05.07.10
Why Microsoft’s Security Reports Are a Scam
Summary: Microsoft is caught lying again, by essentially patching serious flaws while hiding their very existence
TO PUT it bluntly but rather fairly or at least realistically, Microsoft is a company of systematic liars and nobody should ever trust a word that comes out of their mouths. They believe that these lies are acceptable because they serve some higher goal or that it’s a white lie when it helps one’s investors or bank account (or perceived sense of security). The examples we have given (e.g. [1, 2, 3, 4, 5]) are too many to list here exhaustively, so we won’t attempt to list such examples in a more compelling way.
One point that we stressed and demonstrated several years ago is that Microsoft fakes its reports when it comes to security; people buy their software based on false premises, lack of disclosure, and outright lies.
Putting aside several examples from several years ago, we now have some new examples where Microsoft gets caught (which is hard to achieve because the code is secret). As Slashdot summarised it:
“Microsoft silently patched three vulnerabilities last month, two of them affecting enterprise mission-critical Exchange mail servers, without calling out the bugs in the accompanying advisories, a security expert said on Thursday. Two of the three unannounced vulnerabilities, and the most serious of the trio, were packaged with MS10-024, an update to Exchange and Windows SMTP Service that Microsoft issued April 13 and tagged as ‘important,’ its second-highest threat ranking. Ivan Arce, CTO of Core Security Technologies, said Microsoft patched the bugs, but failed to disclose that it had done so — which could pose a problem. ‘They’re more important than the [two vulnerabilities] that Microsoft did disclose,’ said Arce. ‘That means [system] administrators may end up making the wrong decisions about applying the update. They need that information to assess the risk.’”
Here is the corresponding article.
Microsoft silently patched three vulnerabilities last month, two of them affecting enterprise mission-critical Exchange mail servers, without calling out the bugs in the accompanying advisories, a security expert said today.
Two of the three unannounced vulnerabilities, and the most serious of the trio, were packaged with MS10-024, an update to Exchange and Windows SMTP Service that Microsoft issued April 13 and tagged as “important,” its second-highest threat ranking.
According to Ivan Arce, the chief technology officer of Core Security Technologies, Microsoft patched the bugs, but failed to disclose that it had done so.
This has already been covered by The Register too:
A recent security patch from Microsoft silently fixed two severe bugs that were never disclosed even though they posed a risk to many of its customers, a security researcher said.
MS10-024 fixed two flaws that made it possible for adversaries to intercept victims’ email messages sent by Exchange and Windows SMTP service, Nicolás Economou, a researcher with Core Security said. But the bugs – which made it “trivial” to spoof responses to domain name system queries – weren’t disclosed and were never assigned a Common Vulnerabilities and Exposure identifier, sparking criticism that the critical bugs weren’t properly disclosed.
Next time Microsoft shows any comparisons involving a number of flaws or severity of flaws, refuse to accept them. Microsoft is the boy who cried “Wolf!” and the above serves as an example of behaviour that has gone on for years (rarely detected though because it’s hard). █
Yuhong Bao said,
May 9, 2010 at 12:09 pm
Ars had an article about it:
http://arstechnica.com/microsoft/news/2010/05/the-potential-dangers-of-microsofts-secret-patches.ars
And MS is not the only culprit, from http://it.slashdot.org/comments.pl?sid=226603&cid=18365343 :
“or if he finds it first it never gets announced (see the ntalkd scandal years ago).”
Dr. Roy Schestowitz said,
May 9, 2010 at 12:19 pm
Yuhong,
I will write more about this tomorrow (with more references).