
05.31.10

Microsoft Finally Admits Numbers of Vulnerabilities It Reports Are Fake

Posted in Deception, GNU/Linux, Microsoft, Red Hat, Security, Servers, Windows at 6:14 am by Dr. Roy Schestowitz


Summary: Mike Reavey, the director of the Microsoft Security Response Center, admits that Microsoft is silently patching vulnerabilities without ever reporting the problem

It’s official. Microsoft is a liar. Again. Now there is even an admission from Microsoft, confirming an issue we first raised some weeks ago. Whenever Microsoft says it patches x number of flaws with y number of patches/bulletins, Microsoft ought to be assumed to be lying. Microsoft’s silent patching is a subject we have been covering for years, and it helps explain why one in two Windows PCs is believed to be a zombie PC, despite Microsoft’s claims that all of its flaws are being addressed. All those fake comparisons against platforms like Red Hat Enterprise Linux (where Microsoft stacks up and aggregates numbers of flaws) can be thrown into the wastebasket. If convincing proof is needed, here it is. Microsoft first tried to spin it (for weeks) and now it gives up and tells the truth.

Microsoft Official Admits to Quiet Security Patching

Microsoft doesn’t report all security vulnerabilities that it fixes in its software. Bug comparisons between vendors therefore paint an incorrect picture.

“We don’t document every issue found,” Mike Reavey, director of the Microsoft Security Response Center (MSRC), said at a meeting with reporters at the company’s corporate headquarters in Redmond, Washington.

Microsoft will issue a Common Vulnerabilities and Exposures (CVE) number to a vulnerability for flaws that share the same severity, have an attack vector and a workaround. If several flaws share all the same properties, they will not be reported separately, Reavey said.

The nondisclosure of fixes was brought to light early this month by a company called Core Security Technologies. After studying the Microsoft patches MS10-024 and MS10-028, it noticed three silent fixes. Security bulletin MS10-028 addressed a flaw that would expose a user of Microsoft Visio to a buffer overflow attack, which would allow an attacker to take over control of the system.

Finally. Thanks for the honesty. So how much damage has been caused by Microsoft’s lies so far? Microsoft has been denying this for years, but not exactly denying, either. It was spinning and avoiding the actual question. It’s the art of lying without practically lying, just evading. Adobe is at least honest about its proprietary software being insecure garbage. As far as we are aware, Adobe does not have a long history of systematic lying, unlike Microsoft.

“Microsoft smacks patch-blocking rootkit second time,” says another new report from Gregg Keizer.

For the second month in a row, Microsoft has tried to eradicate a mutating rootkit that has blocked some Windows users from installing security updates.

Here is another one (also here):

Jerry Bryant, a group manager with the Microsoft Security Response Center (MSRC), said his team is looking into Raskin’s claims, but hinted that Microsoft wouldn’t be patching IE anytime soon. “I wouldn’t classify this as a ‘vulnerability’ though,” Bryant said in an e-mail answer to questions.

The followup says:

Will browser makers patch this? Unlikely. Microsoft’s Jerry Bryant, a general manager at the company’s security response center, said the issue isn’t a security vulnerability per se, and that Internet Explorer (IE) falls for the scam because that’s the way browsers work.

“Working with [Raskin's] proof-of-concept, as written, is expected,” he said in an e-mail Tuesday when asked whether Microsoft had a fix in mind for IE.

Let’s remember how much damage was caused this year because Microsoft had refused to patch known Internet Explorer flaws for five months [1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12]. Where is the liability [1, 2, 3, 4, 5]? Watch what is happening in Denver right now.

Denver officials have asked the FBI, Denver police and Microsoft Corp. to help them identify the person or people who have hacked into the city’s website twice in the past week.

If Microsoft gets involved, then it is almost certainly a Windows server.


A Single Comment

  1. twitter said,

    June 1, 2010 at 5:52 pm


    Microsoft was cornered in two ways. First, people noticed a “silent patch”. The more fundamental bust, however, is that no one with a clue ever believed the “get the facts” propaganda. Only someone with a financial interest will tell you that Windows and GNU/Linux security are equivalent. Only someone without free software experience will believe them.

    Microsoft will go on telling the same lies. “Get the Facts” was not some kind of subtle spin. It was a direct lie, constructed of fabricated evidence, relentlessly pushed anywhere and everywhere people with computer purchasing power and developers had a discussion. Each point of the lie was refuted almost as many times. Someone might get fired for getting caught and Microsoft will keep telling the world that Windows is the most secure software ever.
