for privacy invasion, I’m hard pressed to imagine what practical use it would be for anyone. We have more than enough useless data clogging up our drives without adding even more.

Finally, thinking of over-filling our storage, in another “What were they thinking!?” moment, with the latest releases Microsoft made it nigh on impossible to install Windows 11 without a Microsoft online account. I’m not happy about that, but I could tolerate it.

What I can’t stand is that Microsoft automatically sets up OneDrive to back up my folders whether I want it to or not. Not cool, Microsoft! Not cool at all. If I want to back up my files, I’ll decide where I want them to go – not you.

I only have 5GB of free OneDrive storage, while I have terabytes of data in my personal directories. And, no, I won’t be paying you for more storage, thank you very much. Instead, I’ll use one of my Rocky Linux servers running Nextcloud, and I won’t have to worry about Microsoft looking over my shoulder.

Besides, consider what the OneDrive automatic backup could do if paired with Recall? I, for one, don’t want all my files open to Microsoft or Windows hackers. Do you?

Is it any wonder I’ve been a Linux desktop user for over 30 years? The only question I have is: Will any of these latest Windows security fiascos finally get the rest of you to join me? I mean, how much punishment are you willing to take?
