Your weekly "Microsoft are ****s" wakeup call...
- Denyer
- Over Pompous Autobot Commander
- Posts:2155
- Joined:Tue Oct 17, 2000 11:00 pm
- ::Yesterday's model
- Contact:
http://grc.com/sn/notes-020.htm
Apply or don't apply, it's up to you. Be aware that any application that attempts to display a WMF file may currently execute arbitrary code -- viruses, trojans, keyloggers, etc.
- Impactor returns 2.0
- Big Honking Planet Eater
- Posts:6885
- Joined:Sat Sep 22, 2001 11:00 pm
- ::Starlord
- Location:Your Mums
- Denyer
Currently it may not make much difference... there are so many ways code embedded into a file could be formatted and executed, it'll be down to heuristic detection. It's not based on handling of extensions -- Windows displays image files passed to it by headers, so you can embed malicious code in JPEGs or any other apparent filetype, it isn't restricted to *.WMF.
If you think you're safe, I can probably dig up some exploit pages for you to try your security out on... or just use one as my signature image. Which'll work irregardless of browser.
Yay for good design architecture, Microsoft...
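The post above notes that the viewer goes by a file's header rather than its extension, so a filter that trusts the extension misses a metafile renamed to .jpg. As an added example (not part of the original thread), the sketch below types files by their leading bytes and reports any file whose content disagrees with its name; the function names and the sample files are constructed for this illustration.

```python
import struct

# Leading-byte signatures of common raster formats.
RASTER_MAGIC = [
    (b"\xff\xd8\xff", "jpeg"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
]
EXT_TO_TYPE = {"jpg": "jpeg", "jpeg": "jpeg", "png": "png", "gif": "gif", "wmf": "wmf"}

PLACEABLE_KEY = 0x9AC6CDD7  # marks the optional 22-byte placeable preamble
PLACEABLE_LEN = 22
META_HEADER_LEN = 18


def is_wmf(data):
    """True if data starts with a Windows Metafile header (placeable or bare)."""
    offset = 0
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        offset = PLACEABLE_LEN
    if len(data) < offset + META_HEADER_LEN:
        return False
    file_type, header_words, version = struct.unpack_from("<HHH", data, offset)
    # Type 1 = in-memory, 2 = on-disk; header is 9 16-bit words; version 1.0 or 3.0.
    return file_type in (1, 2) and header_words == 9 and version in (0x0100, 0x0300)


def sniff(data):
    """Classify a file by content only."""
    if is_wmf(data):
        return "wmf"
    for magic, name in RASTER_MAGIC:
        if data.startswith(magic):
            return name
    return "unknown"


def audit(files):
    """Return (name, type claimed by extension, type found in content) for mismatches."""
    findings = []
    for name, data in files.items():
        ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        claimed = EXT_TO_TYPE.get(ext, "unknown")
        actual = sniff(data)
        if actual != claimed:
            findings.append((name, claimed, actual))
    return findings


def placeable_preamble():
    """Constructed placeable preamble: key, handle, bounding box, units/inch, reserved, checksum."""
    body = struct.pack("<IHhhhhHI", PLACEABLE_KEY, 0, 0, 0, 100, 100, 1440, 0)
    checksum = 0
    for (word,) in struct.iter_unpack("<H", body):
        checksum ^= word
    return body + struct.pack("<H", checksum)


# Constructed sample: an 18-byte metafile header followed by a single end-of-file record.
BARE_WMF = struct.pack("<HHHIHIH", 1, 9, 0x0300, 12, 0, 3, 0) + struct.pack("<IH", 3, 0)

# Constructed sample files (name -> content); none of these come from the thread.
SAMPLES = {
    "holiday.jpg": BARE_WMF,                         # metafile renamed to .jpg
    "logo.gif": placeable_preamble() + BARE_WMF,     # placeable metafile renamed to .gif
    "photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16,  # JPEG signature, matches its name
    "chart.wmf": BARE_WMF,                           # honest metafile
    "notes.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
}

if __name__ == "__main__":
    for name, claimed, actual in audit(SAMPLES):
        print(f"{name}: extension says {claimed}, content is {actual}")
```
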
- Impactor returns 2.0
I don't believe any OS could be created that isn't 'hackable' to malicious exploit.
I've seen loads of naughty ppl demonstrating that they can write viruses for Linux based systems for example - they just don't because there are more Windows users. I mean seriously, an OS is so stupidly complex I'm never surprised it has exploitable areas.
I don't believe an OS as complex as Windows would ever be released if it had to be 100% foolproof - it just goes to show that the flaw found in your link above has existed for years yet it only recently came to light, that goes to show just how complex an OS is, even to ppl looking for exploits.
Perhaps if MS had an application like Norton Anti-Virus it would all be cool, but then they would get sued like the Internet Explorer case...
- Denyer
Impactor returns 2.0 wrote:
> I don't believe any OS could be created that isn't 'hackable' to malicious exploit.
Data in an image file should not be passed for execution as code under any circumstance. That's really, staggeringly basic stuff.
It has to do with architecture, and really comes down to: when the end of a requested and allocated buffer is reached, the operating system should terminate any flow of data, with no allowance for sloppy programming.
Microsoft are planning to enter anti-virus distribution this year. They'll come under attack only if they charge for it -- anything else would be profiting from their security mistakes. Other AV companies don't have a leg to stand on, as any challenge will be viewed as lobbying for Microsoft to deliberately maintain poor security.
None of which alters retroactive safety as a piss-poor way of managing threats. Take ports, for example. In any sane operating environment, they're closed unless specifically opened.
Guess what Windows defaults to?
- Bouncelot
- Smart Mouthed Rodent
- Posts:548
- Joined:Thu Mar 04, 2004 12:00 am
- Location:Coventry, UK
- Contact:
Impactor returns 2.0 wrote:
> I've seen loads of naughty ppl demonstrating that they can write viruses for Linux based systems for example - they just don't because there are more Windows users. I mean seriously, an OS is so stupidly complex I'm never surprised it has exploitable areas.
There are some fundamental differences, though.
Firstly, Windows has security holes designed into it - users are, as default, given admin privileges, and it is incredibly easy to increase privileges. Linux, as a Unix-based architecture, has a much more rigorous and robust privileges system.
Secondly, Linux architectures are much more varied than Windows ones - there are hundreds of distributions, all set up in subtly different ways so that even a relatively insecure machine could be immune to a particular virus or hack by nature of the build.
Thirdly, the open source methodology means that once security holes (and other bugs) are spotted, they get fixed an awful lot quicker.
In other words, the number of Windows machines isn't the only factor that makes it less secure than Linux (and, indeed, Mac OSX).
- Impactor returns 2.0
I do agree with what you're both saying, I just find some things strange.
For example u have this company that makes an OS, an OS that is pretty complex and easy to use.
Then I think about the guys who make this, the actual programmers, they must be bright ppl who have worked hard to get where they are etc.. but ppl seem to give MS a lot of stick, like they are some evil bastards.
Apart from how I feel about that, I still think that Windows is vastly more complex than Linux. By offering the user an OS that is 'easier' to use, I'm pretty sure that makes it more open to exploits.
On that same note I don't believe there's this development team at MS, where they make their OS, and these clever coders sit round talking about features, spending years trying to make it work, only to reach the end of its dev cycle and say "oh make sure it's hackable because we are C**ts" - of course it's more likely a mistake, and it can be argued that a company with so much money shouldn't make mistakes?
When u actually think, that ppl sit there all day trying to write a virus for Windows, they aren't doing it for Linux.
There is one thing, and one thing only a hacker wants, and that's his virus to get on the news or something, to reach the world. He won't achieve notoriety by bringing down a Linux server.
By its nature I understand that it's harder to write a virus for a Linux system, but I bet if Linux was installed on 75% of the world's computers it would be under constant attack too.
Roll on Vista...?
- Best First
- King of the, er, Kingdom.
- Posts:9750
- Joined:Tue Oct 17, 2000 11:00 pm
- Location:Manchester, UK
- Contact:
Impactor returns 2.0 wrote:
> I do agree with what you're both saying, I just find some things strange.
> For example u have this company that makes an OS, an OS that is pretty complex and easy to use.
> Then I think about the guys who make this, the actual programmers, they must be bright ppl who have worked hard to get where they are etc.. but ppl seem to give MS a lot of stick, like they are some evil bastards.
how a corporation acts and the integrity of individual employees are two entirely separate things.
For every programmer who wants to do a good job and test the thing until it works you can have a manager who wants a rush job because he has told his manager it will be done by a certain deadline and so forth - the way a company operates dictates the quality of what it produces - the fact that there may be some 'hard working' or whatever people working there doesn't in any way suggest that a company shouldn't be held accountable for its output or even that the company itself cannot be ultimately considered 'evil' in some way, regardless of how it is composed - a lot of companies basically act like psychopaths in terms of their regard for you and me.
- Denyer
Impactor returns 2.0 wrote:
> ppl seem to give MS a lot of stick, like they are some evil bastards.
That's because they are evil bastards -- the company, not its programmers.
Basic corollary/summary from the frontline:
> "Microsoft simply makes some fairly mediocre software and charges a lot for it."
> No.
> Microsoft deliberately designs software that is inherently insecure and refuses to fix the fundamental design flaws no matter how bad the outcome is.
> When Microsoft merged IE and the desktop, almost ten years ago now, I immediately acted to get IE and Outlook banned at work. Why? Because using the same APIs to operate on trusted (local) and untrusted (email, internet) objects makes every program that uses those APIs responsible for determining, independently, whether an object is trusted or not.
> I and every security administrator I knew wrote Microsoft telling them this was a horrible idea. Nothing. They ignored the security community and went on to actually build IE in to the next release of Windows so you couldn't leave it out, as part of their game-plan to try and outflank the DoJ.
> I didn't know what the result would be, but I knew it would be bad. I did what I could to discourage our users from running IE and Outlook, and waited.
> We didn't have long to wait.
> When the Melissa virus showed up, I thought, "OK, this should let them know they've got a problem. They'll pull out IE and settle, and we'll be able to secure Windows again". Boy, was I naive.
> Here we are, it's 2004 instead of 1996, and there are still weekly exploits found in IE, Outlook, Windows Media Player, programs that use the MSHTML control. Get rid of that and you'd cut the virus problem by a factor of 10 or 100. 90-99% of the time spent fighting and cleaning up after viruses should be billed directly to Redmond, and because they did it to illegally avoid complying with the agreement they had with the DoJ, there should be criminal charges on top of that.
> Microsoft doesn't merely charge a lot for mediocre software, they deliberately and knowingly force people to chew up lifetimes fighting a problem that should not exist, and they do it to win a little extra market share for a secondary product that they don't even charge money for.
That's just one global system library.
> I bet if Linux was installed on 75% of the world's computers it would be under constant attack too.
It is under constant attack: Apache on Linux is world-favourite server software. And there's more money directly at stake in business situations, which means people are trying far harder to break the security than they are to compromise Windows home boxes and install spam bots.
Being a bigger target is a very small part of the equation. It's coding to best practises and releasing when programmers are ready (not a marketing department) that counts.
> Roll on Vista...?
Mmm. Charge users to fix situations arising from the manufacturer's negligence, and make them the next generation of paying beta testers.
- Denyer
Woo... escalation...
http://it.slashdot.org/article.pl?sid=0 ... 72&tid=218
It's been interesting to follow this for the last few days. Looks like more major news sources are starting to get hold of it...
Oh, and a video of a live exploit:
http://fak3r.com/articles/2005/12/31/this-is-a-picture
The file launches through an in-built image viewer, installs a piece of "anti-spyware" (which is, of course, spyware itself) and nags the user to pony up $40. And possibly does other stuff...
Development:
http://www.f-secure.com/weblog/
...and the first script-kiddy exploit makers are out there if you want to go looking.
- Impactor returns 2.0
Just coming back to the 'company is evil' thing for a bit, it's an odd concept really, like BF was saying, the individuals aren't evil, but as a collective the company is, but a company is only a group of individual ppl?
Also, do u think the programmers actually know of faults that could lead to major exploits upon release?
I always wonder how hard it is to find one of these loopholes? Some of them work in pretty obscure ways.
This new file extension one tho is pretty crazy!
Impactor returns 2.0 wrote:
> Just coming back to the 'company is evil' thing for a bit, it's an odd concept really, like BF was saying, the individuals aren't evil, but as a collective the company is, but a company is only a group of individual ppl?
No. The company is a group of like-minded individuals working towards a common goal and following a set of procedures.
> Also, do u think the programmers actually know of faults that could lead to major exploits upon release?
If they do not, then they have not completed the testing phase of their software development. Either that, or their testing phase was not thorough enough.
> I always wonder how hard it is to find one of these loopholes? Some of them work in pretty obscure ways.
Usually, it is due to poor development and testing, but sometimes it is just down to the application being run on a system it was not specifically designed for where minor differences in code execution by the hardware (e.g. Intel-geared app running on AMD architecture) result in major differences in expected output.
As a university lecturer of mine once put it:
"The problem with most OS designers is that they think like most microchip designers. That is to say that they take an existing system, tweak a bit here, twist a bit there, until it does what they want it to do more efficiently. What they fail to realise is that what then worked for someone else, will now not work how they intended it to, so they tweak and twist until it works for them. This then means that a third party will need to tweak and twist, followed by a fourth and a fifth, until eventually you end up with something that looks nothing like it started out as, and no one has any idea of what is going on."
Needless to say, this guy liked little about Windows and had reservations over Linux, but held Unix in high regard.
- Denyer
Impactor returns 2.0 wrote:
> a company is only a group of individual ppl?
People are employees of a company. People comprise a company. Two differing meanings of the term.
Another interesting thing is that a large company can be legally challenged by its shareholders for not prioritising profit at the expense of employees or public good.
Impactor returns 2.0 wrote:
> do u think the programmers actually know of faults that could lead to major exploits upon release?
Quite often, yes. Anything that hasn't been checked against overrun vulnerabilities due to deadlines is candidate for being a security risk. Any time data is passed and evaluated as code, it's a shortcut -- a shortcut which any process running with the privileges of the local user can also make, at any time.
Any input from a user (and by proxy, an outside process) needs to be sanitised before being further manipulated... one example being a forum stripping HTML from replies (and POST/GET variables) before storing posts -- otherwise you can throw in <object> or <script> tags, possibly even <?php ?> if a coder's been really stupid. Once you get server-side code being executed, you can ferret out unprotected password directories, destroy databases, modify files, etc.
Impactor returns 2.0 wrote:
> I always wonder how hard it is to find one of these loopholes? Some of them work in pretty obscure ways.
I'd wager the WMF vuln has already been widely exploited by a few people who are now quite pissed off it's been made public. The behaviour's there by design, and is even published in specs for the format... Microsoft simply haven't audited some parts of their code since Windows 3.x was current.
As a really obvious one, the Windows Help subsystem used to include calls that could run and manipulate applications -- you clicked on a help topic, and it performed the action you'd asked about as a demonstration. Because the subsystem was based on the HTML control, and because of the Windows "internet zones" system, this paved the way for external websites to run and manipulate applications. (To say nothing of the fun people had by creating or modifying Windows Help documents to run gag applications or destroy data...)
- Bouncelot
Impactor returns 2.0 wrote:
> For example u have this company that makes an OS, an OS that is pretty complex and easy to use.
For those unused to computers it's no easier to use Windows than it is to use a Mac or a Linux installation with KDE or GNOME. The main reason Windows is easier to use is that people have been trained to use Windows.
> Then I think about the guys who make this, the actual programmers, they must be bright ppl who have worked hard to get where they are etc.. but ppl seem to give MS a lot of stick, like they are some evil bastards.
Well, IMO a company that has been convicted of abusing a monopoly in both the US and the EU (and they aren't the only places) deserves that kind of reputation.
> Apart from how I feel about that, I still think that Windows is vastly more complex than Linux. By offering the user an OS that is 'easier' to use, I'm pretty sure that makes it more open to exploits.
That depends how you define Linux. Technically, Linux is simply the OS Kernel and, yes, the kernel is simpler. But in practice a Linux distribution will include at least one graphical user environment which does everything that Windows does, with the possible exception of a couple of bells and whistles. Linux distributions tend to be much more complex as a whole than a new installation of Windows simply because there's so much bundled with them (though you don't have to install anything you don't need with Linux).
> On that same note I don't believe there's this development team at MS, where they make their OS, and these clever coders sit round talking about features, spending years trying to make it work, only to reach the end of its dev cycle and say "oh make sure it's hackable because we are C**ts" - of course it's more likely a mistake, and it can be argued that a company with so much money shouldn't make mistakes?
But they certainly do leave in known security holes from previous versions of windows to preserve backwards compatibility. There are some security holes where if you were to fix them, you would break a lot of legitimate programs. When XP SP2 was released they fixed a few of these security holes and lots of people found that their programs didn't work anymore.
However, bugs are inevitable in such a large piece of software. You can minimise the number and severity by good programming practises, but you can't eliminate them completely.
- Impactor returns 2.0
Bouncelot wrote:
> Well, IMO a company that has been convicted of abusing a monopoly in both the US and the EU (and they aren't the only places) deserves that kind of reputation.
Personally what they got told off for IMO was unfair, if I buy an OS I expect it to do things like, oo like be able to navigate the internet... or play media files.
What I can't accept is that the ppl who work at MS are all employed to be evil.
My point is, do MS sit there cackling like Mr Burns? Or are they sitting there genuinely thinking about how they can provide a good OS and other various products? - like any business u must consider profit. But the ppl who build the software must be proud of their work, or want to be proud of what they build.
This is why I find it strange when I see ppl getting angry at MS, it's just a load of ppl making software, who I'm pretty sure actually care about the software. If it's 'hackable' or slightly bugged, I just think that's life, an OS is so complex it will always happen, and there will always be hackers.
On the subject of how hard an OS is to use, I've used Fedora and Red Hat, and for long periods of time, I found that Win or Mac OS always seemed far easier to use. They seem to work far more intuitively.
Back to Windows, for all its faults it never lets me down, it never crashes, I run far more software than the average user and ask my machine to perform more operations than the norm.
I've never contracted a virus, and XP doesn't crash. Coupled with its ease of use - is MS really that bad, because it allows me to do pretty much anything?
- Denyer
Impactor returns 2.0 wrote:
> if I buy an OS I expect it to do things like, oo like be able to navigate the internet... or play media files.
Yes. Pre-loading bookmarks for specific sites and stores, however, is dangerous legal territory when you have a functional monopoly -- as is blocking interoperability (a company policy dating all the way back to DOS.) Penalising retailers for supplying additional products (such as other browsers and media players) in this context is also prohibited, with good reason: if retailer A gets charged $20 per OEM copy of Windows, and retailer B gets charged $40 per copy because they supply additional browser/player software along with the computer, that's anti-competitive and price-fixing.
Impactor returns 2.0 wrote:
> do MS sit there cackling like Mr Burns? Or are they sitting there genuinely thinking about how they can provide a good OS and other various products?
Neither. Maximum return for minimum effort, and to hell with security. Followed by breaking compatibility, format-fixing and refusing to document formats and procedures in order to lock users into a particular platform in order to access their own data. No cackling, no malice, just simple apathy.
Impactor returns 2.0 wrote:
> for all its faults it never lets me down, it never crashes, I run far more software than the average user and ask my machine to perform more operations than the norm.
> I've never contracted a virus
Well, you've never knowingly contracted a virus, which is something slightly different. There are some excellent-quality rootkits out there.
I also don't have stability problems with Windows (since 2000, anyway) and to the best of my knowledge the nasties have been blocked at the borders. (Not that most of the borders should ever have been open in the first place.) It's a f*cking pain in the arse needing to keep abreast of security developments because the OS vendor can't be bothered to patch major exploits for a week or more, though -- and hangs users of older products out to dry when it's the vendor's incompetence that has led to the problem.
Despite a strong dislike of the OS X interface, this is likely to be the event that tips me in favour of never recommending a Windows-based PC to anyone again.
Last edited by Denyer on Wed Jan 04, 2006 10:26 pm, edited 1 time in total.
- Impactor returns 2.0
- Denyer
Impactor returns 2.0 wrote:
> Out of interest, as it's not something I'm very familiar with, does OS X suffer security issues, or are they nice and secure?
It's UNIX, stuff's locked down by default and there's an underlying architecture that's been hardened over years of corporate network use. The OS is designed from the bottom up to resist privilege escalation and function as a multi-user environment with separation of data; there's no analogue of ActiveX; things like that.
Apple threw away OS 9 when they shifted up a gear to OS X. Microsoft are still bundling old and untested Windows code (again, enabled by default) in current versions of their OS.
Most of Microsoft's problems come down to a philosophy of services being open unless explicitly closed. Which should be the other way around. Users should not be defaulted to administrative rights, nor should the OS or other software require users to be running as admin to perform common functions. In essence: poor security by design in the name of user-friendliness.
Impactor returns 2.0 wrote:
> Also, doesn't OS X have a built in internet navigator and so why don't they suffer the same penalties as MS,
Market share. That's what monopolies are about.
Microsoft could have made things a great deal easier for themselves if they didn't bundle apps defaulting to services they derive revenue from -- eg, IE not defaulting to MSN Search when you type a text string into the address bar.
Also, Apple have never tried to penalise retailers for bundling an additional browser with machines.
- Bouncelot
Impactor returns 2.0 wrote:
> This is why I find it strange when I see ppl getting angry at MS, it's just a load of ppl making software, who I'm pretty sure actually care about the software. If it's 'hackable' or slightly bugged, I just think that's life, an OS is so complex it will always happen, and there will always be hackers.
They're usually mad either about Microsoft's monopoly methods, or about how Microsoft's products are utterly rubbish (especially wrt security issues) than the equivalents. The fact is that Microsoft uses dubious methods to sell its products (manufacturers are often billed for windows licenses for PCs that ship without Windows, for example) and that its software frequently doesn't match up to its competitors in terms of crucial things like security. Yes, it has more bells and whistles, but that's about it.
> On the subject of how hard an OS is to use, I've used Fedora and Red Hat, and for long periods of time, I found that Win or Mac OS always seemed far easier to use. They seem to work far more intuitively.
Of course Fedora and Red Hat are only two distributions of Linux (and one's a branch of the other anyway). And, of course, how the interface works depends a lot on the window manager - did you use KDE or GNOME, or did you try both? Also, what feels intuitive depends a lot on how you learnt how to use a computer. Personally, I've found using Red Hat (using versions available a couple of years back), Knoppix, and Debian (mostly via KDE) very intuitive from having been a Windows user. The only thing that took getting used to was mounting/unmounting removable devices.
> Out of interest, as it's not something I'm very familiar with, does OS X suffer security issues, or are they nice and secure?
OS X is a UNIX architecture (same as Linux), and is roughly comparable security-wise. Linux has a slight security advantage due to being open source and hence having bugs spotted and patched quicker. In other words, it's seriously more secure than Windows.
> Also, doesn't OS X have a built in internet navigator and so why don't they suffer the same penalties as MS, or do they?
OS X doesn't have monopoly status - only a small proportion of computers use OS X, so Apple doesn't get in trouble for bundling a browser. Bundling a browser is only a competition problem when someone controls, say, 80% of the OS market because it makes it much more difficult for anyone to offer a competing product.
Plus, of course, Internet Explorer is one of the biggest security holes around because of the way it's integrated into the OS. An IE security hole is far more serious than an equivalent security hole in Firefox, Opera, or even Safari because of this.
- Impactor returns 2.0
Doesn't Vista default to non-admin status? - so u have to actually log in to an admin account, instead of it being the default account. The opposite to what XP?
I still don't see why MS should be penalized for their own success.
It would be like Ford reaching a point where they are so big they can't couple their cars with 'ford tyres' as it's not fair to Michelin or something...
Essentially ppl want them to not be big, and let other ppl have a chance, but it's business, and it's not about that is it.
MS employ so many ppl, provide for so many millions of families. They are responsible for a % of the US tax.
And Bill Gates gives away more money to charity than any other person on earth every year, he is practically fighting AIDS in Africa single-handedly because the US won't due to religion etc...
Anyhows. This is possible because Gates made a big company, clever boy, but now he's reached the point of what exactly? Jealousy?
When u actually think about it, Gates saves 1000's of lives a year, probably more, and he can do this because of Windows. So for all of Windows' faults, that I don't actually ever see, it doesn't compare does it?
Some kiddie scripter makes my Windows mp3 player stop working, it gets fixed that week anyhows, I'd take that over the fact that Gates just saved 100 ppl, or provided for a million more.
BF asked me not too long ago why I feel the need to defend a huge corporation? - I think it's stranger that ppl feel the need to attack a huge corporation because there are other ppl out there who try to hack their products.
If you consider a world without MS, let's just say it's all Apple Mac OS X, there would still be loads of hackers, and they would still be finding ways in.
Oh I used GNOME, I found mounting and un-mounting drives to be strange too.
There u go, that's my 9am rant over with.
- Denyer
- Over Pompous Autobot Commander
- Posts:2155
- Joined:Tue Oct 17, 2000 11:00 pm
- ::Yesterday's model
- Contact:
Impactor returns 2.0 wrote: Doesn't Vista default to non-admin status?
It had better. For most users, not running as admin is the single most important security decision they could make. Unfortunately, the way Windows handles software installations, it's often very difficult to get anything done in 2000/XP if you aren't running as admin.
Vista isn't going to help 90%+ of users until they buy another computer. Ordinary Joes don't upgrade operating systems... they don't necessarily know what an operating system is. There'll be millions of unpatched spam zombies out there for years to come, due to the piss-poor decisions taken over the last five or six years by Microsoft.
Impactor returns 2.0 wrote: Essentially ppl want them to not be big, and let other ppl have a chance
No, they want them to not do things that are categorically illegal, such as penalise retailers for selling products from other companies.
It's that simple -- Microsoft have used pre-installation and price-fixing (selling Windows OEM to retailers at the regular price only if the retailer doesn't install specific third-party software and doesn't remove Microsoft components from the hard drive after installation) to railroad consumers to their personal storefront and ad revenue channel.
That's what they're getting kicked in the knackers repeatedly for doing.
Impactor returns 2.0 wrote: If you consider a world without MS, let's just say it's all Apple Mac OS X, there would still be loads of hackers, and they would still be finding ways in.
People can keep repeating this generalisation all they want, but it is possible to write far more secure code. Microsoft simply don't -- they've judged that it isn't in their commercial interests to provide a good quality product.
Seriously, give it a moment's thought... the company make billions from upgrades. The number of new features that can usefully be added to an operating system or office suite is very few; they're currently trading primarily on the misery of users caught up in security issues created by poor quality control.
- Denyer
- Over Pompous Autobot Commander
- Posts:2155
- Joined:Tue Oct 17, 2000 11:00 pm
- ::Yesterday's model
- Contact:
Upwards of a week after it was identified, made public and exploits appeared... a patch...
Direct link:
http://www.microsoft.com/technet/securi ... 6-001.mspx
(Users running anything previous to Windows 2000 SP4 are out of luck, as expected. Microsoft's stance is that it hasn't been handed a live exploit for the same library in those versions of the OS on a plate, so no critical update.)
Publicity spin:
"testing has been completed earlier than anticipated and the update is ready for release. In addition, Microsoft is releasing the update early in response to strong customer sentiment that the release should be made available as soon as possible."
Orwell:
"It appeared that there had even been demonstrations to thank Big Brother for raising the chocolate ration to twenty grammes a week. And only yesterday, he reflected, it had been announced that the ration was to be reduced to twenty grammes a week."
- Impactor returns 2.0
- Big Honking Planet Eater
- Posts:6885
- Joined:Sat Sep 22, 2001 11:00 pm
- ::Starlord
- Location:Your Mums
- Impactor returns 2.0
- Big Honking Planet Eater
- Posts:6885
- Joined:Sat Sep 22, 2001 11:00 pm
- ::Starlord
- Location:Your Mums
- Denyer
- Over Pompous Autobot Commander
- Posts:2155
- Joined:Tue Oct 17, 2000 11:00 pm
- ::Yesterday's model
- Contact:
Impactor returns 2.0 wrote: I don't understand the price fixing thing myself.
The effect is that they pay companies to not stock a competitor's products.
As an analogy, a company selling TVs triples the price per unit it charges a retailer if that retailer also sells VCRs. That prevents the retailer from selling VCRs, because it can't sell TVs at three times the price and break even.
- Impactor returns 2.0
- Big Honking Planet Eater
- Posts:6885
- Joined:Sat Sep 22, 2001 11:00 pm
- ::Starlord
- Location:Your Mums
But Linux is free, so u don't stock it, and Mac OS comes with um Macs. So they pay shops to not stock what exactly?
Also, if I waved a big check in front of your face not to stock a product that probably won't sell due to advertising, wouldn't u take it?
I know it's morally incorrect in some way but business is about money and all.
I guess there's Office, but PC World seems to stock other DTP software so I'm lost?
I'm still always drawn to the idea that XP has never failed me, it has a few flaws that on the whole don't affect the average user, it just doesn't seem to matter. Essentially the OS has more plus points to me than bad points.
Seriously my XP has never failed, I have Norton for my anti-virus and that's it, some odd lil fault I know nothing about gets patched most weeks when it becomes an issue due to some hacker who spends too much time trying to find faults in a system for me to care!
Windows works for me - why should I change or care about faults that never affect me? Why should I get angry with MS? They don't do anything for me to be annoyed about?
- Denyer
- Over Pompous Autobot Commander
- Posts:2155
- Joined:Tue Oct 17, 2000 11:00 pm
- ::Yesterday's model
- Contact:
Impactor returns 2.0 wrote: But Linux is free, so u don't stock it, and Mac OS comes with um Macs. So they pay shops to not stock what exactly?
Microsoft have increased the unit prices of their OEM software for retailers who pre-install other operating systems.
This is the basis of price-fixing: it's legally permissible to give another company a discount for purchasing in volume. It isn't permissible to set one price for one purchasing company and another price for another on the basis of whether they sell other stuff, contribute to a particular political party or eat cheese and pickle sandwiches.
Impactor returns 2.0 wrote: why should I change or care about faults that never affect me? Why should I get angry with MS? They don't do anything for me to be annoyed about?
Putting it politely, I don't care about you, your data or choice of operating system. As long as your boxen don't get 0wned and turned into spam relays, I don't care about your machines, either -- but would certainly confess to a desire to see individuals who run open relays due to negligence face substantial fines, in line with the millions of hours and resources expended dealing with the fallout.