
05.31.10

Microsoft Finally Admits Numbers of Vulnerabilities It Reports Are Fake

Posted in Deception, GNU/Linux, Microsoft, Red Hat, Security, Servers, Windows at 6:14 am by Dr. Roy Schestowitz


Summary: Mike Reavey, the director of the Microsoft Security Response Center, admits that Microsoft is silently patching vulnerabilities without ever reporting the problem

IT’S official. Microsoft is a liar. Again. Now there is even admission from Microsoft, confirming an issue which we first raised some weeks ago. Whenever Microsoft says it patches x number of flaws with y number of patches/bulletins, Microsoft ought to be assumed to be lying. Microsoft’s silent patching is a subject we have been covering for years and it helps explain why one in two Windows PCs is believed to be a zombie PC, despite Microsoft’s claims that all of its flaws are being addressed. All those fake comparisons against platforms like Red Hat Enterprise Linux (where Microsoft stacks up and aggregates numbers of flaws) can be thrown into the wastebasket. If convincing proof is needed, here it is. Microsoft first tried to spin it (for weeks) and now it gives up and tells the truth.

Microsoft Official Admits to Quiet Security Patching

Microsoft doesn’t report all security vulnerabilities that it fixes in its software. Bug comparisons between vendors therefore paint an incorrect picture.

“We don’t document every issue found,” Mike Reavey, director of the Microsoft Security Response Center (MSRC), said at a meeting with reporters at the company’s corporate headquarters in Redmond, Washington.

Microsoft will issue a Common Vulnerabilities and Exposures (CVE) number to a vulnerability for flaws that share the same severity, have an attack vector and a workaround. If several flaws share all the same properties, they will not be reported separately, Reavey said.

The nondisclosure of fixes was brought to light early this month by a company called Core Security Technologies. After studying the Microsoft patches MS10-024 and MS10-028, it noticed three silent fixes. Security bulletin MS10-028 addressed a flaw that would expose a user of Microsoft Visio to a buffer overflow attack, which would allow an attacker to take over control of the system.
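The quoted report describes an aggregation policy: several fixed flaws that share the same severity, attack vector and workaround get a single CVE. The following is an added example, not code from the article or from Microsoft, showing why a count of CVEs reported under such a policy is not the same number as the count of flaws actually fixed, and so cannot be compared one-to-one with a vendor that assigns one CVE per flaw. The flaw records, bulletin names and flaw ids are constructed for illustration and do not describe the contents of any real bulletin.

```python
"""Added example: effect of grouping flaws by (severity, attack vector,
workaround) on the number of CVEs a vendor reports. All records below are
constructed; they are not the real contents of MS10-024, MS10-028 or any
other bulletin."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class FixedFlaw:
    flaw_id: str        # constructed identifier for one distinct fixed flaw
    bulletin: str       # constructed bulletin name, not a real one
    severity: str
    attack_vector: str
    workaround: str


def group_key(flaw: FixedFlaw) -> tuple:
    """The three properties the article says decide whether flaws share a CVE."""
    return (flaw.severity, flaw.attack_vector, flaw.workaround)


def cves_under_grouping_policy(flaws):
    """Map each (severity, attack vector, workaround) key to the flaws it absorbs.
    Every key stands for one CVE that would be issued under the described policy."""
    groups = defaultdict(list)
    for flaw in flaws:
        groups[group_key(flaw)].append(flaw)
    return dict(groups)


def reported_vs_fixed(flaws):
    """Return (CVEs reported, flaws fixed, flaws left without a CVE of their own).
    A defender comparing vendors should compare the second number, not the first."""
    reported = len(cves_under_grouping_policy(flaws))
    fixed = len(flaws)
    return reported, fixed, fixed - reported


def flaws_without_own_cve(flaws):
    """Ids of the flaws that a per-CVE count never shows: all but the first
    member of every group with more than one flaw."""
    hidden = []
    for members in cves_under_grouping_policy(flaws).values():
        hidden.extend(f.flaw_id for f in members[1:])
    return hidden


# Constructed sample: three distinct file-parsing bugs with identical
# properties, plus two network-reachable bugs that differ only in severity.
CONSTRUCTED_FLAWS = [
    FixedFlaw("FLAW-1", "BULLETIN-A", "Critical", "crafted file", "do not open untrusted files"),
    FixedFlaw("FLAW-2", "BULLETIN-A", "Critical", "crafted file", "do not open untrusted files"),
    FixedFlaw("FLAW-3", "BULLETIN-A", "Critical", "crafted file", "do not open untrusted files"),
    FixedFlaw("FLAW-4", "BULLETIN-B", "Important", "network", "block the service port"),
    FixedFlaw("FLAW-5", "BULLETIN-B", "Moderate", "network", "block the service port"),
]

if __name__ == "__main__":
    reported, fixed, hidden = reported_vs_fixed(CONSTRUCTED_FLAWS)
    print(f"CVEs reported: {reported}, flaws fixed: {fixed}, without own CVE: {hidden}")
    print("flaws with no CVE of their own:", flaws_without_own_cve(CONSTRUCTED_FLAWS))
```

On the constructed sample the policy reports 3 CVEs for 5 fixed flaws; a vendor that numbers every flaw would report 5 for the same work, so a per-CVE league table ranks the grouping vendor as having fewer bugs. The only defensible comparison normalises to distinct fixed flaws, which is exactly the figure a vendor that does not document every fix never publishes.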

Finally. Thanks for the honesty. So how much damage has been caused by Microsoft’s lies so far? Microsoft has been denying this for years, but not exactly denying, either. It was spinning and avoiding the actual question. It’s the art of lying without practically lying, just evading. Adobe is at least honest about its proprietary software being insecure garbage. As far as we are aware, Adobe doesn’t have a long history of systematic lying, unlike Microsoft.

“Microsoft smacks patch-blocking rootkit second time,” says another new report from Gregg Keizer.

For the second month in a row, Microsoft has tried to eradicate a mutating rootkit that has blocked some Windows users from installing security updates.

Here is another one (also here):

Jerry Bryant, a group manager with the Microsoft Security Response Center (MSRC), said his team is looking into Raskin’s claims, but hinted that Microsoft wouldn’t be patching IE anytime soon. “I wouldn’t classify this as a ‘vulnerability’ though,” Bryant said in an e-mail answer to questions.

The followup says:

Will browser makers patch this? Unlikely. Microsoft’s Jerry Bryant, a general manager at the company’s security response center, said the issue isn’t a security vulnerability per se, and that Internet Explorer (IE) falls for the scam because that’s the way browsers work.

“Working with [Raskin's] proof-of-concept, as written, is expected,” he said in an e-mail Tuesday when asked whether Microsoft had a fix in mind for IE.

Let’s remember how much damage was caused this year because Microsoft had refused to patch known Internet Explorer flaws for five months [1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12]. Where is the liability [1, 2, 3, 4, 5]? Watch what is happening in Denver right now.

Denver officials have asked the FBI, Denver police and Microsoft Corp. to help them identify the person or people who have hacked into the city’s website twice in the past week.

If Microsoft gets involved, then it almost must be a Windows server.


A Single Comment

  1. twitter said,

    June 1, 2010 at 5:52 pm


    Microsoft was cornered in two ways. First, people noticed a “silent patch”. The more fundamental bust, however, is that no one with a clue ever believed the “get the facts” propaganda. Only someone with a financial interest will tell you that Windows and GNU/Linux security are equivalent. Only someone without free software experience will believe them.

    Microsoft will go on telling the same lies. “Get the Facts” was not some kind of subtle spin. It was a direct lie, constructed of fabricated evidence, relentlessly pushed anywhere and everywhere people with computer purchasing power and developers had a discussion. Each point of the lie was refuted almost as many times. Someone might get fired for getting caught and Microsoft will keep telling the world that Windows is the most secure software ever.
