12.14.09

Gemini version available ♊︎

Microsoft Hides Its Own Flaws, Cheats Customers

Posted in Deception, Microsoft, Security, Windows at 6:48 am by Dr. Roy Schestowitz

Haha, very funny pig
Even swine flu vaccines are delivered
more quickly than Microsoft patches

Summary: Microsoft delivers patches only after customers are attacked (despite having prior warnings) and then cheats when it comes to the number of patches it issues

ACCORDING TO PC Magazine, Microsoft neglects to look for its own bugs.

Sotirov noted that it’s TippingPoint’s and VeriSign’s customers who were paying for this research and that Microsoft should be paying too. Surely, I asked, Microsoft does vulnerability research on their own product. At this point another famous researcher, Dino Dai Zovi, piped in to say no: “Apple is the only vendor that I know of that releases patches for vulns found internally.”

This rang true; I know I’ve read Apple advisories that credited internal research and I couldn’t recall a Microsoft advisory that credited their own. I looked and not a single vulnerability disclosure (so far) in 2009 was credited explicitly to Microsoft. I asked Microsoft about it.

Their answer… Well, of course they look for and find these things, but not so much.

Microsoft’s negligence may justify lawsuits. To make matters worse, Microsoft lies about security, usually by hiding known flaws. The following new report from IDG is very damaging: “Microsoft knew of just-patched IE zero-day for months”

Microsoft may not have hustled as fast as researchers thought when the company patched a zero-day bug in Internet Explorer (IE) just 18 days after exploit code went public.

According to VeriSign iDefense, Microsoft had information about the browser bug nearly six months before the researcher dubbed “K4mr4n” posted attack code to the Bugtraq security mailing list on Nov. 20.

More hidden patches have just arrived.

Microsoft Releases Surprise Advisory

Hidden behind the Patch Tuesday updates, Microsoft released two separate security advisories and one set of updates that were not mentioned in the advance notification.

Regarding the latest Internet Explorer (IE) flaw that we wrote about before [1, 2, 3], Microsoft gives too little, too late, and being a zero-day flaw, damage has already been done.

Probably the most important update for most users is the one for Internet Explorer, which corrects five critical flaws in IE 6, 7 and 8. These are vulnerabilities that attackers could exploit to quietly install malicious software on your machine if you browse with IE to a hacked or booby-trapped site.

This only justifies the use of non-IE Web browsers. The way in which Microsoft delivers security updates is already being exploited [1, 2] to actually push malware rather than a fix.

Malware distributors continue resorting to the fake software update lure for their email spam campaigns. The latest attack poses as a notification regarding a Windows security bulletin, which links to a malicious executable.

The rogue emails impersonate Steve Lipner, Microsoft’s Director of Security Assurance, who allegedly informs the receiver about a high-priority security update for all versions of Windows. “Please notice that Microsoft company has recently issued a Security Update for OS Microsoft Windows. The update applies to the following OS versions: Microsoft Windows 2000, Microsoft Windows Millenium [sic], Microsoft Windows XP, Microsoft Windows Vista and Microsoft Windows 7,” the fake message reads.

It remains the job of some GNU/Linux-powered gateways to keep Windows more secure.

Share in other sites/networks: These icons link to social bookmarking sites where readers can share and discover new web pages.
  • Reddit
  • email

Decor ᶃ Gemini Space

Below is a Web proxy. We recommend getting a Gemini client/browser.

Black/white/grey bullet button This post is also available in Gemini over at this address (requires a Gemini client/browser to open).

Decor ✐ Cross-references

Black/white/grey bullet button Pages that cross-reference this one, if any exist, are listed below or will be listed below over time.

Decor ▢ Respond and Discuss

Black/white/grey bullet button If you liked this post, consider subscribing to the RSS feed or join us now at the IRC channels.

DecorWhat Else is New

  1. Links 17/1/2022: More Microsoft-Connected FUD Against Linux as Its Share Continues to Fall

    Links for the day

  2. The GUI Challenge

    The latest article from Andy concerns the Command Line Challenge

  3. Links 17/1/2022: digiKam 7.5.0 and GhostBSD 22.01.12 Released

    Links for the day

  4. IRC Proceedings: Sunday, January 16, 2022

    IRC logs for Sunday, January 16, 2022

  5. Links 17/1/2022: postmarketOS 21.12 Service Pack 1 and Mumble 1.4 Released

    Links for the day

  6. [Meme] Gemini Space (or Geminispace): From 441 Working Capsules to 1,600 Working Capsules in Just 12 Months

    Gemini space now boasts 1,600 working capsules, a massive growth compared to last January, as we noted the other day (1,600 is now official)

  7. [Meme] European Patent Office Space

    The EPO maintains a culture of illegal surveillance, inherited from Benoît Battistelli and taken to a whole new level by António Campinos

  8. Gemini Rings (Like Webrings) and Shared Spaces in Geminspace

    Much like the Web of 20+ years ago, Gemini lets online communities — real communities (not abused tenants, groomed to be ‘monetised’ like in Facebook or Flickr) — form networks, guilds, and rings

  9. Links 16/1/2022: Latte Dock 0.11 and librest 0.9.0

    Links for the day

  10. The Corporate Cabal (and Spy Agencies-Enabled Monopolies) Engages in Raiding of the Free Software Community and Hacker Culture

    In an overt attack on the people who actually did all the work — the geeks who built excellent software to be gradually privatised through the Linux Foundation (a sort of price-fixing and openwashing cartel for shared interests of proprietary software firms) — is receiving more widespread condemnation; even the OSI has been bribed to become a part-time Microsoft outsourcer as organisations are easier to corrupt than communities

  11. EPO's Web Site Constantly Spammed by Lies About Privacy While EPO Breaks the Law and Outsources Data to the United States

    The António Campinos-led EPO works for imperialism, it not only protects the rich; sadly, António’s father isn’t alive anymore and surely he would blast his son for doing what he does to progress his career while lying to staff and European citizens

  12. Links 16/1/2022: Tsunami and Patents

    Links for the day

  13. IRC Proceedings: Saturday, January 15, 2022

    IRC logs for Saturday, January 15, 2022

  14. Links 16/1/2022: Year of the GNU/Linux Desktop and Catch-up With Patent Misinformation

    Links for the day

  15. Patrick Breyer, Unlike Most German Politicians, Highlights the Fact That Unified Patent Court (UPC) and Unitary Patent Are Incompatible With EU Law

    A longtime critic of EPO abuses (under both Benoît Battistelli and António Campinos leadership), as well as a vocal critic of software patents, steps in to point out the very obvious

  16. Links 15/1/2022: Flameshot 11.0 and Libvirt 8.0

    Links for the day

  17. Blogging and Microblogging in Geminispace With Gemini Protocol

    Writing one’s thoughts and other things in Geminispace — even without setting up a Gemini server — is totally possible; gateways and services do exist for this purpose

  18. Links 15/1/2022: Raspberry Pi in Business

    Links for the day

  19. IRC Proceedings: Friday, January 14, 2022

    IRC logs for Friday, January 14, 2022

  20. Gemini Clients: Comparing Moonlander, Telescope, Amfora, Kristall, and Lagrange (Newer and Older)

    There are many independent implementations of clients (similar to Web browsers) that deal with Gemini protocol and today we compare them visually, using Techrights as a test case/capsule

  21. 2022 Starts With Censorship of Christmas and Other Greetings at the EPO

    The nihilists who run the EPO want a monopoly on holiday greetings; to make matters worse, they’re censoring staff representatives in their intranet whilst inconsistently applying said policies

  22. Links 14/1/2022: FFmpeg 5.0 and Wine 7.0 RC6

    Links for the day

  23. White House Asking Proprietary Software Companies That Add NSA Back Doors About Their Views on 'Open Source' Security

    The US government wants us to think that in order to tackle security issues we need to reach out to the collective 'wisdom' of the very culprits who created the security mess in the first place (even by intention, for imperialistic objectives)

  24. Links 14/1/2022: EasyOS 3.2.1 and Qt 6.3 Alpha

    Links for the day

  25. Scientific Excellence and the Debian Social Contract

    The Debian Project turns 30 next year; in spite of it being so ubiquitous (most of the important distros of GNU/Linux are based on Debian) it is suffering growing pains and some of that boils down to corporate cash and toxic, deeply divisive politics

  26. Links 14/1/2022: openSUSE Leap 15.2 EoL, VFX Designers Are Using GNU/Linux

    Links for the day

  27. IRC Proceedings: Thursday, January 13, 2022

    IRC logs for Thursday, January 13, 2022

  28. 2022 Commences With Microsoft-Themed (and Microsoft-Connected) FUD Against GNU/Linux

    A psychopathic Microsoft, aided by operatives inside the mainstream and so-called 'tech' media, keeps spreading old and invalid stigma about "Linux" and Free software; few people still bother responding to these fact-free FUD campaigns, which boil down to ‘perception management’ PR/propaganda

  29. Between January 2021 and January 2022 the Number of Active Gemini Capsules Nearly Quadrupled Based on Publicly-Available Catalogue of Capsules

    Geminispace has grown to about 2,000 known capsules and 1,600 of them are active, permanently online, fully accessible; in January last year these numbers were about 4 times smaller

  30. Links 13/1/2022: NetworkManager 1.34 and Everett 3.0.0

    Links for the day

RSS 64x64RSS Feed: subscribe to the RSS feed for regular updates

Home iconSite Wiki: You can improve this site by helping the extension of the site's content

Home iconSite Home: Background about the site and some key features in the front page

Chat iconIRC Channel: Come and chat with us in real time

Recent Posts