05.11.10

Despite Security Lies and Security Failures, Microsoft Instructs Worldwide Cybersecurity Summit

Posted in Microsoft, Security, Windows at 8:41 am by Dr. Roy Schestowitz

Protect your money
Billions or trillions of dollars are lost or saved based on one’s security

Summary: Microsoft is telling lies about the number of flaws in its software, it admits failing to secure its software (statistics indicate exacerbation), and yet, Scott ‘Windows zombie tax’ Charney gets to tell participants of the Worldwide Cybersecurity Summit what to do next

IN OUR most recent post about Windows insecurity news we showed that nothing is improving at Microsoft when it comes to security. It’s only the messages (engagements with the public) that seemingly change. Last week we wrote about Microsoft pretending that it supports standards, which is an utter lie only PR can buy. Here is part of the PR where Microsoft joins Apple [1, 2, 3, 4, 5] in its attack on Flash, not just its attack on Theora, which we covered in:

Microsoft — like Apple — is being denounced for the hypocrite that it is:

MS criticises Adobe over security and performance. Physician, heal thyself!

Let’s not forget that Microsoft does exactly the same thing as Adobe (only with limited platform support) whenever it markets Silver Lie. Microsoft went further than that when .NET toys got secretly injected into Firefox without permission, thus creating security and performance issues without users’ consent.

Microsoft is also being somewhat hypocritical when it makes some statements as covered in the article “Adapt or die, Microsoft warns business”.

Microsoft has failed to adapt to a connected world and a world of computing mobility. Now it has debt to repay.

Addressing the subject of security, Microsoft spreads lies with its secret patches, which probably mean that there are fake figures in this latest ‘security’ report where Microsoft is conveniently blaming “ISVs” for security problems in Windows. The ‘Microsoft press’ plays along with this talking point and other publications are trying to make it an excuse for expensive Microsoft “upgrades”, which Microsoft urges/advocates using withdrawal of support. How ruthless and deceiving. Here is an example of Microsoft’s tactics:

The bottom line comes down to this: if your company plans to stay with XP well into 2011 and you’re still using IE6, you’ve got to upgrade that browser. Knowing that IE9 won’t support XP, you can safely move to IE8 knowing it’s the end of the line for IE on XP. Or, you can move to Firefox, Chrome, Safari, or Opera — but a company that’s still stuck on IE6 isn’t likely to be that adventurous. The web developers of the world will be happy with anything that gets you off IE6.

It is a “bait and switch” manoeuvre in a sense. Microsoft did the same thing to Windows 2000 users some years ago, for no practical reasons except the profit motive.

Going back to the hidden patches scam, can anyone believe that Microsoft is patching with just two “critical” bulletins? For several years Microsoft has been hiding its flaws and patching them silently for vanity purposes.

Microsoft on Tuesday will issue two critical bulletins that will fix vulnerabilities in Windows and Office, which if exploited successfully, could allow a remote attacker to take control of the computer, the company said Thursday.

There were also some broken patches which needed to be re-released.

Let’s consider this news in light of last week’s reports, such as:

The allegations are so serious that Microsoft could not afford to keep quiet without a carefully-crafted piece of spin. Here are the latest excuses from Microsoft (it’s the psychology of lying without technically lying):

Note that a policy such as this implies that Microsoft will not patch known, internally-discovered vulnerabilities if an externally-sourced vulnerability of the same or lesser severity is not available for the silent patch to piggyback on. They’ll sit on it, and we won’t know for how long because they don’t document it.

Utter spin. Groklaw has just found this new article which nicely explains Microsoft’s lies in this case:

#3 Tell the truth, misleadingly. The hardest lies to catch are those which aren’t actually lies. You’re telling the truth, but in a way that leaves a false impression. Technically, it’s only a prevarication – about half a sin. A 1990 study of pathological liars in New York City found that those who could avoid follow-up questions were significantly more successful at their deceptions.

Microsoft has also added a formal statement to The Register’s article on the subject (silent patching) because it received a lot of attention. Apologists of Microsoft also left comments trying to defend what Microsoft did there. It means it’s extremely damaging.

“Microsoft’s security record continues to be poor simply because Microsoft does not handle security issues properly, having for example ignored known flaws for 5 months until a disaster came.”In other insecurity news, SharePoint 2007 has a 0-day vulnerability (meaning that it’s already under attack). Microsoft has confirmed this [1, 2] and only issued a “workaround” rather than a solution [1, 2, 3]. As this one blogger puts it, there is “no SharePoint fix” and it says nothing about Microsoft’s hiding of patches and flaws (clustering them is possible if one wants to crunch the numbers). How many flaws does Microsoft patch in SharePoint silently? In this case, Microsoft had no choice but to publicise it (someone beat Microsoft to it).

Microsoft’s security record continues to be poor simply because Microsoft does not handle security issues properly, having for example ignored known flaws for 5 months until a disaster came [1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12]. That’s just negligence [1, 2, 3].

As a result of such negligence, IDG reports that “Conficker found on 25% of enterprise Windows PCs,” according to Microsoft.

Conficker was far and away the most prevalent threat found on Windows machines in the second half of 2009 in the enterprise, Microsoft says. The company’s security tools cleaned the Conficker worm from one quarter of enterprise Windows machines.

“25% of enterprise Windows PCs” is a lot of computers. But then again, for several years now we have known that hundreds of millions of Windows zombies were out there waiting to be commandeered. Google says that fake antivirus software is 15 percent of all malware. That’s what happens when Windows refuses to implement repositories like GNU/Linux does. GNU/Linux has had that for ages and it keeps it more bulletproof.

Going back to Microsoft’s own figures, even Microsoft admits that it’s getting worse for Windows in practical terms:

Microsoft Sees Infected PC Numbers Climbing

[...]

The numbers of PCs cleaned by Microsoft’s anti-malware software worldwide during the second half of 2009 continued to trend upward, suggesting that more PCs are getting infected in total, according to the company’s latest Security Intelligence Report (SIR).

More here.

It’s interesting that even Microsoft admits that it’s failing to tackle the problem it created (or helped create).

Microsoft’s Charney, the former government (ish) person who wants charge Mac and GNU/Linux users for Microsoft to clean up its own mess [1, 2, 3, 4, 5, 6, 7] is now intervening in international affairs, based on this AP report:

“Lots of times, there’s confusion in these treaty negotiations because of lack of clarity about which problems they’re trying to solve,” said Scott Charney, vice president of Microsoft Corp.’s Trustworthy Computing Group, before a speech at the Worldwide Cybersecurity Summit.

[...]

Charney, of Microsoft, believes cyber threats should be better differentiated. He proposes four categories: conventional computer crimes, military espionage, economic espionage and cyberwarfare. That approach, he argues, would make it easier to craft defenses and to discuss international solutions to each problem.

What is Microsoft doing in a Worldwide Cybersecurity Summit? And why does it tell the world how to address these issues that it itself helped create? Microsoft cannot even issue disclosures of its own flaws (because it lies pathologically), so why should anyone believe Charney and maybe implement his outrageous idea of taxing all computer/Internet users for damage caused by Windows botnets? Microsoft should be held liable for knowingly refusing to patch known flaws.

Share in other sites/networks: These icons link to social bookmarking sites where readers can share and discover new web pages.
  • Reddit
  • email

This post is also available in Gemini over at:

gemini://gemini.techrights.org/2010/05/11/worldwide-cybersecurity-summit/

If you liked this post, consider subscribing to the RSS feed or join us now at the IRC channels.

Pages that cross-reference this one

5 Comments

  1. Yuhong Bao said,

    May 12, 2010 at 9:14 pm

    Gravatar

    “Addressing the subject of security, Microsoft spreads lies with its secret patches, which probably mean that there are fake figures in this latest ’security’ report”
    Or more precisely that at best the figures include only the externally-reported ones.

  2. Yuhong Bao said,

    May 13, 2010 at 7:46 pm

    Gravatar

    “Note that a policy such as this implies that Microsoft will not patch known, internally-discovered vulnerabilities if an externally-sourced vulnerability of the same or lesser severity is not available for the silent patch to piggyback on. They’ll sit on it, and we won’t know for how long because they don’t document it. ”
    Yea, MS seems to be trying hard to pretend like that the internally-discovered vulnerabilities do not exist, with nasty side-effects like this one.

    Dr. Roy Schestowitz Reply:
    May 13th, 2010 at 7:57 pm

    Yes. it is important to show that they are doing this.

    Microsoft rarely gets caught because it’s hard to review binary-only patches.

    Yuhong Bao Reply:
    May 13th, 2010 at 8:01 pm

    Yea, one reason why this can be nasty is that the security patches can be reverse-engineered using for example the BinDiff plugin of IDA, which would provide all necessary info that would be needed to exploit them.

    Dr. Roy Schestowitz Reply:
    May 14th, 2010 at 1:06 am

    That’s still an excuse for telling fake numbers.

What Else is New

  1. The Next Generation of Free Software (or Software Freedom) Activism, Tackling Newer Problems

    New challenges as labour rights and human rights are further eroded, thanks to 'high' 'tech' with its very 'innovative' 'features'

  2. Mass Litigation Over the Salary Adjustment Procedure (SAP), Basically an Attack on All EPO Staff, Even EPO Pensioners

    “Importance of a binding and unambiguous erga omnes declaration” stressed by staff representatives of the EPO in a new letter to Benoît Battistelli‘s successor of choice, António Campinos, who has done nothing so far except attacking (or robbing) EPO staff, even EPO pensioners

  3. EPO 'Dialogue' With Staff Representatives is as Dead as 'Dialogue' With the Union

    “Yet another failure of social [sic] dialogue [sic] for Mr Campinos,” according to staff representatives, who rightly bemoan the Office president not giving a damn about staff; things quickly deteriorate in Europe’s second-largest institution, which does even worse things than granting loads of illegal European software patents (harming software producers and users alike)

  4. The FSF Needs to Reject OSI (and Open Source) Along With Much-Needed Rejection of the GNOME Foundation (Not the Same as the GNOME Project)

    Response to a good little speech (unscripted apparently) by Geoffrey Knauth, who explained his position on Open Source about a year ago

  5. Links 11/5/2021: Bodhi Linux 6.0, Coreboot 4.14, and DragonFly BSD 6.0

    Links for the day

  6. IRC Proceedings: Monday, May 10, 2021

    IRC logs for Monday, May 10, 2021

  7. Keynote by FSF President Geoff Knauth and Executive Director John Sullivan

    To quote the source: “FSF president Geoff Knauth became the president of the FSF in 2020, but has served on the FSF board of directors for over twenty years. FSF executive director John Sullivan started work with the FSF in 2003, and has never stopped since, with past roles including the FSF’s first Campaigns Manager and later the Manager of Operations.”

  8. Richard Stallman on Companies That Are “Only Pretending to be American Companies”

    Dr. Richard Stallman, the Free Software Foundation's founder, speaks about US politics being captured and dominated by large and multinational corporations in pursuit of just money and power

  9. Last Night's Talk by Richard Stallman About Software Freedom

    An inspiring new talk reminds many of us why loads of people continue to support the founder of the Free Software Movement

  10. Links 10/5/2021: Huawei's GNU/Linux Laptops and Kotlin 1.5.0

    Links for the day

  11. Richard Stallman on Writing rm, ls, and cp (Also Working on Bison)

    Dr. Richard Stallman, the Free Software Foundation's founder, explains what programs he developed in the eighties

  12. Raise the Roof

    Out comes the taxpayers’ subsidy, assured; with military the sky is the limit (and bailout guaranteed)

  13. Richard Stallman Replatformed 10 Hours From Now

    Link to the talk (when it goes live)

  14. [Meme] Bill Says, Bill Saves

    Bill Gates seems more likely to be indicted than to win a presidential election/term

  15. IRC Proceedings: Sunday, May 09, 2021

    IRC logs for Sunday, May 09, 2021

  16. According to the Wall Street Journal, Bill Gates’s Relationship with Jeffrey Epstein Caused the Bill-Melinda Divorce (While the Media Deflected to Dr. Stallman, Using a Phony 'Scandal')

    It’s becoming rather obvious that there’s real substance to accusations that Mr. Gates was in some sense enabling Jeffrey Epstein; while Gates-funded media told us that he was saving us from climate change and a pandemic (PR stunts for empathy and sympathy) Melinda worked really hard to distance herself from him, the father of her kids

  17. [Meme] Bill, What's Your Opinion?

    While it's ludicrous to insinuate that Mr. Gates somehow "started" COVID-19 he certainly "rode the wave" for reputation laundering purposes, profit, and distraction from scandals that precede the epidemic in China (and caused his marriage to break down)

  18. Links 10/5/2021: SystemRescueCD 8.03, KeePass 2.48 Released

    Links for the day

  19. How We Process and Upload Videos Hosted in Techrights

    With ffmpeg as the Swiss army knife (and various other utilities/programs ‘in between’) it’s possible to automate much of the pipeline associated with video production and self-hosting

  20. Richard Stallman's Free Software Speech in 2020 (FSF Turning 35)

    We've re-encoded (as WebM) the likely sole/only speech Richard Stallman gave about his movement last year; today seems like a suitable time to republish it because tomorrow a British university/group will replatform him (to use their term)

  21. The Chaos Theory

    Making GNU/Linux less stable and less predictable isn't good for GNU/Linux users; but it certainly helps sell Red Hat support contracts and vexation inside the community weakens Red Hat's competitors

  22. Gemini and Techrights: Still Growing in Gemini Space and Always Supporting/Loving the Protocol

    As we continue to expand in Gemini space (where our very large site became a very large and likely the largest capsule) it's worth explaining some of the overlooked merits of the protocol; unlike the World Wide Web (WWW) it does not impose things on the user/visitor, who is more or less in charge

  23. Links 9/5/2021: KDE Frameworks 5.82.0 Release and Patents Related to COVID Subjected to Waivers

    Links for the day

  24. Act More 'Professional' to Appease Mobs

    We should all think alike, dress alike, and like everybody (especially the business overlords)

  25. IRC Proceedings: Saturday, May 08, 2021

    IRC logs for Saturday, May 08, 2021

  26. Some Background on the Free Speech Society at the University of Buckingham, Where Richard Stallman is Being 'Replatformed'

    A private British university, the University of Buckingham, will 'host' (virtually) the most-defamed person in the Free software world; the Free Speech Society is only two years old and rationality for its existence is explained by its co-founder James Oliver

  27. Web Sites or News Sites Perish When Their Arguments Are Weak and/or Invalid

    "Just be honest!" is a simple motto for any site; but some sites sell out in pursuit of money or grandiosity, unlike us (we turned 14.5 years old on Friday)

  28. GNU/Linux Turns 38 (in 4 Months From Now)

    Contrary to what the Linux Foundation wants you to think, the operating system turns 38 later this year

  29. Richard Stallman: Steve Jobs Did Some Very Bad Things

    Dr. Richard Stallman told me about Steve Jobs that he had helped digitally imprison computer users

  30. GNU/Linux Founder Richard Stallman to Give a Talk at the University of Buckingham Tomorrow (Live Stream)

    Tomorrow it will be possible to watch this new talk live using Free software

RSS 64x64RSS Feed: subscribe to the RSS feed for regular updates

Home iconSite Wiki: You can improve this site by helping the extension of the site's content

Home iconSite Home: Background about the site and some key features in the front page

Chat iconIRC Channel: Come and chat with us in real time

Recent Posts