Bonum Certa Men Certa

Why Microsoft's Security Reports Are a Scam

Microsoft lies



Summary: Microsoft is caught lying again, by essentially patching serious flaws while hiding their very existence

TO PUT it bluntly but rather fairly or at least realistically, Microsoft is a company of systematic liars and nobody should ever trust a word that comes out of their mouths. They believe that these lies are acceptable because they serve some higher goal or that it's a white lie when it helps one's investors or bank account (or perceived sense of security). The examples we have given (e.g. [1, 2, 3, 4, 5]) are too many to list here exhaustively, so we won't attempt to list such examples in a more compelling way.



One point that we stressed and demonstrated several years ago is that Microsoft fakes its reports when it comes to security; people buy their software based on false premises, lack of disclosure, and outright lies.

Putting aside several examples from several years ago, we now have some new examples where Microsoft gets caught (which is hard to achieve because the code is secret). As Slashdot summarised it:

"Microsoft silently patched three vulnerabilities last month, two of them affecting enterprise mission-critical Exchange mail servers, without calling out the bugs in the accompanying advisories, a security expert said on Thursday. Two of the three unannounced vulnerabilities, and the most serious of the trio, were packaged with MS10-024, an update to Exchange and Windows SMTP Service that Microsoft issued April 13 and tagged as 'important,' its second-highest threat ranking. Ivan Arce, CTO of Core Security Technologies, said Microsoft patched the bugs, but failed to disclose that it had done so — which could pose a problem. 'They're more important than the [two vulnerabilities] that Microsoft did disclose,' said Arce. 'That means [system] administrators may end up making the wrong decisions about applying the update. They need that information to assess the risk.'"


Here is the corresponding article.

Microsoft silently patched three vulnerabilities last month, two of them affecting enterprise mission-critical Exchange mail servers, without calling out the bugs in the accompanying advisories, a security expert said today.

Two of the three unannounced vulnerabilities, and the most serious of the trio, were packaged with MS10-024, an update to Exchange and Windows SMTP Service that Microsoft issued April 13 and tagged as "important," its second-highest threat ranking.

According to Ivan Arce, the chief technology officer of Core Security Technologies, Microsoft patched the bugs, but failed to disclose that it had done so.


This has already been covered by The Register too:

A recent security patch from Microsoft silently fixed two severe bugs that were never disclosed even though they posed a risk to many of its customers, a security researcher said.

MS10-024 fixed two flaws that made it possible for adversaries to intercept victims' email messages sent by Exchange and Windows SMTP service, Nicolás Economou, a researcher with Core Security said. But the bugs - which made it "trivial" to spoof responses to domain name system queries - weren't disclosed and were never assigned a Common Vulnerabilities and Exposure identifier, sparking criticism that the critical bugs weren't properly disclosed.


Next time Microsoft shows any comparisons involving a number of flaws or severity of flaws, refuse to accept them. Microsoft is the boy who cried "Wolf!" and the above serves as an example of behaviour that has gone on for years (rarely detected though because it's hard).

Comments

Recent Techrights' Posts

Computers Got Smaller, So GNU/Linux Got Bigger
Many people here recognise the lack of urgency (or need) to get expensive new laptops
GNU/Linux Grows at Windows' Expense and Microsoft Trolls Infest and Maliciously Target Articles About It
Microsoft is - and has long been - organised crime
They Say I'm Mr. Bombastic
They didn't take good lawyers
 
Links 09/06/2025: Science, Hardware Projects, and Democracy Receding
Links for the day
BetaNews is a Plagiarism and LLM Slop Hub, the Chief Editor Isn't Addressing This Problem Anymore
SS Fagioli is basically a parasite leeching off or exploiting other people's work
Links 09/06/2025: Chaos in Los Angeles and Hurricane Season
Links for the day
Links 09/06/2025: Windows TCO and Many Data Breaches
Links for the day
Abuse Inside the Polish Patent Office (UPRP) - Part VI: Political Stunts by Former President Edyta Demby-Siwek and the Connection to Profound Corruption at EUIPO
it's like a money-laundering operation where one politician rewards another at taxpayers' expense
Gemini Links 09/06/2025: Pipelines and Splitgate
Links for the day
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Sunday, June 08, 2025
IRC logs for Sunday, June 08, 2025
Links 08/06/2025: Tiananmen Carnage Censorship Persists, North Korean Goes Offline
Links for the day
Gemini Links 08/06/2025: Love as an Ethnographic Method and Monitorix Gemini-Frontend v0.1
Links for the day
Links 08/06/2025: Exposure of More GAFAM Surveillance and Social Security Records Compromised
Links for the day
Linux Foundation is a Mediator for Microsoft et al, Not for Small Companies That Support Rather Than Attack the GPL
Many people still wrongly assume that because it is called "Linux Foundation", then it is pro-Linux and represents the same mindset
This Past Friday, Confirming What We Said All Along About Brett Wilson LLP: It's Shrinking, Has Considerable Debt, Loss of Net Assets Despite the Microsoft SLAPP Money
The documents only became publicly available less than 2 days ago
Some of the Many Reasons We Sued Microsofters for Harassment
perpetrators of harassment
For 20 Years Many People Were Sharecropping for Canonical's Oligarch, Now He's Deleting All Their Contributions
"Ubuntu has erased instead of archiving the trove of material at Ubuntu Forums"
There Was Always Too Much 'Crazy Stuff' Going on Around Freenode
What many IRC users lost sight of
Exposing Crime is Not a Crime (It Never Was)
In the eyes of rich and powerful people, those who speak about their crimes are the "criminals"
GNU/Linux Distros Abandoning Microsoft GitHub
Will curl be next to leave Microsoft GitHub?
Expect More XBox Mass Layoffs Soon If the Rumours Are True
From a Microsoft media operative
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Saturday, June 07, 2025
IRC logs for Saturday, June 07, 2025
Europe Needs to Move Away From GAFAM; The Sooner, the Better
Europe - not just the EU - must abandon GAFAM as soon as possible
The Issue Isn't GNOME's Promotion of Diversity But GNOME Corruption, Abuse, Censorship, and Worse
So-called "Conservative" (republican, pro-Trump, bigoted) people want you to think the problem with GNOME is politics
When the News Sources Become Scarce and Increasingly Full of Polluted/Contaminated 'Content' (With LLM Slop and Slop Images)
Integrity matters
"Linux" Sites That Spew Out LLM Slop
We're lacking enough material for another "Slopwatch"
Abuse Inside the Polish Patent Office (UPRP) - Part V: Breaking the Law, Just Like EPO
We'll hopefully cover some of the pertinent details later this year
Links 08/06/2025: Security Lapses, CISA Cuts, and More
Links for the day
Gemini Links 07/06/2025: Mime Types and Geminisphere Introduction
Links for the day
Links 07/06/2025: Slop Companies Retain All Private Data, More Books Banned in the US
Links for the day
Gemini Links 07/06/2025: "A Monk's Guide to Happiness" and "Wireless Earbuds"
Links for the day
Links 07/06/2025: More Rumours of Mass Layoffs in Microsoft's XBox Division, New COVID Variant
Links for the day
Drug Addiction is a Real Problem, It Destroys Families
a rather sensitive matter
Abuse Inside the Polish Patent Office (UPRP) - Part IV: Political Scrutiny and Errors/Inconsistencies in Official Documents
When such organisations receive scrutiny they start focusing on cover-up and muzzling of facts (or crushing people who say the truth)
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Friday, June 06, 2025
IRC logs for Friday, June 06, 2025