Microsoft Pseudo-Hijacks

BusinessWeek describes behavior by Microsoft that it compared to being “perilously close to the browser hijacking that’s a characteristic of many spyware programs.”

Here’s what seems to have happened to your computers. On Feb. 8, as part of a huge batch of Windows security updates, Microsoft released a patch for a “critical” vulnerability in MSN Messenger that could allow hostile code to be hidden in an image. Within a couple of days, information on how to exploit the vulnerability was circulating on the Internet, and Microsoft decided it needed to take further, more drastic action to protect Messenger users. So it made installation of the patch mandatory.

BusinessWeek goes on to cite another “hijack”.

Microsoft should be ashamed of itself for trying to turn its own security flaw to its commercial gain. There’s no reason to believe that customers installing a mandatory security fix also want to change their browser home page to an MSN portal, and there’s even less excuse for trying to spring a change on the unwary.

Interestingly, the test version of Microsoft’s new AntiSpyware program does something similar. When it detects a browser hijacking, it attempts to change the home page to MSN rather than to a blank page or a page of the user’s choosing, in effect, hijacking the already hijacked page. It’s Microsoft’s privilege to set MSN as the default home page for Internet Explorer, but if the customer decides to change the setting, Microsoft should respect the choice and stop looking for sneaky ways to change it back.

I think “hijack” is a strong choice of words in this case. I do agree that using a mandatory security upgrade to sneak in a pre-filled check box is pretty low.
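The complaint in both cases is that something other than the user rewrote the browser home page. A simple defender-side check is to record the home page the user actually chose and compare the live setting against it after updates or anti-spyware scans. The script below is an added example, not code from the post, BusinessWeek, or Microsoft; it assumes the classic Internet Explorer “Start Page” value under HKCU\Software\Microsoft\Internet Explorer\Main, and the baseline URL is a placeholder.

```powershell
# Added example (not from the original post): audit the Internet Explorer
# home page for the current user and report whether it differs from a
# baseline the user chose. Assumes the legacy IE "Start Page" value under
# HKCU\Software\Microsoft\Internet Explorer\Main (an assumption about where
# the setting lives); the expected URL below is a placeholder.

function Test-IeHomePage {
    param(
        [Parameter(Mandatory)] [string] $ExpectedHomePage,
        [string] $KeyPath = 'HKCU:\Software\Microsoft\Internet Explorer\Main'
    )

    # Read the current value; a missing key/value yields $null rather than an error.
    $current = (Get-ItemProperty -Path $KeyPath -Name 'Start Page' -ErrorAction SilentlyContinue).'Start Page'

    if ([string]::IsNullOrEmpty($current)) {
        return [pscustomobject]@{ Status = 'Missing'; Current = $null; Expected = $ExpectedHomePage }
    }

    # String comparison with -eq is case-insensitive; trim to ignore stray whitespace.
    $status = if ($current.Trim() -eq $ExpectedHomePage.Trim()) { 'Unchanged' } else { 'Changed' }
    [pscustomobject]@{ Status = $status; Current = $current; Expected = $ExpectedHomePage }
}

# Usage: run after a patch cycle or an anti-spyware scan. Status 'Changed'
# means something rewrote the setting, whether a hijacker or a vendor default,
# and the new value should be reviewed rather than silently accepted.
$result = Test-IeHomePage -ExpectedHomePage 'about:blank'   # placeholder baseline
$result | Format-List
if ($result.Status -eq 'Changed') {
    Write-Warning "Home page changed to '$($result.Current)'; expected '$($result.Expected)'."
}
```

Treating a vendor-set portal the same as a spyware-set one is deliberate: from the user's point of view the observable event is identical, an unrequested change to a setting they own, so the check reports it either way and leaves the judgement to the person reviewing it.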

About Wayne Porter

Wayne Porter is one of the original founders of ReveNews.com, and served as the CEO and founder of XBlock Systems, a specialized research firm on greynets and malware research, before it was acquired by unified communications security leader Factime Security Labs. His work includes serving as a panelist at the Federal Trade Commission to shape legislation on software and the creation of two patent-pending technologies for corporate networks. Wayne is a frequent speaker at e-commerce & business events including CJU, ASW and RSA and is frequently cited in the press. He has been designated a Microsoft Security MVP three times and is recognized on Google’s Responsible Security Disclosure page, in addition to receiving the first Summit Legend Award. Wayne currently works as a Security Consultant on Social Media and operates a consultancy on digital worlds. His hobbies include reading science fiction, playing chess, fishing, writing, collecting shiny digital gadgets, playing racquetball and studying memetic engineering. He maintains a personal weblog at WaynePorter.com detailing his explorations in security, web 2.0, and virtual worlds.
You can follow Wayne on Twitter: @wporter.

  • http://www.affiliatecluetrain.com/archives/2005/02/the_molander_mi_1.php Affiliate Cluetrain

    The Molander Minute: February 25

    It’s SES Week Again! Bring your black and white hats out to New York next week as the search community comes together again to plot the future of the world as we know it. Impression Spam: What is it and Why it Could Kill Google If CPC fraud doesn’…