Bonum Certa Men Certa

Why Microsoft's Security Reports Are a Scam

Microsoft lies



Summary: Microsoft is caught lying again, by essentially patching serious flaws while hiding their very existence

TO PUT it bluntly but rather fairly or at least realistically, Microsoft is a company of systematic liars and nobody should ever trust a word that comes out of their mouths. They believe that these lies are acceptable because they serve some higher goal or that it's a white lie when it helps one's investors or bank account (or perceived sense of security). The examples we have given (e.g. [1, 2, 3, 4, 5]) are too many to list here exhaustively, so we won't attempt to list such examples in a more compelling way.



One point that we stressed and demonstrated several years ago is that Microsoft fakes its reports when it comes to security; people buy their software based on false premises, lack of disclosure, and outright lies.

Putting aside several examples from several years ago, we now have some new examples where Microsoft gets caught (which is hard to achieve because the code is secret). As Slashdot summarised it:

"Microsoft silently patched three vulnerabilities last month, two of them affecting enterprise mission-critical Exchange mail servers, without calling out the bugs in the accompanying advisories, a security expert said on Thursday. Two of the three unannounced vulnerabilities, and the most serious of the trio, were packaged with MS10-024, an update to Exchange and Windows SMTP Service that Microsoft issued April 13 and tagged as 'important,' its second-highest threat ranking. Ivan Arce, CTO of Core Security Technologies, said Microsoft patched the bugs, but failed to disclose that it had done so — which could pose a problem. 'They're more important than the [two vulnerabilities] that Microsoft did disclose,' said Arce. 'That means [system] administrators may end up making the wrong decisions about applying the update. They need that information to assess the risk.'"


Here is the corresponding article.

Microsoft silently patched three vulnerabilities last month, two of them affecting enterprise mission-critical Exchange mail servers, without calling out the bugs in the accompanying advisories, a security expert said today.

Two of the three unannounced vulnerabilities, and the most serious of the trio, were packaged with MS10-024, an update to Exchange and Windows SMTP Service that Microsoft issued April 13 and tagged as "important," its second-highest threat ranking.

According to Ivan Arce, the chief technology officer of Core Security Technologies, Microsoft patched the bugs, but failed to disclose that it had done so.


This has already been covered by The Register too:

A recent security patch from Microsoft silently fixed two severe bugs that were never disclosed even though they posed a risk to many of its customers, a security researcher said.

MS10-024 fixed two flaws that made it possible for adversaries to intercept victims' email messages sent by Exchange and Windows SMTP service, Nicolás Economou, a researcher with Core Security said. But the bugs - which made it "trivial" to spoof responses to domain name system queries - weren't disclosed and were never assigned a Common Vulnerabilities and Exposure identifier, sparking criticism that the critical bugs weren't properly disclosed.


Next time Microsoft shows any comparisons involving a number of flaws or severity of flaws, refuse to accept them. Microsoft is the boy who cried "Wolf!" and the above serves as an example of behaviour that has gone on for years (rarely detected though because it's hard).

Comments

Recent Techrights' Posts

Extortion is a Crime, Even If You're Based in Another Continent and Work for Microsoft
reported to British authorities
 
Links 06/06/2025: Microsoft XBox Bracing For More Mass Layoffs, Climate Disaster, Fake 'Money' Tokens From US President
Links for the day
Gemini Links 06/06/2025: Vanishing Cultures and MElon Implosion
Links for the day
We're in 6/6 Now, Almost Halfway in 2025
2025 was probably the best year for us
South Americans Are Saying Goodbye to Microsoft
We're hardly even "Cherry-Picking" or conveniently singling out one South American nation
Abuse Inside the Polish Patent Office (UPRP) - Part III: Data Protection Failures, Just Like at the European Patent Office (EPO)
Just less than a decade ago we showed that the EPO had illegally shared staff data with third parties
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Thursday, June 05, 2025
IRC logs for Thursday, June 05, 2025
Pushing Microsoft's Proprietary Trash/Trap as "Open" and "Linux" (Windows is 'Linux' Now?)
Maybe it's time to just stop saying "FOSS". The people who use that term are promoting Microsoft.
Slopwatch: Comparing Linux to Vermin, Attacking BSD With LLM Slop, and Helping Microsoft Demonise Linux/OpenBSD/SSH Over Weak User Passwords
Microsoft must be laughing its arse off, seeing how a bunch of Serial Sloppers (no skills, no comprehension, no integrity, no creativity) and slopfarms use Microsoft LLM to flood the Web with anti-Linux FUD
Links 05/06/2025: US Poised for Another $2.4 Trillion to Debt, Cops Want GAFAM Kill Switches
Links for the day
Links 05/06/2025: First US Spacewalk 60 Years Ago, GNU Octave 10.2.0 is Out
Links for the day
Scandinavia Saying Goodbye to Microsoft
The Danes have had enough of Microsoft
GNU/Linux Measured at 6% in Bangladesh, According to statCounter
Windows isn't growing, it's going away
Nat Friedman Had Left Microsoft GitHub Exactly One Week Before Matthew Garrett Sent His First SLAPP (Which Was an Empty Threat, He Was Abusing the Legal System of Another Continent to Terrorise Critics Who Had Just Unearthed Major Microsoft Scandals)
And it was likely talked about by his lawyers around the exact same time Nat Friedman was packing up
Gemini Links 05/06/2025: Loop Earplugs Review and ANS Forth
Links for the day
Armenian Adoption of GNU/Linux
Russian influence in Armenian must be worrying to Microsoft
Abuse Inside the Polish Patent Office (UPRP) - Part II: Turning a Once-Respected Patent Office Into a Circus and Laughing Stock
It's not legal, but administrators who don't care about the law and don't fear the law would just go ahead and turn things to junk
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Wednesday, June 04, 2025
IRC logs for Wednesday, June 04, 2025
Slopwatch: Mindless Slop Pieces, Fake Images and Text, Linux FUD on the Cheap
spewed out by Microsoft-controlled LLMs
Links 04/06/2025: Workers' Strikes, Sudan Exodus
Links for the day
Links 04/06/2025: Linux Foundation PR Spam and Lee Jae-myung Wins Election
Links for the day
Gemini Links 04/06/2025: Future Leaders of the World and Platforming Jordan Peterson
Links for the day
Links 04/06/2025: WSL Backfiring on Microsoft and "Disney, Microsoft Announce Massive Layoffs"
Links for the day
Our Case is a Very Easy Win, the SLAPPs From Microsofters Were a Grave Error, and Censoring Information Won't Work (It'll Only Ever Backfire)
Censoring is what people do when they lose the argument
Say the Truth, the Rest Will Follow
There's no guarantee that writing the truth will result in an audience (or readership), but over time - in the long run - people generally gravitate towards what they know or feel to be crude truth, not just what's comforting (albeit false or self-deluding, usually groupthink dictated from above)
How to Expose High-Level Corruption Without Getting in (Too Much) Trouble
Democracy depends on free press and freedom of the press depends on being able to safely publish (and keep available) material that bad people don't want to be known to anybody
In-Depth EPO Coverage at Techrights Turns Eleven
11 years is a very long time
Windows Measured Below 10% in Afghanistan, GNU/Linux Gaining a Lot
about 80% are Android (Linux) users, compared to only about 10% for Windows
Poland's Political Predicament and Social Control Media
Democracy and fake "tech" don't mix well; the latter tends to interfere with the former and that's why we get more "Putins" out there
EPO: Taking Away From the Staff to Give More to the Rich
The Central Staff Committee (CSC) wrote to EPO staff earlier this week
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Tuesday, June 03, 2025
IRC logs for Tuesday, June 03, 2025
Abuse Inside the Polish Patent Office (UPRP) - Part I: It's a Lot Like the EPO
we can commence a series soon
Gemini Links 04/06/2025: Inescapable Questions and Quitting All "Oligarch Tech"
Links for the day