
05.31.10

Microsoft Finally Admits Numbers of Vulnerabilities It Reports Are Fake

Posted in Deception, GNU/Linux, Microsoft, Red Hat, Security, Servers, Windows at 6:14 am by Dr. Roy Schestowitz

Microsoft lies

Summary: Mike Reavey, the director of the Microsoft Security Response Center, admits that Microsoft is silently patching vulnerabilities without ever reporting the problem

IT’S official. Microsoft is a liar. Again. Now there is even admission from Microsoft, confirming an issue which we first raised some weeks ago. Whenever Microsoft says it patches x number of flaws with y number of patches/bulletins, Microsoft ought to be assumed to be lying. Microsoft’s silent patching is a subject we have been covering for years and it helps explain why one in two Windows PCs is believed to be a zombie PC, despite Microsoft’s claims that all of its flaws are being addressed. All those fake comparisons against platforms like Red Hat Enterprise Linux (where Microsoft stacks up and aggregates numbers of flaws) can be thrown into the wastebasket. If convincing proof is needed, here it is. Microsoft first tried to spin it (for weeks) and now it gives up and tells the truth.

Microsoft Official Admits to Quiet Security Patching

Microsoft doesn’t report all security vulnerabilities that it fixes in its software. Bug comparisons between vendors therefore paint an incorrect picture.

“We don’t document every issue found,” Mike Reavey, director of the Microsoft Security Response Center (MSRC), said at a meeting with reporters at the company’s corporate headquarters in Redmond, Washington.

Microsoft will issue a Common Vulnerabilities and Exposures (CVE) number to a vulnerability for flaws that share the same severity, have an attack vector and a workaround. If several flaws share all the same properties, they will not be reported separately, Reavey said.

The nondisclosure of fixes was brought to light early this month by a company called Core Security Technologies. After studying the Microsoft patches MS10-024 and MS10-028, it noticed three silent fixes. Security bulletin MS10-028 addressed a flaw that would expose a user of Microsoft Visio to a buffer overflow attack, which would allow an attacker to take over control of the system.
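To make the counting rule in the quoted report concrete, here is a small added example (not code from the original post or from Microsoft) that models how fixes are rolled up into CVEs by shared severity, attack vector and workaround, and how undocumented fixes drop out of the published count. The bulletin names are the two the post mentions; the flaw ids, severities, vectors and workarounds are constructed for illustration, and the grouping key is an assumption drawn from the quoted description rather than any documented MSRC procedure.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flaw:
    flaw_id: str        # internal tracking id (constructed)
    bulletin: str       # bulletin the fix shipped in
    severity: str
    attack_vector: str
    workaround: str
    documented: bool    # True if the vendor reported the fix in the bulletin


# Constructed sample data. Bulletin names come from the post; ids, severities,
# vectors and workarounds are made up for illustration.
SAMPLE_FLAWS = [
    Flaw("F-1", "MS10-024", "Important", "network", "block port", True),
    Flaw("F-2", "MS10-024", "Important", "network", "block port", False),
    Flaw("F-3", "MS10-028", "Critical", "open file", "avoid untrusted files", True),
    Flaw("F-4", "MS10-028", "Critical", "open file", "avoid untrusted files", False),
    Flaw("F-5", "MS10-028", "Important", "local", "restrict users", False),
]


def cve_key(flaw):
    """Properties the quoted policy says decide whether flaws share one CVE.
    (Assumed key, based on the report's wording.)"""
    return (flaw.bulletin, flaw.severity, flaw.attack_vector, flaw.workaround)


def group_by_cve(flaws):
    """Roll individual fixes up into the CVE groups they would be reported as."""
    groups = defaultdict(list)
    for f in flaws:
        groups[cve_key(f)].append(f)
    return dict(groups)


def count_summary(flaws):
    """The numbers a vendor comparison would quote, side by side with what shipped."""
    groups = group_by_cve(flaws)
    reported = [k for k, fs in groups.items() if any(f.documented for f in fs)]
    return {
        "fixes": len(flaws),                       # code changes actually shipped
        "cve_groups": len(groups),                 # distinct CVEs under the grouping rule
        "reported_cves": len(reported),            # CVEs that appear in a bulletin
        "silent_fixes": sum(1 for f in flaws if not f.documented),
        "bulletins": len({f.bulletin for f in flaws}),
    }


def undercount_ratio(flaws):
    """Fraction of shipped fixes that the published CVE count reflects."""
    s = count_summary(flaws)
    return s["reported_cves"] / s["fixes"] if s["fixes"] else 0.0


if __name__ == "__main__":
    for name, value in count_summary(SAMPLE_FLAWS).items():
        print(f"{name}: {value}")
    print(f"published count covers {undercount_ratio(SAMPLE_FLAWS):.0%} of fixes")
```

With the constructed data, five fixes across two bulletins collapse to three CVE groups, of which only two are ever reported, so a comparison built on "2 CVEs in 2 bulletins" misses three of the five fixes. Any cross-vendor count is only as good as the grouping and disclosure rules behind it, which is the point the post makes.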

Finally. Thanks for the honesty. So how much damage has been caused by Microsoft’s lies so far? Microsoft has been denying this for years, but not exactly denying, either. It was spinning and avoiding the actual question. It’s the art of lying without practically lying, just evading. Adobe is at least honest about its proprietary software being insecure garbage. As far as we are aware, Adobe doesn’t have a long history of systematic lying, unlike Microsoft.

“Microsoft smacks patch-blocking rootkit second time,” says another new report from Gregg Keizer.

For the second month in a row, Microsoft has tried to eradicate a mutating rootkit that has blocked some Windows users from installing security updates.

Here is another one (also here):

Jerry Bryant, a group manager with the Microsoft Security Response Center (MSRC), said his team is looking into Raskin’s claims, but hinted that Microsoft wouldn’t be patching IE anytime soon. “I wouldn’t classify this as a ‘vulnerability’ though,” Bryant said in an e-mail answer to questions.

The followup says:

Will browser makers patch this? Unlikely. Microsoft’s Jerry Bryant, a general manager at the company’s security response center, said the issue isn’t a security vulnerability per se, and that Internet Explorer (IE) falls for the scam because that’s the way browsers work.

“Working with [Raskin's] proof-of-concept, as written, is expected,” he said in an e-mail Tuesday when asked whether Microsoft had a fix in mind for IE.

Let’s remember how much damage was caused this year because Microsoft had refused to patch known Internet Explorer flaws for five months [1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12]. Where is the liability [1, 2, 3, 4, 5]? Watch what is happening in Denver right now.

Denver officials have asked the FBI, Denver police and Microsoft Corp. to help them identify the person or people who have hacked into the city’s website twice in the past week.

If Microsoft gets involved, then it almost must be a Windows server.


A Single Comment

  1. twitter said,

    June 1, 2010 at 5:52 pm


    Microsoft was cornered in two ways. First, people noticed a “silent patch”. The more fundamental bust, however, is that no one with a clue ever believed the “get the facts” propaganda. Only someone with a financial interest will tell you that Windows and GNU/Linux security are equivalent. Only someone without free software experience will believe them.

    Microsoft will go on telling the same lies. “Get the Facts” was not some kind of subtle spin. It was a direct lie, constructed of fabricated evidence, relentlessly pushed anywhere and everywhere people with computer purchasing power and developers had a discussion. Each point of the lie was refuted almost as many times. Someone might get fired for getting caught and Microsoft will keep telling the world that Windows is the most secure software ever.
