
05.31.10

Microsoft Finally Admits Numbers of Vulnerabilities It Reports Are Fake

Posted in Deception, GNU/Linux, Microsoft, Red Hat, Security, Servers, Windows at 6:14 am by Dr. Roy Schestowitz


Summary: Mike Reavey, the director of the Microsoft Security Response Center, admits that Microsoft is silently patching vulnerabilities without ever reporting the problem

It’s official. Microsoft is a liar. Again. Now there is even an admission from Microsoft confirming an issue we first raised some weeks ago. Whenever Microsoft says it patches x number of flaws with y number of patches/bulletins, Microsoft ought to be assumed to be lying. Microsoft’s silent patching is a subject we have been covering for years, and it helps explain why one in two Windows PCs is believed to be a zombie PC, despite Microsoft’s claims that all of its flaws are being addressed. All those fake comparisons against platforms like Red Hat Enterprise Linux (where Microsoft stacks up and aggregates numbers of flaws) can be thrown into the wastebasket. If convincing proof is needed, here it is. Microsoft first tried to spin it (for weeks) and now it gives up and tells the truth.

Microsoft Official Admits to Quiet Security Patching

Microsoft doesn’t report all security vulnerabilities that it fixes in its software. Bug comparisons between vendors therefore paint an incorrect picture.

“We don’t document every issue found,” Mike Reavey, director of the Microsoft Security Response Center (MSRC), said at a meeting with reporters at the company’s corporate headquarters in Redmond, Washington.

Microsoft will issue a Common Vulnerabilities and Exposures (CVE) number to a vulnerability for flaws that share the same severity, have an attack vector and a workaround. If several flaws share all the same properties, they will not be reported separately, Reavey said.

The nondisclosure of fixes was brought to light early this month by a company called Core Security Technologies. After studying the Microsoft patches MS10-024 and MS10-028, it noticed three silent fixes. Security bulletin MS10-028 addressed a flaw that would expose a user of Microsoft Visio to a buffer overflow attack, which would allow an attacker to take over control of the system.

Finally. Thanks for the honesty. So how much damage has been caused by Microsoft’s lies so far? Microsoft has been denying this for years, but not exactly denying, either. It was spinning and avoiding the actual question. It’s the art of lying without technically lying, just evading. Adobe is at least honest about its proprietary software being insecure garbage. As far as we are aware, Adobe does not have a long history of systematic lying, unlike Microsoft.

“Microsoft smacks patch-blocking rootkit second time,” says another new report from Gregg Keizer.

For the second month in a row, Microsoft has tried to eradicate a mutating rootkit that has blocked some Windows users from installing security updates.

Here is another one (also here):

Jerry Bryant, a group manager with the Microsoft Security Response Center (MSRC), said his team is looking into Raskin’s claims, but hinted that Microsoft wouldn’t be patching IE anytime soon. “I wouldn’t classify this as a ‘vulnerability’ though,” Bryant said in an e-mail answer to questions.

The followup says:

Will browser makers patch this? Unlikely. Microsoft’s Jerry Bryant, a general manager at the company’s security response center, said the issue isn’t a security vulnerability per se, and that Internet Explorer (IE) falls for the scam because that’s the way browsers work.

“Working with [Raskin's] proof-of-concept, as written, is expected,” he said in an e-mail Tuesday when asked whether Microsoft had a fix in mind for IE.

Let’s remember how much damage was caused this year because Microsoft had refused to patch known Internet Explorer flaws for five months [1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12]. Where is the liability [1, 2, 3, 4, 5]? Watch what is happening in Denver right now.

Denver officials have asked the FBI, Denver police and Microsoft Corp. to help them identify the person or people who have hacked into the city’s website twice in the past week.

If Microsoft gets involved, then it is almost certainly a Windows server.


A Single Comment

  1. twitter said,

    June 1, 2010 at 5:52 pm


    Microsoft was cornered in two ways. First, people noticed a “silent patch”. The more fundamental bust, however, is that no one with a clue ever believed the “get the facts” propaganda. Only someone with a financial interest will tell you that Windows and GNU/Linux security are equivalent. Only someone without free software experience will believe them.

    Microsoft will go on telling the same lies. “Get the Facts” was not some kind of subtle spin. It was a direct lie, constructed of fabricated evidence, relentlessly pushed anywhere and everywhere people with computer purchasing power and developers had a discussion. Each point of the lie was refuted almost as many times. Someone might get fired for getting caught and Microsoft will keep telling the world that Windows is the most secure software ever.
