05.31.10

Microsoft Finally Admits Numbers of Vulnerabilities It Reports Are Fake

Posted in Deception, GNU/Linux, Microsoft, Red Hat, Security, Servers, Windows at 6:14 am by Dr. Roy Schestowitz

Summary: Mike Reavey, the director of the Microsoft Security Response Center, admits that Microsoft is silently patching vulnerabilities without ever reporting the problem

It’s official. Microsoft is a liar. Again. Now there is even an admission from Microsoft, confirming an issue which we first raised some weeks ago. Whenever Microsoft says it patches x number of flaws with y number of patches/bulletins, Microsoft ought to be assumed to be lying. Microsoft’s silent patching is a subject we have been covering for years, and it helps explain why one in two Windows PCs is believed to be a zombie PC, despite Microsoft’s claims that all of its flaws are being addressed. All those fake comparisons against platforms like Red Hat Enterprise Linux (where Microsoft stacks up and aggregates numbers of flaws) can be thrown into the wastebasket. If convincing proof is needed, here it is. Microsoft first tried to spin it (for weeks) and now it gives up and tells the truth.

Microsoft Official Admits to Quiet Security Patching

Microsoft doesn’t report all security vulnerabilities that it fixes in its software. Bug comparisons between vendors therefore paint an incorrect picture.

“We don’t document every issue found,” Mike Reavey, director of the Microsoft Security Response Center (MSRC), said at a meeting with reporters at the company’s corporate headquarters in Redmond, Washington.

Microsoft will issue a Common Vulnerabilities and Exposures (CVE) number to a vulnerability for flaws that share the same severity, have an attack vector and a workaround. If several flaws share all the same properties, they will not be reported separately, Reavey said.

The nondisclosure of fixes was brought to light early this month by a company called Core Security Technologies. After studying the Microsoft patches MS10-024 and MS10-028, it noticed three silent fixes. Security bulletin MS10-028 addressed a flaw that would expose a user of Microsoft Visio to a buffer overflow attack, which would allow an attacker to take over control of the system.

Finally. Thanks for the honesty. So how much damage has been caused by Microsoft’s lies so far? Microsoft has been denying this for years, but not exactly denying, either. It was spinning and avoiding the actual question. It’s the art of lying without practically lying, just evading. Adobe is at least honest about its proprietary software being insecure garbage. As far as we are aware, Adobe hasn’t a long history of systematic lying, unlike Microsoft.

“Microsoft smacks patch-blocking rootkit second time,” says another new report from Gregg Keizer.

For the second month in a row, Microsoft has tried to eradicate a mutating rootkit that has blocked some Windows users from installing security updates.

Here is another one (also here):

Jerry Bryant, a group manager with the Microsoft Security Response Center (MSRC), said his team is looking into Raskin’s claims, but hinted that Microsoft wouldn’t be patching IE anytime soon. “I wouldn’t classify this as a ‘vulnerability’ though,” Bryant said in an e-mail answer to questions.

The followup says:

Will browser makers patch this? Unlikely. Microsoft’s Jerry Bryant, a general manager at the company’s security response center, said the issue isn’t a security vulnerability per se, and that Internet Explorer (IE) falls for the scam because that’s the way browsers work.

“Working with [Raskin's] proof-of-concept, as written, is expected,” he said in an e-mail Tuesday when asked whether Microsoft had a fix in mind for IE.

Let’s remember how much damage was caused this year because Microsoft had refused to patch known Internet Explorer flaws for five months [1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12]. Where is the liability [1, 2, 3, 4, 5]? Watch what is happening in Denver right now.

Denver officials have asked the FBI, Denver police and Microsoft Corp. to help them identify the person or people who have hacked into the city’s website twice in the past week.

If Microsoft gets involved, then it almost must be a Windows server.

A Single Comment

  1. twitter said,

    June 1, 2010 at 5:52 pm

    Microsoft was cornered in two ways. First, people noticed a “silent patch”. The more fundamental bust, however, is that no one with a clue ever believed the “get the facts” propaganda. Only someone with a financial interest will tell you that Windows and GNU/Linux security are equivalent. Only someone without free software experience will believe them.

    Microsoft will go on telling the same lies. “Get the Facts” was not some kind of subtle spin. It was a direct lie, constructed of fabricated evidence, relentlessly pushed anywhere and everywhere people with computer purchasing power and developers had a discussion. Each point of the lie was refuted almost as many times. Someone might get fired for getting caught and Microsoft will keep telling the world that Windows is the most secure software ever.
