Bonum Certa Men Certa

Microsoft Finally Admits Numbers of Vulnerabilities It Reports Are Fake

Microsoft lies



Summary: Mike Reavey, the director of the Microsoft Security Response Center, admits that Microsoft is silently patching vulnerabilities without ever reporting the problem

IT'S official. Microsoft is a liar. Again. Now there is even admission from Microsoft, confirming an issue which we first raised some weeks ago. Whenever Microsoft says it patches x number of flaws with y number of patches/bulletins, Microsoft ought to be assumed to be lying. Microsoft's silent patching is a subject we have been covering for years and it helps explain why one in two Windows PCs is believed to be a zombie PC, despite Microsoft's claims that all of its flaws are being addressed. All those fake comparisons against platforms like Red Hat Enterprise Linux (where Microsoft stacks up and aggregates numbers of flaws) can be thrown into the wastebasket. If convincing proof is needed, here it is. Microsoft first tried to spin it (for weeks) and now it gives up and tells the truth.



Microsoft Official Admits to Quiet Security Patching



Microsoft doesn't report all security vulnerabilities that it fixes in its software. Bug comparisons between vendors therefore paint an incorrect picture.

"We don't document every issue found," Mike Reavey, director of the Microsoft Security Response Center (MSRC), said at a meeting with reporters at the company's corporate headquarters in Redmond, Washington.

Microsoft will issue a Common Vulnerabilities and Exposures (CVE) number to a vulnerability for flaws that share the same severity, have an attack vector and a workaround. If several flaws share all the same properties, they will not be reported separately, Reavey said.

The nondisclosure of fixes was brought to light early this month by a company called Core Security Technologies. After studying the Microsoft patches MS10-024 and MS10-028, it noticed three silent fixes. Security bulletin MS10-028 addressed a flaw that would expose a user of Microsoft Visio to a buffer overflow attack, which would allow an attacker to take over control of the system.


Finally. Thanks for the honesty. So how much damage has been caused by Microsoft's lies so far. Microsoft has been denying this for years, but not exactly denying, either. It was spinning and avoiding the actual question. It's the art of lying without practically lying, just evading. Adobe is at least honest about its proprietary software being insecure garbage. As far as we are aware, Adobe hasn't a long history of systematic lying, unlike Microsoft.

"Microsoft smacks patch-blocking rootkit second time," says another new report from Gregg Keizer.

For the second month in a row, Microsoft has tried to eradicate a mutating rootkit that has blocked some Windows users from installing security updates.


Here is another one (also here):

Jerry Bryant, a group manager with the Microsoft Security Response Center (MSRC), said his team is looking into Raskin's claims, but hinted that Microsoft wouldn't be patching IE anytime soon. "I wouldn't classify this as a 'vulnerability' though," Bryant said in an e-mail answer to questions.


The followup says:

Will browser makers patch this? Unlikely. Microsoft's Jerry Bryant, a general manager at the company's security response center, said the issue isn't a security vulnerability per se, and that Internet Explorer (IE) falls for the scam because that's the way browsers work.

"Working with [Raskin's] proof-of-concept, as written, is expected," he said in an e-mail Tuesday when asked whether Microsoft had a fix in mind for IE.


Let's remember how much damage was caused this year because Microsoft had refused to patch known Internet Explorer flaws for five months [1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12]. Where is the liability [1, 2, 3, 4, 5]? Watch what it happening in Denver right now.

Denver officials have asked the FBI, Denver police and Microsoft Corp. to help them identify the person or people who have hacked into the city's website twice in the past week.


If Microsoft gets involved, then it almost must be a Windows server.

Comments

Recent Techrights' Posts

Open Source Initiative (OSI) Privacy Fiasco in Detail: The OSI Does Not Respect Anybody's Privacy
The surveillance mafia that bans dissent or key people (even co-founders) with dissenting views
The LLM Bubble is About to Implode, Gimmicks and Financial Shell Games Cannot Prevent That, Only Delay It
To inflate the bubble MElon is now doing the classic trick of buying from oneself for a fictional value
 
LLM Slop Piggybacking News About GNU/Linux and Distorting It
new examples
Links 31/03/2025: Press and Democracy Under Further Attacks in the US, Attitudes Towards Slop Sour
Links for the day
Gemini Links 31/03/2025: More X-Filesposting and Dreaming in Emacs
Links for the day
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Sunday, March 30, 2025
IRC logs for Sunday, March 30, 2025
Links 30/03/2025: Security Breaches, Crackdowns on Dissent/Rival Politicians
Links for the day
Gemini Links 30/03/2025: London Soundtrack Festival, Superbloom, gmiCAPTCHA
Links for the day
Phasing Out Vista 10 in Nations Where ~90% of Windows Users Still Rely on It
Recipe for another Microsoft disaster
The Cost of Pursuing the Much-Needed Reform/Shield Against Strategic Lawsuits Against Public Participation (SLAPPs)
“It is curious that physical courage should be so common in the world and moral courage so rare.”
Links 30/03/2025: Contagious Ideas, Signal Leak, and Squashing Lousy Patents
Links for the day
Links 30/03/2025: "Quantum Randomness" and "F-1 Visa Revoked" in US
Links for the day
Gemini Links 30/03/2025: US as a Threat, Returning to the WWW
Links for the day
Links 30/03/2025: Judge Blocks Dismantling Of VOA, Turkey Arrested Many Journalists
Links for the day
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Saturday, March 29, 2025
IRC logs for Saturday, March 29, 2025
Judges Would Never Rule for Men Who Strangle Women or Against Women Who Merely Wrote Articles About Abuse They Had Received From Men
We don't intend to do "trial by media", so we won't be disclosing claims and defences until it's over
Windows is an Unnatural Disaster, It is Also Avoidable
there's a wide window of opportunity opening
Gemini Links 29/03/2025: Less YouTube and More Station
Links for the day
In Some Countries, Such as Thailand, Firefox is Already Measured at Less Than 2% (One Day Firefox Will Get Blocked, Not Only Lack Support)
Web consolidation around Chrom-isms will doom the Web as we know it
Killing the News With Spam and Slop Benefits Those Whose Desire is an Uninformed Population
adoption of Free software depends indirectly on political activities/activism
Links 29/03/2025: Trademarks Battles, Fires Destroy More Than 3,000 South Korean Homes
Links for the day
Open Source Initiative (OSI) Privacy Fiasco in Detail: An Introduction
Perhaps tomorrow or perhaps next week we'll share more information about what happened and what was reported to the California Privacy Protection Agency
Links 29/03/2025: More Crackdowns on Science, "Hey Hi" Slopping is Flopping
Links for the day
IBM's BS (Bait, Switch) Regarding Ways to Stay Onboard
PIPs, RTOs, and forced relocations are just an illusion of choice (or ability to recover)
Costa Rica Almost Bankrupt Because of Microsoft
the incidents in Costa Rica are Windows incidents
Gemini Links 29/03/2025: Art of Looking, Wireguard, EMacs
Links for the day
Links 29/03/2025: Attacks on Social Security and War Updates
Links for the day
Banned evidence: Ars Technica forums censored email predicting DebConf23 death, Abraham Raji & Debian cover-up
Reprinted with permission from Daniel Pocock
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Friday, March 28, 2025
IRC logs for Friday, March 28, 2025