Bonum Certa Men Certa

FUD Alert: Microsoft's Jeff Jones Aims His Lying Pistol at Firefox (Updated)

More lies reveal new fears

Jim Powers wrote to point out this bit from Glyn Moody:

So, Microsoft refers to a report that just happens to be written by one of its employees, but without mentioning that fact.


This isn't exactly new (Matt Asay pointed this out a couple of days ago), but it connects nicely to our observation that Microsoft uses its internal people and various hired 'analysts' to deceive the public. More on that in a moment, but first, here's Asay's take.

It's a convenient fiction that buying everything from one vendor makes life easier. It may make installation and integration between programs easier, but that ease leads to single points of failure. Hijacking a browser is nice, but using the browser to dig deep into the OS, to have that hijacking facilitated by a too-close tie between the browser and the OS? Even better.


For reasons that were briefly mentioned a couple of days ago, Microsoft likes to hide its patches (or simply not patch at all) in order to keep up appearance. There are some recent examples of this, e.g.:

1. Skeletons in Microsoft’s Patch Day closet

This is the first time I’ve seen Microsoft prominently admit to silently fixing vulnerabilities in its bulletins — a controversial practice that effectively reduces the number of publicly documented bug fixes (for those keeping count) and affects patch management/deployment decisions.


2. Beware of undisclosed Microsoft patches

Forget for a moment whether Microsoft is throwing off patch counts that Microsoft brass use to compare its security record with those of its competitors. What do you think of Redmond’s silent patching practice?


Then, consider the invalidity of patch count.

Sorry, but Microsoft's self-evaluating security counting isn't really a good accounting.

[...]

The point: Don't count on security flaw counting. The real flaw is the counting.


Only days ago, the weaknesses of Internet Explorer security were mentioned in the following article.

When Didier Stevens recently took a closer look at some Internet Explorer malware that he had found, something surprised him somwehat. He discovered that the IE-targeted malware had been obfuscated with null-bytes (0x00) and when run against VirusTotal, he found that fewer than half of the products identified the sample as malware (15 of 32). When all null-bytes were removed, the chances of successful detection improved, though not as much as would normally be expected (25 of 32 detections).


Going further back you'll find that IE7 has already been the victim of quite a lot of "critical" flaws (the highest level of severity, which compromises the operating system remotely, with or without user intervention). Examples include:

1. Code posted for Internet Explorer attack

"This type of vulnerability has been very popular with malicious attacks in the past, and we expect to see its usage increase substantially, now that exploit code is publicly available," security vendor Websense. warned in a note published Monday.


2. Microsoft probes possible IE 7 phishing hole

The vulnerability relates to the message IE displays when Web page loading is aborted, Raff wrote. An attacker can rig the message by creating a malicious link. The message will offer a link to retry loading the page; hitting it brings up the attacker's page, but showing an arbitrary Web address, he wrote.


3. Critical IE Graphics Flaw Resurfaces

It's bad enough when crooks exploit bugs to ruin a home computer, but the consequences of a successful attack can be much worse. A substitute teacher in Norwich, Connecticut, found that out when a computer she was using in her classroom suddenly started showing pornographic pop-up ads to everyone in the class. She now faces up to 40 years in prison after being convicted of willfully showing her students the images. A security expert hired by her defense, however, says he found malicious software on the PC.


4. Monthly Microsoft Patch Hides Tricky IE 7 Download

Opinion: Microsoft used the January 2007 security update to induce users to try Internet Explorer 7.0 whether they wanted to or not. But after discovering they had been involuntarily upgraded to the new browser, they next found that application incompatibility effectively cut them off from the Internet.


5. Attack code out for 'critical' Windows flaw

All recent versions of Windows are vulnerable when all recent versions of IE, including IE 7, are in use, according to Microsoft.


6. IE7 'critical update' causes headaches for managed desktop environments

As many organisations may not feel compelled to turn off automatic updates, they should be prepared to face this is issue when Internet Explorer 7 is downloaded and installed automatically.


7. IE 7 bugs abound

"But browser testers may already be at risk, according to security researcher Tom Ferris. Late Tuesday, Ferris released details of a potential security flaw in IE 7. An attacker could exploit the flaw by crafting a special Web page that could be used to crash the browser or gain complete control of a vulnerable system, Ferris said in an advisory on his Web site. Microsoft had no immediate comment on Ferris' alert."


8. Information disclosure bug blights IE7 release

The flaw stems from error in the handling of redirections for URLs with the "mhtml:" URI handler. Security notification firm Secunia reports that the same bug was discovered six months ago in IE6 but remains unresolved.


9. IE Used to Launch Instant Messaging and Questionable Clicks

First of all, you need to visit an infection site using Internet Explorer - this exploit doesn't work in Firefox, for example.


10. IE Exploit Could Soon Be Used By 10,000-plus Sites

First reported by Florida-based Sunbelt Software Tuesday, the bug has already been used to compromise PCs and load them with scores of adware and spyware programs, as well as other malicious code. Users surfing with IE 6 and earlier can be infected simply by viewing the wrong site.


11. Russian sites using new IE bug to install spyware

This is the second unpatched flaw found in IE over the past week. On Sept. 14, researchers posted code that could be used to exploit a different vulnerability in a multimedia component of the Web browser. Microsoft is still investigating that flaw and is not saying whether it too will be patched next month.


12. Seen in the wild: Zero Day exploit being used to infect PCs

The exploit uses a bug in VML in Internet Explorer to overflow a buffer and inject shellcode. It is currently on and off again at a number of sites.

Security researchers at Microsoft have been informed.


13. Attack code targets new IE hole

Computer code that could be used to hijack Windows PCs via a yet-to-be-patched Internet Explorer flaw has been posted on the Net, experts have warned.


Then, come to consider some comparisons, e.g.:

1. Which Is Safer: Internet Explorer 7 or Firefox 2.0

In the SmartWare test, Microsoft's Internet Explorer 7 blocked 690 known phishing sites, or 66.35 percent of the total. In contrast, Firefox blocked 78.85 percent when using a local antiphishing database and 81.54 percent when using the online database.


2. Firefox Still Tops IE for Browser Security

"Mozilla is forthcoming about vulnerabilities," Levy said, whereas "it takes Microsoft far longer to acknowledge vulnerability."

How much longer? "In the last reporting period, the second half of last year, Microsoft had acknowledged 13 vulnerabilities. We've now revised it to 31. The difference is that now Microsoft has acknowledged these vulnerabilities."

[...]

"Mozilla can turn around on a dime," Levy said. "Open-source programmers can recognize a problem and patch it in days or weeks."

And as for Microsoft?

"If a vulnerability is reported to Microsoft, Microsoft doesn't acknowledge it for at least a month or two. There's always a certain lag between knowing about a bug and acknowledging it," Levy said.


Other recent articles state that Firefox may have its weak points, but often they are the result of attempts to mimic IE functionality on Windows, which means that the fragile layer is the operating system, not just the Web browser. On operating systems security, consider the following articles from the past year:



The great value of GNU/Linux is something that Microsoft itself cannot deny. In fact, it wasn't long ago that it was 'caught' praising it. Microsoft's campus is full of Linux devices that the company is happy with.

What the press statement didn't mention is that Aruba mobility controllers run the Linux operating system which Microsoft has aggressively targeted as being inferior to Windows as part of its "Get the Facts" marketing campaign.

[...]

Pandey's appraisal of Aruba's technology is in stark contrast to Microsoft's "Get the Facts" rhetoric which places Windows as a more secure, and higher-performing choice over Linux.


Let's not forget that for many years, Microsoft has run its Web sites behind the Akamai clusters that are all GNU/Linux. As evidence, consider this recent blog post that contains a screenshot.

Microsoft has also bought companies whose entire infrastructure is based on GNU/Linux and Free software. Examples include the recent acquisition of Newsvine:

The funny thing is, The site is hosted on Debian Linux...


There is also the $6 billion acquisition of aQuantive:

This month's announcement by Microsoft to acquire digital marketing services firm aQuantive has revealed little on how the companies will integrate their IT, but inside information indicates the deal may be Redmond's largest commitment to free software.

[...]

Whether the businesses are complementary or not, Microsoft's integration work will no doubt involve a lot of open source software used by aQuantive.

Information available from Atlas' Web site indicates the Internet software company employs extensive use of open source software including Linux, Apache, MySQL, and Solaris.

Software engineers at Atlas' Raleigh office do client/server development in C and C++, software maintenance and "scripting", and developing and maintaining custom reporting capabilities.


Remember Hotmail, which ran a BSD for several years after Microsoft had acquired it? There are many more examples, but they would make this post extremely long.

”While Microsoft controls the media, buys the media, and even buys voices on the Internet, nobody can be trusted.“As promised, returning to the original point of this post, Microsoft can deny the truth all it wants, but we ought to judge things for ourselves. While Microsoft controls the media, buys the media, and even buys voices on the Internet, nobody can be trusted. The antitrust exhibit known as "Effective Evangelism" [PDF] shows that Microsoft has for a long time intended to hire analyst whose output only appears to be independent. One need only look a month back for a live demonstration.

Going a year into the past, Redmond Kool-Aid seems likely to have played a role in another story which turned out to be an anti-Firefox lie. It did a lot of damage even after it was called a lie, by admission of the claim's own so-called 'hacker'. More information here.

Lately, I read the headline: "Open Source browser Firefox is so critically flawed that it is impossible to fix, according to two hackers." Further on, in the ZDNet article I read: "The hackers claim they know of about 30 unpatched Firefox flaws. They don't plan to disclose them, instead holding onto the bugs."

Since that sounds suspicious, I decided to start searching for connections with MS. Easy enough, here it is...


So, as you can see, the anti-Mozilla Firefox crusade has roots in the past. It remains to be seen how the media will respond to Microsoft's latest attempt to spread Firefox FUD.

Update: A Mozilla senior, who is also a former Microsoft employee, spills the beans on Microsoft and reveals more information about the deception mentioned above.

This is a small subset of all the vulnerabilities, because the vulnerabilities that are found through the QA process and the vulnerabilities that are found by the security folks they engage as contractors to perform penetration testing are fixed in service packs and major updates. For Microsoft this makes sense because these fixes get the benefit of a full test pass which is much more robust for a service pack or major release than it is for a security update.


Recent Techrights' Posts

Attacks on Techrights Are Only Making Techrights Bigger and Even More Popular
A week ago they offered to settle with us
EPO Staff Can Go Listen to Richard Stallman Next Week in Munich (Technical University of Munich, Rudolf-Diesel Hörsaal (MW2001) on Campus Garching at 18:00)
"The talk is open to the public and attendance is free. Registration is not required."
 
Links 15/10/2025: Qantas Airways Loses Control of Sensitive Data and Software Patents Are Being Thrown Out
Links for the day
Vista 10 is 'Dead', Here's Why People Should Move to GNU/Linux (or the BSDs)
Today we try to make an outline of reasons move away from Windows to GNU/Linux
Our Sites Continue to Improve
LLM slop has had no noticeable impact on us
Gemini Links 15/10/2025: Neovim, Helix Compared and Gemlog.blue Now Closed
Links for the day
Links 15/10/2025: Mass Layoffs at Amazon, OneDrive Spyware Revved Up, More 'Gen Z Protests'
Links for the day
The EPO's Staff Engagement Survey 2025 is Already Tainted by Intimidation by EPO Management (Trying to Influence Outcomes by Scaring Genuine, Honest Critics)
"[W]e have received reports that, following the previous survey, teams with negative responses were reproached or questioned about their answers..."
The DDoS Attacks by Microsoft's Scam Altman and Other Slop Charlatans and Frauds is Hurting the FSF, Delinking It From Copyleft Projects
This impacts a lot more than access to the licences
Microsoft Scanning Faces in Photos People Upload to Microsoft (Even Unconsciously), Slashdot Turns Report About It Into "Microsoft Sez" (Says)
Or "let's repeat the lies from a PR person/Microsoft's publicist"
[Teaser] Angel Aledo Lopez the Manipulator (Nepotism, Poll Rigging, and Other EPO Corruption)
We'll discuss this later today or tomorrow, based on internal EPO material
Epic Metaphor for End of IBM: "The IBM Demolition is Down to the Last Shards!"
Nothing lasts forever
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Tuesday, October 14, 2025
IRC logs for Tuesday, October 14, 2025
Proprietary and DRM Prisons Spiralling Down the Sinkhole? Not Just Yet.
Let's hope that more people will flee to GNU/Linux
The European Patent Office (EPO), the Second-Largest Institution in Europe, is Cracking Down on Recreational Activities
Without AMICALE activities, and as staff already says it's pressured to work more for less, how can the EPO recruit bright people?
Transparency: FSFE financial reports exclude speaker fees and expenses
Reprinted with permission from Daniel Pocock
Many Developers Have Many Political Views, They'll Never Agree on Everything
It's an effort to divide and destroy, not build
Gemini Links 14/10/2025: An Opportunity to Consider GNU/Linux and Another Simple IRC Client
Links for the day
Slopwatch: UbuntuPIT, LinuxSecurity, Google News, and the Serial Slopper Brian Fagioli
Nothing of merit here, just more slop
Links 14/10/2025: Lack of Trust in Slop and "Retirement Challenges"
Links for the day
Rhonda D'Vine, Gerfried Fuchs, Pronouns & Debian pregnancy cluster
Reprinted with permission from Daniel Pocock
At IBM, Relocation Means Layoffs (Downsizing)
Silent or 'invisible' layoffs?
Central Staff Committee of the European Patent Office (EPO) Warns That EPO Management is Robbing or Manipulating Pension Funds Again
Faking "growth" is just about as bad as forgery
Probably a Lot Worse Than LLM Slop: GNOME Tying Itself to Divisive Politics, Even Where It's Clearly Not Relevant
Something has gone terribly wrong in GNOME
Links 14/10/2025: Microsoft OneDrive Scanning Faces in Photos (Without Asking First), "OpenAI Says It Will Move to Allow Smut"
Links for the day
They Generally Don't Like Scholars, as They're Less Compelled or Pressured to Repeat What Corporations and Oligarchs Say
People who loathe scholars have an agenda in mind that, unlike that of reasonable people, revolves around controlling people
Dystopian Trends in Technology Make Richard Stallman More Relevant Than Ever
It's good to see him attracting vast audiences
Belated New Article About Last Thursday's Lecture by Richard Stallman in Helsinki, Finland
there are good reasons to pay with cash, not limited to privacy
Attacking Richard Stallman Has Become 'Career Suicide'
If you're going to viciously attack somebody, make sure your arguments are rock-solid
Microsoft's Failing XBox Business Has Turned Games Into Funerals
How does it feel to depend on Microsoft?
Yesterday's "Distinguished Lecture" by Richard Stallman Possibly Attended by Close to 1,000 People
The capacity of the place is about 900
Slop Poisons Everything
Imagine wanting to find what Torvalds has just said or what has just been released
Taking Software Freedom 'Mainstream'
interest in Software Freedom must have grown
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Monday, October 13, 2025
IRC logs for Monday, October 13, 2025
Gemini Links 14/10/2025: Ada Lovelace Day, Sony CLIE PEG-TG50 Review, Why to Avoid Network Solutions
Links for the day
Richard Stallman (RMS) Announced His Talk Less Than 24 Hours Before It Took Place and Still Filled Up the Auditorium at Sapienza Università di Roma
Photos from yesterday evening [...] It looks like it was a very successful event
The EPO's War on Techrights Was a Massive Mistake
The EPO started the SLAPPs after we had published a few hundreds of articles; we've since then published close to 6,000 because the attacks on us emboldened insiders to help us
General-Purpose Computers to Become Growing Area of Coverage
Without them, we have little left for controlling our lives
"They missed a great opportunity to shut up." -Jacques Chirac
Brett Wilson LLP has been trying to cheat the legal system many times
Harassment evidence: Switzerland, overcrowded fitness and yoga centers, incompetence and racism in accident response
Reprinted with permission from Daniel Pocock
Vincent Danjean & Debian NXIVM collateral, blackmail risks
Reprinted with permission from Daniel Pocock
In Sweden This Past Friday Richard Stallman Explained Why Copyleft is Important
And he didn't have to 'bash' BSDs, either
IBM Layoffs Due to a Lack of Money and Company Debt Rising by Almost 10 Billion Dollars in 6 Months
IBM didn't buy Red Hat for any ideological reasons; it was a fast "cash grab" for revenue
Forbes Already Stopped Being a News Sites. Now It's a Spam and Propaganda Platform for "Paying Partners" (Companies).
news from Forbes became very scarce
Is the Second-Largest Institution in Europe (EPO) Gradually Becoming More Like a Sweatshop?
Underpaid, unqualified, inexperienced and incompatible people are already recruited to replace veteran examiners
The Register MS Has No FOSS Coverage Anymore
The Editor in Chief is like a Microsoft plant
Links 13/10/2025: "Toasty Subwoofer" and WiFi Speakers "Are About To Go Dumb"
Links for the day
Gemini Links 13/10/2025: iNaturalist and Tove Jansson’s Moominpappa at Sea
Links for the day
Microsoft Does Not Deny That Large Retailers Like Walmart, Costco and Target Are Giving Up on XBox (and Not Stocking It)
No doubt XBox is in trouble and rumours suggest that more mass layoffs are imminent
We'll Encourage Richard Stallman to Talk About Software Patents at the EPO Next Week When He Visits Munich (EPO Headquarters)
Go listen to Richard Stahlmann
Investigative Journalism Protects Society From Corruption, Crimes Against Women, Assaults on Civil Society
"what is the point of men doing military practice to defend a system that is so rotten?"
Swiss pimp usurping reputation of legendary Tissot boss Francois Thiébaud from France (BaselWorld, SWATCH Group SA)
Reprinted with permission from Daniel Pocock
Paris 'Love Nest' & Debian Outreachy: from Lycée Lakanal to ENS Cachan, Cr@ns, nepotism
Reprinted with permission from Daniel Pocock
Richard Stallman to Give Public Talk in 3 Hours, Then in the Technical University of Munich (Germany) Next Week
Richard Stallman at TUM on 21.10.2025 18:00, MW2001
Arnaud Parreaux lost case defending rogue employer
Reprinted with permission from Daniel Pocock
Mathieu Elias Parreaux declared bankrupt in Switzerland
Reprinted with permission from Daniel Pocock
Breakdown of the Rule of Law and Patent Law in the European Union (EU)
The EPO cannot recruit suitably qualified patent examiners this way, let alone retain them
Gemini Links 13/10/2025: Good Films, Wizard of Earthsea, Upgrading the Steam Controller's Stick
Links for the day
Leaks and Whistleblowers: Our Plan for Today
Society simply cannot advance when too many people self-censor
It's Not Justice When One Side Denies the Other Side the Ability to Even Speak
At this stage, Brett Wilson LLP is in my humble opinion acting in contempt of the Court
Links 13/10/2025: Australian Catholic University Uses Slop to Libel Students, Canada Threatens to Kill Beluga Whales
Links for the day
How Not to Silence Tux Machines (It'll Only Backfire, Badly)
defending Microsoft while attacking this site
Slopwatch: UbuntuPIT and Google News
It seems abundantly clear that Google News and Google in general participates in the slop epidemic
Vincent Danjean (not INTERPOL), Claire Bardel & Debian pregnancy cluster
Reprinted with permission from Daniel Pocock
Christmas lynchings: Martin Krafft (madduck), Penny Leach (mjollnir) & Debian pregnancy cluster
Reprinted with permission from Daniel Pocock
Gemini Links 13/10/2025: Birthdays and "Committee Unable to Contact Nobel Prize Winner"
Links for the day
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Sunday, October 12, 2025
IRC logs for Sunday, October 12, 2025