Bonum Certa Men Certa

Microsoft Finally Admits Numbers of Vulnerabilities It Reports Are Fake

Microsoft lies



Summary: Mike Reavey, the director of the Microsoft Security Response Center, admits that Microsoft is silently patching vulnerabilities without ever reporting the problem

IT'S official. Microsoft is a liar. Again. Now there is even admission from Microsoft, confirming an issue which we first raised some weeks ago. Whenever Microsoft says it patches x number of flaws with y number of patches/bulletins, Microsoft ought to be assumed to be lying. Microsoft's silent patching is a subject we have been covering for years and it helps explain why one in two Windows PCs is believed to be a zombie PC, despite Microsoft's claims that all of its flaws are being addressed. All those fake comparisons against platforms like Red Hat Enterprise Linux (where Microsoft stacks up and aggregates numbers of flaws) can be thrown into the wastebasket. If convincing proof is needed, here it is. Microsoft first tried to spin it (for weeks) and now it gives up and tells the truth.



Microsoft Official Admits to Quiet Security Patching



Microsoft doesn't report all security vulnerabilities that it fixes in its software. Bug comparisons between vendors therefore paint an incorrect picture.

"We don't document every issue found," Mike Reavey, director of the Microsoft Security Response Center (MSRC), said at a meeting with reporters at the company's corporate headquarters in Redmond, Washington.

Microsoft will issue a Common Vulnerabilities and Exposures (CVE) number to a vulnerability for flaws that share the same severity, have an attack vector and a workaround. If several flaws share all the same properties, they will not be reported separately, Reavey said.

The nondisclosure of fixes was brought to light early this month by a company called Core Security Technologies. After studying the Microsoft patches MS10-024 and MS10-028, it noticed three silent fixes. Security bulletin MS10-028 addressed a flaw that would expose a user of Microsoft Visio to a buffer overflow attack, which would allow an attacker to take over control of the system.


Finally. Thanks for the honesty. So how much damage has been caused by Microsoft's lies so far. Microsoft has been denying this for years, but not exactly denying, either. It was spinning and avoiding the actual question. It's the art of lying without practically lying, just evading. Adobe is at least honest about its proprietary software being insecure garbage. As far as we are aware, Adobe hasn't a long history of systematic lying, unlike Microsoft.

"Microsoft smacks patch-blocking rootkit second time," says another new report from Gregg Keizer.

For the second month in a row, Microsoft has tried to eradicate a mutating rootkit that has blocked some Windows users from installing security updates.


Here is another one (also here):

Jerry Bryant, a group manager with the Microsoft Security Response Center (MSRC), said his team is looking into Raskin's claims, but hinted that Microsoft wouldn't be patching IE anytime soon. "I wouldn't classify this as a 'vulnerability' though," Bryant said in an e-mail answer to questions.


The followup says:

Will browser makers patch this? Unlikely. Microsoft's Jerry Bryant, a general manager at the company's security response center, said the issue isn't a security vulnerability per se, and that Internet Explorer (IE) falls for the scam because that's the way browsers work.

"Working with [Raskin's] proof-of-concept, as written, is expected," he said in an e-mail Tuesday when asked whether Microsoft had a fix in mind for IE.


Let's remember how much damage was caused this year because Microsoft had refused to patch known Internet Explorer flaws for five months [1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12]. Where is the liability [1, 2, 3, 4, 5]? Watch what it happening in Denver right now.

Denver officials have asked the FBI, Denver police and Microsoft Corp. to help them identify the person or people who have hacked into the city's website twice in the past week.


If Microsoft gets involved, then it almost must be a Windows server.

Comments

Recent Techrights' Posts

[Meme] One Person, Singular Pronoun
Abusing people into abusing the English language is very poor diplomacy
New Article From Richard Stallman Explains Why He Says He and She for Unknown Person (Not 'They')
"Nowadays I use gender-neutral singular pronouns for a person whose gender I don't know"
 
Gemini Not Deflated Yet (Soon Turning 5!)
Gemini numbers still moving up, the protocol will turn five next summer
Links 30/11/2023: Belated End of Henry Kissinger and 'Popular Science' Shuts Online Magazine
Links for the day
Site Priorities and Upcoming Improvements
pages are served very fast
Ending Software Patents in Recent Years (Software Freedom Fighters MIA)
not a resolved issue
IRC Proceedings: Wednesday, November 29, 2023
IRC logs for Wednesday, November 29, 2023
Over at Tux Machines...
GNU/Linux news
Links 30/11/2023: Rushing Patent Cases With Shorter Trial Scheme (STS), Sanctions Not Working
Links for the day
Links 30/11/2023: Google Purging Many Accounts and Content (to Save Money), Finland Fully Seals Border With Russia
Links for the day
Lookout, It's Outlook
Outlook is all about the sharing!
Updated A Month Ago: Richard Stallman on Software Patents as Obstacles to Software Development
very recent update
The 'Smart' Attack on Power Grid Neutrality (or the Wet Dream of Tiered Pricing for Power, Essentially Punishing Poorer Households for Exercising Freedom Like Richer Households)
The dishonest marketing people tell us the age of disservice and discrimination is all about "smart" and "Hey Hi" (AI) as in algorithms akin to traffic-shaping in the context of network neutrality
Links 29/11/2023: VMware Layoffs and Too Many Microsofters Going Inside Google
Links for the day
Is BlueMail a Client of ZDNet Now?
Let's examine what BlueMail does to promote itself
Just What LINUX.COM Needed After Over a Month of Inactivity: SPAM SPAM SPAM (Linux Brand as a Spamfarm)
It's not even about Linux
Microsoft “Discriminated Based on Sexuality”
Relevant, as they love lecturing us on "diversity" and "inclusion"...
IRC Proceedings: Tuesday, November 28, 2023
IRC logs for Tuesday, November 28, 2023
Media Cannot Tell the Difference Between Microsoft and Iran
a platform with back doors
Links 28/11/2023: New Zealand's Big Tobacco Pivot and Google Mass-Deleting Accounts
Links for the day
Justice is Still the Main Goal
The skulduggery seems to implicate not only Microsoft
OpenBSD Says That Even on Linux, Wayland Still Has a Number of Rough Edges (But IBM Wants to Make X Extinct)
IBM tries to impose unready software on users
[Teaser] Next Week's Part in the Series About Anti-Free Software Militants
an effort to 'cancel' us and spy on us
Over at Tux Machines...
GNU/Linux news
Permacomputing
This work is licensed under a Creative Commons Attribution 4.0 International License
Professor Eben Moglen on How Social Control Media Metabolises Humans and Constraints Freedom of Thought
Nothing of value would be lost if all these data-harvesting giants (profiling people) vanished overnight
IRC Proceedings: Monday, November 27, 2023
IRC logs for Monday, November 27, 2023
When Microsoft Blocks Your Access to Free Software
"Linux is a cancer that attaches itself in an intellectual property sense to everything it touches." [Chicago Sun-Times]
Techrights Statement on 'Cancel Culture' Going Out of Control
relates to a discussion we had in IRC last night
Stuff People Write About Linux
revisionist pieces
Links 28/11/2023: Rosy Crow 1.4.3 and Google Drive Data Loss
Links for the day