EditorsAbout the SiteComes vs. MicrosoftUsing This Web SiteSite ArchivesCredibility IndexOOXMLOpenDocumentPatentsNovellNews DigestSite NewsRSS

05.31.10

Microsoft Finally Admits Numbers of Vulnerabilities It Reports Are Fake

Posted in Deception, GNU/Linux, Microsoft, Red Hat, Security, Servers, Windows at 6:14 am by Dr. Roy Schestowitz

Microsoft lies

Summary: Mike Reavey, the director of the Microsoft Security Response Center, admits that Microsoft is silently patching vulnerabilities without ever reporting the problem

IT’S official. Microsoft is a liar. Again. Now there is even admission from Microsoft, confirming an issue which we first raised some weeks ago. Whenever Microsoft says it patches x number of flaws with y number of patches/bulletins, Microsoft ought to be assumed to be lying. Microsoft’s silent patching is a subject we have been covering for years and it helps explain why one in two Windows PCs is believed to be a zombie PC, despite Microsoft’s claims that all of its flaws are being addressed. All those fake comparisons against platforms like Red Hat Enterprise Linux (where Microsoft stacks up and aggregates numbers of flaws) can be thrown into the wastebasket. If convincing proof is needed, here it is. Microsoft first tried to spin it (for weeks) and now it gives up and tells the truth.

Microsoft Official Admits to Quiet Security Patching

Microsoft doesn’t report all security vulnerabilities that it fixes in its software. Bug comparisons between vendors therefore paint an incorrect picture.

“We don’t document every issue found,” Mike Reavey, director of the Microsoft Security Response Center (MSRC), said at a meeting with reporters at the company’s corporate headquarters in Redmond, Washington.

Microsoft will issue a Common Vulnerabilities and Exposures (CVE) number to a vulnerability for flaws that share the same severity, have an attack vector and a workaround. If several flaws share all the same properties, they will not be reported separately, Reavey said.

The nondisclosure of fixes was brought to light early this month by a company called Core Security Technologies. After studying the Microsoft patches MS10-024 and MS10-028, it noticed three silent fixes. Security bulletin MS10-028 addressed a flaw that would expose a user of Microsoft Visio to a buffer overflow attack, which would allow an attacker to take over control of the system.

Finally. Thanks for the honesty. So how much damage has been caused by Microsoft’s lies so far. Microsoft has been denying this for years, but not exactly denying, either. It was spinning and avoiding the actual question. It’s the art of lying without practically lying, just evading. Adobe is at least honest about its proprietary software being insecure garbage. As far as we are aware, Adobe hasn’t a long history of systematic lying, unlike Microsoft.

“Microsoft smacks patch-blocking rootkit second time,” says another new report from Gregg Keizer.

For the second month in a row, Microsoft has tried to eradicate a mutating rootkit that has blocked some Windows users from installing security updates.

Here is another one (also here):

Jerry Bryant, a group manager with the Microsoft Security Response Center (MSRC), said his team is looking into Raskin’s claims, but hinted that Microsoft wouldn’t be patching IE anytime soon. “I wouldn’t classify this as a ‘vulnerability’ though,” Bryant said in an e-mail answer to questions.

The followup says:

Will browser makers patch this? Unlikely. Microsoft’s Jerry Bryant, a general manager at the company’s security response center, said the issue isn’t a security vulnerability per se, and that Internet Explorer (IE) falls for the scam because that’s the way browsers work.

“Working with [Raskin's] proof-of-concept, as written, is expected,” he said in an e-mail Tuesday when asked whether Microsoft had a fix in mind for IE.

Let’s remember how much damage was caused this year because Microsoft had refused to patch known Internet Explorer flaws for five months [1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12]. Where is the liability [1, 2, 3, 4, 5]? Watch what it happening in Denver right now.

Denver officials have asked the FBI, Denver police and Microsoft Corp. to help them identify the person or people who have hacked into the city’s website twice in the past week.

If Microsoft gets involved, then it almost must be a Windows server.

Share in other sites/networks: These icons link to social bookmarking sites where readers can share and discover new web pages.
  • Reddit
  • email
  • Slashdot

If you liked this post, consider subscribing to the RSS feed or join us now at the IRC channels.

Pages that cross-reference this one

A Single Comment

  1. twitter said,

    June 1, 2010 at 5:52 pm

    Gravatar

    Microsoft was cornered in two ways. First, people noticed a “silent patch”. The more fundamental bust, however, is that no one with a clue ever believed the “get the facts” propaganda. Only someone with a financial interest will tell you that Windows and GNU/Linux security are equivalent. Only someone without free software experience will believe them.

    Microsoft will go on telling the same lies. “Get the Facts” was not some kind of subtle spin. It was a direct lie, constructed of fabricated evidence, relentlessly pushed anywhere and everywhere people with computer purchasing power and developers had a discussion. Each point of the lie was refuted almost as many times. Someone might get fired for getting caught and Microsoft will keep telling the world that Windows is the most secure software ever.

What Else is New


  1. Video: Free Communication With Free Software - Daniel Pocock - FOSSASIA Summit 2016

    The 2016 FOSSASIA talk from Daniel Pocock (Debian) about Free software alternatives to Google, Microsoft Skype and so on (Microsoft started paying Debian in 2016)



  2. [Meme] Microsoft Downtime... Now in 'Linux' (Wait a Month for Microsoft to Restore Uptime)

    Microsoft’s utter failure that is "WSL2" is bringing the failures Windows is so notorious for (loss of work, lack of security, fatal patches) to so-called ‘Linux’; the timeframe for a fix says a lot about just how much Microsoft “loves” Linux…



  3. Coming Soon: Microsoft Leaks (Which Microsoft Pressured Medium to Suppress and Promptly Unpublish)

    Microsoft is no ordinary company; exposing it is like dealing with the Mafia or some drug cartel in Mexico, but we're able to publish truths about Microsoft nonetheless (their notorious intimidation and silencing attempts have always failed against us)



  4. Dishonest Corporations -- Like Smug Politicians -- Pretend to be Something They're Not

    Corporate lies dominate the media, having been crafted by unethical marketing departments with their photo ops and hashtags



  5. GNU is Also a Brand, But It Boils Down to Philosophy and Principles, Not Greed or Corporate Identity

    Why the goal of GNU should be freedom rather than so-called 'world domination' (the objective of large firms with shareholders)



  6. IRC Proceedings: Friday, September 18, 2020

    IRC logs for Friday, September 18, 2020



  7. Links 19/9/2020: Taiwins 0.2 and a Call for Ubuntu Community Council Nominations

    Links for the day



  8. One Year Later Richard Stallman Needs to be Un-cancelled and Attention Turned to the Real Perpetrator of MIT Scandals

    The sheer hypocrisy, treating Stallman as the real nuisance to MIT when it was in fact Bill Gates who trafficked money through convicted sex criminals (to MIT); justice needs to be belatedly restored



  9. ZDNet's 'Linux' Section Isn't About Linux But About Microsoft

    ZDNet's so-called 'Linux' section isn't really about GNU/Linux; it's just the site's usual Microsoft propaganda, bought and paid for by Microsoft



  10. Debian's Network of Gossip and Gossipmongering in Debian-Private

    Reprinted with permission from Debian Community News



  11. More EPO Disclosures: An Explanation of How an EPO Survey Plots to Dismantle the EPO's Staff

    Dismantling the Office for the benefit of a bunch of private companies (taking over various duties of EPO staff) seems like the management's goal; included in image form (and text) below is today's publication. There's a PDF with text (not OCR) but it contains metadata.



  12. Forced Confessions and Thought Control in Debian

    Reprinted with permission from Debian Community News



  13. [Meme] You Cannot Elect/Vote Corporations Out of Power (Eternal Vigilance is Required)

    Based on early polls, Biden will be president-elect in about a month and a half; but it’s important to remember that the election (if honoured by the current tenant of the White House) won’t be the end of corporate abuse of power in the same sense that driving Microsoft out of business won’t miraculously mean that Free software ‘won’ (we have a lot more to confront still)



  14. Debian Volunteers Disallowed and Forbidden From Talking About Politics (Unlike Debian's Aristocracy That Handles All the Money From Sponsors)

    Reprinted with permission from Debian Community News



  15. Political Compass for Free Software (and Those Who Attack Software Freedom)

    With RMS (the father of the movement) betrayed from multiple angles (OSI, Linux Foundation etc.) it’s probably important to depict what’s going on, quasi-politically speaking



  16. Richard Stallman Has Not Changed His Tune at All

    Richard Stallman's (RMS) principled views regarding software go back to the days of zeroes and ones; his position 35 years ago was almost indistinguishable from today's position



  17. IRC Proceedings: Thursday, September 17, 2020

    IRC logs for Thursday, September 17, 2020



  18. Keith Packard: Richard Stallman Was Right (About the GPL)

    A 2020 video (before lock-downs) from the brain behind X11 and various lesser-known projects



  19. The Quandary of 'Ethical' Sponsors and One's Ability to Criticise Them (Otherwise It's a Potential Bribe in Exchange for Censorship of Critics)

    When Free software advocacy groups are indebted to companies that greatly harm people's freedom (including privacy) we have to ask ourselves questions regarding morality and ethics because money isn't inherently evil, it depends who or where it comes from (on what implicit conditions)



  20. When Attempting to Run for Debian Project Leader (DPL), Only to Realise the Process is Rigged (and Censored) to Protect Past Leaders

    Reprinted with permission from Debian Community News



  21. [Meme] Linux Foundation Does Not Represent Linux Users

    With only one truly technical person inside the Linux Foundation Board (it got a lot worse in 2020) it seems safe to call it 95%+ corporate gerrymandering with no signs of improving any time soon; it’s all about letting hostile corporations change Linux rather than allowing Linux to change the world



  22. Somebody Needs to Talk About Free Software Politics

    The world of Free software is full of politics; it's impossible to be completely apolitical in it and just like "office politics" or "corporate politics" a lot boils down to deception, manipulation, exchange of favours (sometimes bribes) and we must talk about those things if we're ever going to seriously tackle abuse



  23. 2020 Elections: No, It's Not About Russia

    The Biden/Trump false dichotomy (perpetuating the two-party system monopoly/duopoly) borrows from Russophobic tactics and fact-free shaming



  24. Nepotism and Conflicts of Interest in Free Software

    Reprinted with permission from Debian Community News



  25. Links 17/9/2020: Qt Creator 4.13.1, Linux 5.8.10 and Mesa 20.1.8 Released

    Links for the day



  26. Codes of Contradiction

    Reprinted with permission from Debian Community News



  27. [Meme] Two Dictators: When Jimmy Met Satya

    Jim Zemlin’s Linux Foundation has sold Linux to a bunch of Linux-hostile dictators



  28. Germany Would Violate 3 International Agreements With the Unitary Patent, Says FFII

    Open Letter to the Bundesrat: “Germany will violate 3 international agreements with the Unitary Patent”



  29. Expulsions by Vendettas

    Reprinted with permission from Debian Community News



  30. [Meme] António Campinos Fools Nobody at the EPO Anymore

    António Campinos, President of the EPO, is failing to hide who or what he really is; he’s not even trying anymore


RSS 64x64RSS Feed: subscribe to the RSS feed for regular updates

Home iconSite Wiki: You can improve this site by helping the extension of the site's content

Home iconSite Home: Background about the site and some key features in the front page

Chat iconIRC Channel: Come and chat with us in real time

Recent Posts