EditorsAbout the SiteComes vs. MicrosoftUsing This Web SiteSite ArchivesCredibility IndexOOXMLOpenDocumentPatentsNovellNews DigestSite NewsRSS

05.31.10

Microsoft Finally Admits Numbers of Vulnerabilities It Reports Are Fake

Posted in Deception, GNU/Linux, Microsoft, Red Hat, Security, Servers, Windows at 6:14 am by Dr. Roy Schestowitz

Microsoft lies

Summary: Mike Reavey, the director of the Microsoft Security Response Center, admits that Microsoft is silently patching vulnerabilities without ever reporting the problem

IT’S official. Microsoft is a liar. Again. Now there is even admission from Microsoft, confirming an issue which we first raised some weeks ago. Whenever Microsoft says it patches x number of flaws with y number of patches/bulletins, Microsoft ought to be assumed to be lying. Microsoft’s silent patching is a subject we have been covering for years and it helps explain why one in two Windows PCs is believed to be a zombie PC, despite Microsoft’s claims that all of its flaws are being addressed. All those fake comparisons against platforms like Red Hat Enterprise Linux (where Microsoft stacks up and aggregates numbers of flaws) can be thrown into the wastebasket. If convincing proof is needed, here it is. Microsoft first tried to spin it (for weeks) and now it gives up and tells the truth.

Microsoft Official Admits to Quiet Security Patching

Microsoft doesn’t report all security vulnerabilities that it fixes in its software. Bug comparisons between vendors therefore paint an incorrect picture.

“We don’t document every issue found,” Mike Reavey, director of the Microsoft Security Response Center (MSRC), said at a meeting with reporters at the company’s corporate headquarters in Redmond, Washington.

Microsoft will issue a Common Vulnerabilities and Exposures (CVE) number to a vulnerability for flaws that share the same severity, have an attack vector and a workaround. If several flaws share all the same properties, they will not be reported separately, Reavey said.

The nondisclosure of fixes was brought to light early this month by a company called Core Security Technologies. After studying the Microsoft patches MS10-024 and MS10-028, it noticed three silent fixes. Security bulletin MS10-028 addressed a flaw that would expose a user of Microsoft Visio to a buffer overflow attack, which would allow an attacker to take over control of the system.

Finally. Thanks for the honesty. So how much damage has been caused by Microsoft’s lies so far. Microsoft has been denying this for years, but not exactly denying, either. It was spinning and avoiding the actual question. It’s the art of lying without practically lying, just evading. Adobe is at least honest about its proprietary software being insecure garbage. As far as we are aware, Adobe hasn’t a long history of systematic lying, unlike Microsoft.

“Microsoft smacks patch-blocking rootkit second time,” says another new report from Gregg Keizer.

For the second month in a row, Microsoft has tried to eradicate a mutating rootkit that has blocked some Windows users from installing security updates.

Here is another one (also here):

Jerry Bryant, a group manager with the Microsoft Security Response Center (MSRC), said his team is looking into Raskin’s claims, but hinted that Microsoft wouldn’t be patching IE anytime soon. “I wouldn’t classify this as a ‘vulnerability’ though,” Bryant said in an e-mail answer to questions.

The followup says:

Will browser makers patch this? Unlikely. Microsoft’s Jerry Bryant, a general manager at the company’s security response center, said the issue isn’t a security vulnerability per se, and that Internet Explorer (IE) falls for the scam because that’s the way browsers work.

“Working with [Raskin's] proof-of-concept, as written, is expected,” he said in an e-mail Tuesday when asked whether Microsoft had a fix in mind for IE.

Let’s remember how much damage was caused this year because Microsoft had refused to patch known Internet Explorer flaws for five months [1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12]. Where is the liability [1, 2, 3, 4, 5]? Watch what it happening in Denver right now.

Denver officials have asked the FBI, Denver police and Microsoft Corp. to help them identify the person or people who have hacked into the city’s website twice in the past week.

If Microsoft gets involved, then it almost must be a Windows server.

Share this post: These icons link to social bookmarking sites where readers can share and discover new web pages.
  • Digg
  • del.icio.us
  • Reddit
  • co.mments
  • DZone
  • email
  • Google Bookmarks
  • LinkedIn
  • NewsVine
  • Print
  • Technorati
  • TwitThis
  • Facebook

If you liked this post, consider subscribing to the RSS feed or join us now at the IRC channels.

Pages that cross-reference this one

A Single Comment

  1. twitter said,

    June 1, 2010 at 5:52 pm

    Gravatar

    Microsoft was cornered in two ways. First, people noticed a “silent patch”. The more fundamental bust, however, is that no one with a clue ever believed the “get the facts” propaganda. Only someone with a financial interest will tell you that Windows and GNU/Linux security are equivalent. Only someone without free software experience will believe them.

    Microsoft will go on telling the same lies. “Get the Facts” was not some kind of subtle spin. It was a direct lie, constructed of fabricated evidence, relentlessly pushed anywhere and everywhere people with computer purchasing power and developers had a discussion. Each point of the lie was refuted almost as many times. Someone might get fired for getting caught and Microsoft will keep telling the world that Windows is the most secure software ever.

What Else is New


  1. IAM is Pushing SEPs/FRAND Agenda for Patent Trolls and Monopolists That Fund IAM

    The front group of patent trolls, IAM, sets up an echo chamber-type event, preceded by all the usual pro-FRAND propaganda



  2. “Trade Secrets” Litigation Rising in the Wake of TC Heartland, Alice, Oil States and Other Patent-Minimising Decisions

    Litigation strategies are evolving in the wake of top-level decisions that rule out software patents, restrict venue shifting, and facilitate invalidation of patents even outside the courtroom



  3. The EPO -- Like the Unified Patent Court (UPC) and Unitary Patent System -- is an Untenable Mess

    The António Campinos-led EPO, nearly three weeks under his leadership, still fails to commit to justice (court rulings not obeyed), undo union-busting efforts and assure independence of judges; this, among other factors, is why the Office/Organisation and the UPC it wants to manage appear more or less doomed



  4. Links 18/7/2018: System76's Manufacturing Facility, Microsoft-Led Lobby for Antitrust Against Android

    Links for the day



  5. What Patent Lawyers Aren't Saying: Most Patent Litigation Has Become Too Risky to be Worth It

    The lawyers' key to the castle is lost or misplaced; they can't quite find/obtain leverage in courts, but they don't want their clients to know that



  6. Software Patents Royalty (Tax) Campaign by IBM, a Serial Patent Bully, and the EPO's Participation in All This

    The agenda of US-based patent maximalists, including patent trolls and notorious bullies from the United States, is still being served by the 'European' Patent Office, which has already outsourced some of its work (e.g. translations, PR, surveillance) to the US



  7. The European Council Needs to Check Battistelli's Back Room Deals/Back Door/Backchannel With Respect to Christian Archambeau

    Worries persist that Archambeau is about to become an unworthy beneficiary (nepotism) after a Battistelli setup that put Campinos in power, supported by the Belgian delegation which is connected to Archambeau, a national/citizen of Belgium



  8. PTAB and § 101 (Section 101) Have Locked the Patent Parasites Out of the Patent System

    Patent Trial and Appeal Board (PTAB) inter partes reviews (IPRs) have contributed a great deal to patent quality and have reduced the number of frivolous patent lawsuits; this means that firms which profit from patent applications and litigation hate it with a passion and still lobby to weaken if not scuttle PTAB



  9. Patents on Computer Software and Plants in the United States Indicative of Systemic Error

    The never-ending expansion of patent scope has meant that patent law firms generally got their way at the patent office; can the courts react fast enough (before confidence in patents and/or public support for patents is altogether shattered)?



  10. Yesterday's Misleading News From Team UPC and Its Aspiring Management of the Unified Patent Court (UPC)

    The Unified Patent Court (UPC) enthusiasts — i.e. those looking to financially gain from it — continue to wrestle with logic, manipulate words and misrepresent the law; yesterday we saw many law firms trying to make it sound as though the UPC is coming to the UK even though this isn’t possible and UPC as a whole is likely already dead



  11. Time for the European Commission to Investigate EPO Corruption Because It May be Partly or Indirectly Connected to EU-IPO, an EU Agency

    The passage of the top role at the EU-IPO from António Campinos to Christian Archambeau would damage confidence in the moral integrity of the European Council; back room deals are alleged to have occurred, implicating corrupt Battistelli



  12. Links 17/7/2018: Catfish 1.4.6 Released, ReactOS 0.4.9, Red Hat's GPL Compliance Group Grows

    Links for the day



  13. Links 16/7/2018: Linux 4.18 RC5, Latte Dock v0.8, Windows Back Doors Resurface

    Links for the day



  14. Alliance for US Startups and Inventors for Jobs (USIJ) Misleads the US Government, Pretending to Speak for Startups While Spreading Lies for the Patent Microcosm

    In the United States, which nowadays strives to raise the patent bar, the House Small Business Committee heard from technology firms but it also heard from some questionable front groups which claim to support "startups" and "jobs" (but in reality support just patents on the face of it)



  15. 'Blockchain', 'Cloud' and Whatever Else Gets Exploited to Work Around 35 U.S.C. § 101 (or the EPC) and Patent Algorithms/Software

    Looking for a quick buck or some low-quality patents (which courts would almost certainly reject), opportunists carry on with their gold rush, aided by buzzwords and hype over pretty meaningless things



  16. PTAB Defended by the EFF, the R Street Institute and CCIA as the Number of Petitions (IPRs) Continues to Grow

    Patent Trial and Appeal Board (PTAB) inter partes reviews (IPRs) come to the rescue when patently-bogus patents are used, covering totally abstract concepts (like software patents do); IPRs continue to increase in number and opponents of PTAB, who conveniently cherry-pick Supreme Court (SCOTUS) decisions, can't quite stop that



  17. IAM/Joff Wild May Have Become a de Facto Media Partner of the Patent Troll iPEL

    Invitation to trolls in China, courtesy of the patent trolls' lobby called "IAM"; this shows no signs of stopping and has become rather blatant



  18. Cautionary Tale: ILO Administrative Tribunal Cases (Appeals) 'Intercepted' Under António Campinos

    The ILO Administrative Tribunal (ILO-AT) is advertised by the EPO's management as access to justice, but it's still being undermined quite severely to the detriment of aggrieved staff



  19. Asking the USPTO to Comply With 35 U.S.C. § 101 is Like Asking Pentagon Officials to Pursue Real, Persistent Peace

    Some profit from selling weapons, whereas others profit from patent grants and litigation; what's really needed right now is patent sanity and adherence to the public interest as well as the law itself, e.g. Supreme Court (SCOTUS) decisions



  20. BT and Sonos Are Still Patent Bullies, Seeing Patents as a Backup Plan

    The companies seeking to complement their business (or make up for their demise) using patents are still suing rivals while calling that litigation "research and development" (the same old euphemism)



  21. Jim Skippen, a Longtime Patent Troll, Admits That the Trolling Sector is Collapsing

    Canada's biggest patent troll (WiLAN) bar BlackBerry doesn't seem to be doing too well as its CEO leaves the domain altogether



  22. From East Asia to the Eastern District of Texas: XYZ Printing, Maxell, and X2Y Attenuators

    The patent aggression, which relies on improper litigation venues, harms innocent parties a great deal; only their lawyers benefit from all this mess



  23. Links 14/7/2018: Mesa 18.1.4, Elisa 0.2.1, More on Python's Guido van Rossum

    Links for the day



  24. Number of Oppositions to Grants/Awards of European Patents at the EPO Has Skyrocketed, Based on Internal Data

    The number of challenged patents continues to soar and staff of the EPO (examiners already over-encumbered by far too much work, due to unrealistic targets) would struggle to cope or simply be compelled to not properly deal with oppositions



  25. 'Transaction' Complete: Former EPO Executive From Belgium Takes the Seat of António Campinos at EU-IPO

    Rumours that Belgium made a back room deal with Battistelli may be further substantiated with the just-confirmed appointment of Archambeau



  26. EPO Abuses Against People With Disabilities Followed by Legal Bullying?

    The new President of the EPO is not (at least not yet) obeying court rulings from ILO; The above move seems like an attempt to derail ongoing cases at the ILO’s Administrative Tribunal (ILO-AT), i.e. yet more strong-arming



  27. Weeks Later António Campinos Still in Noncompliance With the Courts (ILO's Tribunal)

    'report card' for the ever-so-intransparent (or nontransparent) new President of the EPO, who does not even bother obeying court rulings



  28. Links 13/7/2018: Kube 0.7.0, Trisquel 8.0 LTS Reviewed

    Links for the day



  29. Constitutionality and CJEU as Barriers, the UPC Agreement (UPCA) is Already Moot in the United Kingdom

    The Unified Patent Court (UPC) isn't going anywhere and the UK merely "explores" what to do about it; for Team UPC, however, this means that the UK "confirms intention to remain in Unitary Patent system after Brexit" (clearly a case of deliberate misinformation)



  30. It's Not About EPO 'Backlog' But About Faking 'Production' by Lowering Standards

    Remarks on the EPO dropping all pretenses of genuine care for patent quality; it's all about speed now, never mind if wrongly-granted patents can cause billions in damages across Europe (a lot of that money flows towards patent law firms)


CoPilotCo

RSS 64x64RSS Feed: subscribe to the RSS feed for regular updates

Home iconSite Wiki: You can improve this site by helping the extension of the site's content

Home iconSite Home: Background about the site and some key features in the front page

Chat iconIRC Channel: Come and chat with us in real time

CoPilotCo

Recent Posts