
05.31.10

Microsoft Finally Admits Numbers of Vulnerabilities It Reports Are Fake

Posted in Deception, GNU/Linux, Microsoft, Red Hat, Security, Servers, Windows at 6:14 am by Dr. Roy Schestowitz

Microsoft lies

Summary: Mike Reavey, the director of the Microsoft Security Response Center, admits that Microsoft is silently patching vulnerabilities without ever reporting the problem

IT’S official. Microsoft is a liar. Again. Now there is even admission from Microsoft, confirming an issue which we first raised some weeks ago. Whenever Microsoft says it patches x number of flaws with y number of patches/bulletins, Microsoft ought to be assumed to be lying. Microsoft’s silent patching is a subject we have been covering for years and it helps explain why one in two Windows PCs is believed to be a zombie PC, despite Microsoft’s claims that all of its flaws are being addressed. All those fake comparisons against platforms like Red Hat Enterprise Linux (where Microsoft stacks up and aggregates numbers of flaws) can be thrown into the wastebasket. If convincing proof is needed, here it is. Microsoft first tried to spin it (for weeks) and now it gives up and tells the truth.

Microsoft Official Admits to Quiet Security Patching

Microsoft doesn’t report all security vulnerabilities that it fixes in its software. Bug comparisons between vendors therefore paint an incorrect picture.

“We don’t document every issue found,” Mike Reavey, director of the Microsoft Security Response Center (MSRC), said at a meeting with reporters at the company’s corporate headquarters in Redmond, Washington.

Microsoft will issue a Common Vulnerabilities and Exposures (CVE) number to a vulnerability for flaws that share the same severity, have an attack vector and a workaround. If several flaws share all the same properties, they will not be reported separately, Reavey said.

The nondisclosure of fixes was brought to light early this month by a company called Core Security Technologies. After studying the Microsoft patches MS10-024 and MS10-028, it noticed three silent fixes. Security bulletin MS10-028 addressed a flaw that would expose a user of Microsoft Visio to a buffer overflow attack, which would allow an attacker to take over control of the system.

Finally. Thanks for the honesty. So how much damage has been caused by Microsoft’s lies so far? Microsoft has been denying this for years, but not exactly denying, either. It was spinning and avoiding the actual question. It’s the art of lying without practically lying, just evading. Adobe is at least honest about its proprietary software being insecure garbage. As far as we are aware, Adobe doesn’t have a long history of systematic lying, unlike Microsoft.

“Microsoft smacks patch-blocking rootkit second time,” says another new report from Gregg Keizer.

For the second month in a row, Microsoft has tried to eradicate a mutating rootkit that has blocked some Windows users from installing security updates.

Here is another one (also here):

Jerry Bryant, a group manager with the Microsoft Security Response Center (MSRC), said his team is looking into Raskin’s claims, but hinted that Microsoft wouldn’t be patching IE anytime soon. “I wouldn’t classify this as a ‘vulnerability’ though,” Bryant said in an e-mail answer to questions.

The followup says:

Will browser makers patch this? Unlikely. Microsoft’s Jerry Bryant, a general manager at the company’s security response center, said the issue isn’t a security vulnerability per se, and that Internet Explorer (IE) falls for the scam because that’s the way browsers work.

“Working with [Raskin's] proof-of-concept, as written, is expected,” he said in an e-mail Tuesday when asked whether Microsoft had a fix in mind for IE.

Let’s remember how much damage was caused this year because Microsoft had refused to patch known Internet Explorer flaws for five months [1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12]. Where is the liability [1, 2, 3, 4, 5]? Watch what is happening in Denver right now.

Denver officials have asked the FBI, Denver police and Microsoft Corp. to help them identify the person or people who have hacked into the city’s website twice in the past week.

If Microsoft gets involved, then it is almost certainly a Windows server.


A Single Comment

  1. twitter said,

    June 1, 2010 at 5:52 pm


    Microsoft was cornered in two ways. First, people noticed a “silent patch”. The more fundamental bust, however, is that no one with a clue ever believed the “get the facts” propaganda. Only someone with a financial interest will tell you that Windows and GNU/Linux security are equivalent. Only someone without free software experience will believe them.

    Microsoft will go on telling the same lies. “Get the Facts” was not some kind of subtle spin. It was a direct lie, constructed of fabricated evidence, relentlessly pushed anywhere and everywhere people with computer purchasing power and developers had a discussion. Each point of the lie was refuted almost as many times. Someone might get fired for getting caught and Microsoft will keep telling the world that Windows is the most secure software ever.
