EditorsAbout the SiteComes vs. MicrosoftUsing This Web SiteSite ArchivesCredibility IndexOOXMLOpenDocumentPatentsNovellNews DigestSite NewsRSS

05.31.10

Microsoft Finally Admits Numbers of Vulnerabilities It Reports Are Fake

Posted in Deception, GNU/Linux, Microsoft, Red Hat, Security, Servers, Windows at 6:14 am by Dr. Roy Schestowitz

Microsoft lies

Summary: Mike Reavey, the director of the Microsoft Security Response Center, admits that Microsoft is silently patching vulnerabilities without ever reporting the problem

IT’S official. Microsoft is a liar. Again. Now there is even admission from Microsoft, confirming an issue which we first raised some weeks ago. Whenever Microsoft says it patches x number of flaws with y number of patches/bulletins, Microsoft ought to be assumed to be lying. Microsoft’s silent patching is a subject we have been covering for years and it helps explain why one in two Windows PCs is believed to be a zombie PC, despite Microsoft’s claims that all of its flaws are being addressed. All those fake comparisons against platforms like Red Hat Enterprise Linux (where Microsoft stacks up and aggregates numbers of flaws) can be thrown into the wastebasket. If convincing proof is needed, here it is. Microsoft first tried to spin it (for weeks) and now it gives up and tells the truth.

Microsoft Official Admits to Quiet Security Patching

Microsoft doesn’t report all security vulnerabilities that it fixes in its software. Bug comparisons between vendors therefore paint an incorrect picture.

“We don’t document every issue found,” Mike Reavey, director of the Microsoft Security Response Center (MSRC), said at a meeting with reporters at the company’s corporate headquarters in Redmond, Washington.

Microsoft will issue a Common Vulnerabilities and Exposures (CVE) number to a vulnerability for flaws that share the same severity, have an attack vector and a workaround. If several flaws share all the same properties, they will not be reported separately, Reavey said.

The nondisclosure of fixes was brought to light early this month by a company called Core Security Technologies. After studying the Microsoft patches MS10-024 and MS10-028, it noticed three silent fixes. Security bulletin MS10-028 addressed a flaw that would expose a user of Microsoft Visio to a buffer overflow attack, which would allow an attacker to take over control of the system.

Finally. Thanks for the honesty. So how much damage has been caused by Microsoft’s lies so far. Microsoft has been denying this for years, but not exactly denying, either. It was spinning and avoiding the actual question. It’s the art of lying without practically lying, just evading. Adobe is at least honest about its proprietary software being insecure garbage. As far as we are aware, Adobe hasn’t a long history of systematic lying, unlike Microsoft.

“Microsoft smacks patch-blocking rootkit second time,” says another new report from Gregg Keizer.

For the second month in a row, Microsoft has tried to eradicate a mutating rootkit that has blocked some Windows users from installing security updates.

Here is another one (also here):

Jerry Bryant, a group manager with the Microsoft Security Response Center (MSRC), said his team is looking into Raskin’s claims, but hinted that Microsoft wouldn’t be patching IE anytime soon. “I wouldn’t classify this as a ‘vulnerability’ though,” Bryant said in an e-mail answer to questions.

The followup says:

Will browser makers patch this? Unlikely. Microsoft’s Jerry Bryant, a general manager at the company’s security response center, said the issue isn’t a security vulnerability per se, and that Internet Explorer (IE) falls for the scam because that’s the way browsers work.

“Working with [Raskin's] proof-of-concept, as written, is expected,” he said in an e-mail Tuesday when asked whether Microsoft had a fix in mind for IE.

Let’s remember how much damage was caused this year because Microsoft had refused to patch known Internet Explorer flaws for five months [1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12]. Where is the liability [1, 2, 3, 4, 5]? Watch what it happening in Denver right now.

Denver officials have asked the FBI, Denver police and Microsoft Corp. to help them identify the person or people who have hacked into the city’s website twice in the past week.

If Microsoft gets involved, then it almost must be a Windows server.

Share this post: These icons link to social bookmarking sites where readers can share and discover new web pages.
  • Digg
  • del.icio.us
  • Reddit
  • co.mments
  • DZone
  • email
  • Google Bookmarks
  • LinkedIn
  • NewsVine
  • Print
  • Technorati
  • TwitThis
  • Facebook

If you liked this post, consider subscribing to the RSS feed or join us now at the IRC channels.

Pages that cross-reference this one

A Single Comment

  1. twitter said,

    June 1, 2010 at 5:52 pm

    Gravatar

    Microsoft was cornered in two ways. First, people noticed a “silent patch”. The more fundamental bust, however, is that no one with a clue ever believed the “get the facts” propaganda. Only someone with a financial interest will tell you that Windows and GNU/Linux security are equivalent. Only someone without free software experience will believe them.

    Microsoft will go on telling the same lies. “Get the Facts” was not some kind of subtle spin. It was a direct lie, constructed of fabricated evidence, relentlessly pushed anywhere and everywhere people with computer purchasing power and developers had a discussion. Each point of the lie was refuted almost as many times. Someone might get fired for getting caught and Microsoft will keep telling the world that Windows is the most secure software ever.

What Else is New


  1. Links 13/12/2019: Zorin OS 15.1, Vim 8.2

    Links for the day



  2. Linux Foundation Has Outsourced All the Licence Compliance Stuff to Microsoft, a Serial GPL Violator

    OpenChain Specification/OpenChain Project and Automated Compliance Tooling (ACT) are yet more examples -- the latest of many -- of the Linux Foundation being outsourced to Microsoft, not only for code but also documentation and hosting



  3. IRC Proceedings: Thursday, December 12, 2019

    IRC logs for Thursday, December 12, 2019



  4. Copyleft: Keeping Code Free

    Now that news about "Linux" is dominated by promotion of proprietary software we ought to remember what perpetrators of such a strategy seek to eliminate



  5. Plans That Worked, Plans That Failed

    "I am still looking for good news, but the more good I try to find, the more nastiness I uncover. This is by far, Free software's worst year ever. 2019 Sucks!"



  6. Links 12/12/2019: KDE Applications 19.12, Qt Creator 4.11, New VirtualBox

    Links for the day



  7. Brand Dilution in Action

    Microsoft's proprietary software which spies on people and businesses is getting a "free ride" on the "Linux" brand; and nobody seems to care, nobody seems to notice how perverse that it



  8. At the EPO Money -- Not Quality -- is King

    Financiers are ruining quality



  9. The EPO's Strategic Failure 2023

    Potemkin social dialogue



  10. IRC Proceedings: Wednesday, December 11, 2019

    IRC logs for Wednesday, December 11, 2019



  11. EPO Promoting Software Patents in Countries Where These Are Illegal

    The EPO's vision of 'unitary' software patents (patents on algorithms in countries that disallow such patents, as per their national laws) won't materialise, but in the meantime a lot of Invalid Patents (IPs) are granted in the form of European Patents (EPs) and this is wrong



  12. We Support GNU and the FSF But Remain Sceptical and Occasionally Worry About an RMS-less FSF

    Richard Stallman (RMS) is not in charge of the FSF anymore (it's Stallman who created the FSF) and there's risk the decisions will be made by people who don't share Stallman's ethics or the FSF's spirit



  13. Links 11/12/2019: Huawei Lobbied by Microsoft (Because of GNU/Linux) and Microsoft Still Googlebombs Linux to Promote 'Teams'

    Links for the day



  14. Links 11/12/2019: Edge Native Working Group, CrossOver 19.0 Released

    Links for the day



  15. Instead of Fixing Bug #1 Canonical/Ubuntu Contributes to Making the Bug Even More Severe (WSL/EEE)

    Following one seminal report about Canonical financially contributing to Microsoft's EEE efforts — celebrated openly by GNU/Linux opponentsclosing bug #1 Ubuntu basically decided not that it was fixed but that it would no longer attempt to fix it (“wontfix”)



  16. IRC Proceedings: Tuesday, December 10, 2019

    IRC logs for Tuesday, December 10, 2019



  17. Today's Example of Microsoft's Faked 'Love'

    “On 7 September 2017, users began noticing a message that stated “Skype for Business is now Microsoft Teams”. This was confirmed on 25 September 2017, at Microsoft’s annual Ignite conference,” according to Wikipedia



  18. Links 10/12/2019: Kubernetes 1.17, Debian Init Systems GR

    Links for the day



  19. 'Cancel Culture' as 'Thoughtpolice' Creep

    Richard Stallman spoke about an important aspect of censorship more than 2 decades ago (before “Open Source” even existed); it was published in Datamation (“Censoring My Software”) 23 years before a campaign of defamation on the Internet was used to remove him from MIT and FSF (censoring or ‘canceling’ Stallman himself)



  20. Microsoft Still Hates GNU/Linux and Mark Shuttleworth Knows It (But He is Desperate for Money)

    We're supposed to believe that a PR or image management (reputation laundering) campaign alone can turn Microsoft from GNU/Linux foe into friend/ally



  21. Actions Against EPO Corruption and Unitary Patent (UPC) Injustice/Lobbying

    The EPO is apparently going on strike again and an action against the UPC is scheduled for later this week (protest in Brussels)



  22. “The Fifth Freedom as a Meme”

    The issue with systemd (or SystemD) has provoked or at least stimulated discussions about the limits of the famous Four Freedoms



  23. IRC Proceedings: Monday, December 09, 2019

    IRC logs for Monday, December 09, 2019



  24. Demonstration Against Unitary Software Patents, Thursday 12 Dec in Brussels

    FFII's call to demonstrate against the UPC



  25. Links 9/12/2019: China on GNU/Linux, Canonical Wants Help to Improve Ubuntu

    Links for the day



  26. Links 9/12/2019: Linux 5.5 RC1, EasyOS Buster 2.1.9

    Links for the day



  27. IRC Proceedings: Sunday, December 08, 2019

    IRC logs for Sunday, December 08, 2019



  28. Mandatory Education for Those Who Use and Misuse Buzzwords Would Go a Long Way

    In an age of substitution — where marketing terms replace meaningful words and concepts — it has gotten more difficult to have honest debates, for example about the scope of patents



  29. Once Upon a Time Banter Was Allowed on Mailing Lists

    Hours ago Torvalds announced RC1 of the next Linux (kernel) release; it has been a while since he last said something ‘controversial’ (following his month at the penalty box); free speech deficit can make us weaker, not stronger (advantage to those who work in the dark)



  30. Links 8/12/2019: Debian Init Systems GR, NomadBSD 1.3

    Links for the day


RSS 64x64RSS Feed: subscribe to the RSS feed for regular updates

Home iconSite Wiki: You can improve this site by helping the extension of the site's content

Home iconSite Home: Background about the site and some key features in the front page

Chat iconIRC Channel: Come and chat with us in real time

Recent Posts