
05.07.10

Why Microsoft’s Security Reports Are a Scam

Posted in Boycott Novell, Deception, Microsoft, Security at 3:32 am by Dr. Roy Schestowitz

Microsoft lies

Summary: Microsoft is caught lying again, by essentially patching serious flaws while hiding their very existence

To put it bluntly but rather fairly, or at least realistically, Microsoft is a company of systematic liars and nobody should ever trust a word that comes out of its mouth. It believes that these lies are acceptable because they serve some higher goal, or that a lie is a white lie when it helps one's investors or bank account (or perceived sense of security). The examples we have given before (e.g. [1, 2, 3, 4, 5]) are too many to list here exhaustively, so we will not attempt to catalogue them again.

One point that we stressed and demonstrated several years ago is that Microsoft fakes its reports when it comes to security; people buy their software based on false premises, lack of disclosure, and outright lies.

Putting aside the examples from several years ago, we now have new ones in which Microsoft gets caught (a rare thing, because the code is secret and a silent fix leaves no trace in the accompanying advisory). As Slashdot summarised it:

“Microsoft silently patched three vulnerabilities last month, two of them affecting enterprise mission-critical Exchange mail servers, without calling out the bugs in the accompanying advisories, a security expert said on Thursday. Two of the three unannounced vulnerabilities, and the most serious of the trio, were packaged with MS10-024, an update to Exchange and Windows SMTP Service that Microsoft issued April 13 and tagged as ‘important,’ its second-highest threat ranking. Ivan Arce, CTO of Core Security Technologies, said Microsoft patched the bugs, but failed to disclose that it had done so — which could pose a problem. ‘They’re more important than the [two vulnerabilities] that Microsoft did disclose,’ said Arce. ‘That means [system] administrators may end up making the wrong decisions about applying the update. They need that information to assess the risk.’”

Here is the corresponding article:

Microsoft silently patched three vulnerabilities last month, two of them affecting enterprise mission-critical Exchange mail servers, without calling out the bugs in the accompanying advisories, a security expert said today.

Two of the three unannounced vulnerabilities, and the most serious of the trio, were packaged with MS10-024, an update to Exchange and Windows SMTP Service that Microsoft issued April 13 and tagged as “important,” its second-highest threat ranking.

According to Ivan Arce, the chief technology officer of Core Security Technologies, Microsoft patched the bugs, but failed to disclose that it had done so.

This has already been covered by The Register too:

A recent security patch from Microsoft silently fixed two severe bugs that were never disclosed even though they posed a risk to many of its customers, a security researcher said.

MS10-024 fixed two flaws that made it possible for adversaries to intercept victims’ email messages sent by Exchange and Windows SMTP service, Nicolás Economou, a researcher with Core Security said. But the bugs – which made it “trivial” to spoof responses to domain name system queries – weren’t disclosed and were never assigned a Common Vulnerabilities and Exposure identifier, sparking criticism that the critical bugs weren’t properly disclosed.
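What "trivial to spoof" means in practice, as an added illustration that is not part of the original post and is not code from Microsoft or Core Security: the articles above do not say what made the spoofing trivial, so the model below assumes the classic cause, a resolver that uses sequential transaction IDs and a fixed UDP source port, and contrasts it with a resolver that randomises both. The resolver, the attacker, the names, the addresses and the port numbers are all constructed for the example.

```python
"""Added example (not Microsoft's or Core Security's code): why forging a DNS reply
is trivial against a resolver with predictable transaction IDs and a fixed source
port, and impractical once TXID and port are randomised.  The weak-resolver
behaviour is an assumption for illustration; the articles do not state the cause
of the MS10-024 bugs.  All names, addresses and ports are constructed."""
import random
import struct

A_IN = struct.pack("!HH", 1, 1)          # QTYPE=A, QCLASS=IN


def encode_qname(name):
    """Wire-format a domain name as length-prefixed labels."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return out + b"\x00"


def build_query(txid, name):
    # Header: ID, flags (RD=1), QDCOUNT=1, ANCOUNT/NSCOUNT/ARCOUNT=0
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + encode_qname(name) + A_IN


def build_response(txid, name, ip):
    """A forged reply: QR=1, one A record pointing at `ip`."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = encode_qname(name) + A_IN
    # Answer RR: pointer to the name at offset 12, type A, class IN, TTL, RDLENGTH=4, address
    answer = struct.pack("!HHHIH", 0xC00C, 1, 1, 60, 4) + bytes(int(o) for o in ip.split("."))
    return header + question + answer


class Resolver:
    """Model of a stub resolver: one outstanding query, accepted only if the reply
    arrives on the query's source port with the same TXID and question."""

    def __init__(self, txid_gen, port_gen):
        self.txid_gen, self.port_gen, self.pending = txid_gen, port_gen, None

    def send(self, name):
        txid, port = self.txid_gen(), self.port_gen()
        self.pending = (txid, port, name)
        return build_query(txid, name), port

    def receive(self, packet, dst_port):
        txid, port, name = self.pending
        rid, flags, _, ancount, _, _ = struct.unpack("!HHHHHH", packet[:12])
        question = encode_qname(name) + A_IN
        if dst_port != port or rid != txid or not flags & 0x8000 or ancount < 1:
            return None
        if packet[12:12 + len(question)] != question:
            return None
        return ".".join(str(b) for b in packet[-4:])   # address from the single A record


def make_sequential_resolver(start=0x1000, port=1025):
    """The weak pattern assumed here: TXID = previous + 1, always the same UDP port."""
    state = {"next": start}

    def txid_gen():
        txid = state["next"]
        state["next"] = (txid + 1) & 0xFFFF
        return txid
    return Resolver(txid_gen, lambda: port)


def make_random_resolver(seed):
    rng = random.Random(seed)
    return Resolver(lambda: rng.getrandbits(16), lambda: rng.randrange(1024, 65536))


def spoof_until_accepted(resolver, name, guesses, fake_ip="203.0.113.66", budget=2000):
    """Blind attacker: fire forged replies for each (txid, port) guess until the
    resolver accepts one.  Returns the attempt number that succeeded, else None."""
    resolver.send(name)
    for attempt, (txid, port) in enumerate(guesses, 1):
        if attempt > budget:
            break
        if resolver.receive(build_response(txid, name, fake_ip), port) == fake_ip:
            return attempt
    return None


def run_scenarios():
    results = {}
    # 1. Sequential TXID, fixed port, and the attacker has seen one earlier query
    #    (e.g. by making the server look up a name it controls): one packet is enough.
    r = make_sequential_resolver()
    observed, _ = r.send("attacker-controlled.example")
    seen = struct.unpack("!H", observed[:2])[0]
    results["sequential_txid_seen"] = spoof_until_accepted(
        r, "mx.example.com", (((seen + 1 + i) & 0xFFFF, 1025) for i in range(10)))
    # 2. Same resolver, attacker blind: the fixed port leaves only 2^16 TXIDs to try.
    results["sequential_txid_blind"] = spoof_until_accepted(
        make_sequential_resolver(), "mx.example.com",
        ((i, 1025) for i in range(65536)), budget=65536)
    # 3. Random TXID and random source port: ~2^32 combinations, a flood of 2000 fails.
    atk = random.Random(99)
    results["random_txid_and_port"] = spoof_until_accepted(
        make_random_resolver(seed=7), "mx.example.com",
        ((atk.getrandbits(16), atk.randrange(1024, 65536)) for _ in range(2000)))
    return results


if __name__ == "__main__":
    for scenario, attempts in run_scenarios().items():
        print(f"{scenario}: {'accepted on attempt ' + str(attempts) if attempts else 'not spoofed'}")
```

The point of the three scenarios is that a 16-bit transaction ID on its own only buys time (at most 65,536 forged packets, far fewer if the sequence has been observed); randomising the source port as well is what pushes the attacker's search space to roughly 2^32 per outstanding query.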

Next time Microsoft presents comparisons based on the number or severity of flaws, refuse to accept them: a flaw that is patched silently gets no mention in the bulletin and no CVE identifier, so it never enters such counts, and administrators who rely on the bulletin to decide whether to deploy an update are left to assess the risk without the facts. Microsoft is the boy who cried “Wolf!” and the above serves as an example of behaviour that has gone on for years (rarely detected, because detecting it is hard).



2 Comments

  1. Yuhong Bao said,

    May 9, 2010 at 12:09 pm


    Ars had an article about it:
    http://arstechnica.com/microsoft/news/2010/05/the-potential-dangers-of-microsofts-secret-patches.ars
    And MS is not the only culprit, from http://it.slashdot.org/comments.pl?sid=226603&cid=18365343 :
    “or if he finds it first it never gets announced (see the ntalkd scandal years ago).”

  2. Dr. Roy Schestowitz said,

    May 9, 2010 at 12:19 pm


    Yuhong,

    I will write more about this tomorrow (with more references).
