05.31.10

Microsoft Finally Admits Numbers of Vulnerabilities It Reports Are Fake

Posted in Deception, GNU/Linux, Microsoft, Red Hat, Security, Servers, Windows at 6:14 am by Dr. Roy Schestowitz

Summary: Mike Reavey, the director of the Microsoft Security Response Center, admits that Microsoft is silently patching vulnerabilities without ever reporting the problem

IT’S official. Microsoft is a liar. Again. Now there is even admission from Microsoft, confirming an issue which we first raised some weeks ago. Whenever Microsoft says it patches x number of flaws with y number of patches/bulletins, Microsoft ought to be assumed to be lying. Microsoft’s silent patching is a subject we have been covering for years and it helps explain why one in two Windows PCs is believed to be a zombie PC, despite Microsoft’s claims that all of its flaws are being addressed. All those fake comparisons against platforms like Red Hat Enterprise Linux (where Microsoft stacks up and aggregates numbers of flaws) can be thrown into the wastebasket. If convincing proof is needed, here it is. Microsoft first tried to spin it (for weeks) and now it gives up and tells the truth.

Microsoft Official Admits to Quiet Security Patching

Microsoft doesn’t report all security vulnerabilities that it fixes in its software. Bug comparisons between vendors therefore paint an incorrect picture.

“We don’t document every issue found,” Mike Reavey, director of the Microsoft Security Response Center (MSRC), said at a meeting with reporters at the company’s corporate headquarters in Redmond, Washington.

Microsoft will issue a Common Vulnerabilities and Exposures (CVE) number to a vulnerability for flaws that share the same severity, have an attack vector and a workaround. If several flaws share all the same properties, they will not be reported separately, Reavey said.

The nondisclosure of fixes was brought to light early this month by a company called Core Security Technologies. After studying the Microsoft patches MS10-024 and MS10-028, it noticed three silent fixes. Security bulletin MS10-028 addressed a flaw that would expose a user of Microsoft Visio to a buffer overflow attack, which would allow an attacker to take over control of the system.

Finally. Thanks for the honesty. So how much damage has been caused by Microsoft’s lies so far? Microsoft has been denying this for years, though not exactly denying, either: it was spinning and avoiding the actual question. It’s the art of lying without technically lying, just evading. Adobe is at least honest about its proprietary software being insecure garbage. As far as we are aware, Adobe doesn’t have a long history of systematic lying, unlike Microsoft.

“Microsoft smacks patch-blocking rootkit second time,” says another new report from Gregg Keizer.

For the second month in a row, Microsoft has tried to eradicate a mutating rootkit that has blocked some Windows users from installing security updates.

Here is another one (also here):

Jerry Bryant, a group manager with the Microsoft Security Response Center (MSRC), said his team is looking into Raskin’s claims, but hinted that Microsoft wouldn’t be patching IE anytime soon. “I wouldn’t classify this as a ‘vulnerability’ though,” Bryant said in an e-mail answer to questions.

The followup says:

Will browser makers patch this? Unlikely. Microsoft’s Jerry Bryant, a general manager at the company’s security response center, said the issue isn’t a security vulnerability per se, and that Internet Explorer (IE) falls for the scam because that’s the way browsers work.

“Working with [Raskin's] proof-of-concept, as written, is expected,” he said in an e-mail Tuesday when asked whether Microsoft had a fix in mind for IE.

Let’s remember how much damage was caused this year because Microsoft had refused to patch known Internet Explorer flaws for five months [1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12]. Where is the liability [1, 2, 3, 4, 5]? Watch what is happening in Denver right now.

Denver officials have asked the FBI, Denver police and Microsoft Corp. to help them identify the person or people who have hacked into the city’s website twice in the past week.

If Microsoft gets involved, then it almost must be a Windows server.

A Single Comment

  1. twitter said,

    June 1, 2010 at 5:52 pm

    Microsoft was cornered in two ways. First, people noticed a “silent patch”. The more fundamental bust, however, is that no one with a clue ever believed the “get the facts” propaganda. Only someone with a financial interest will tell you that Windows and GNU/Linux security are equivalent. Only someone without free software experience will believe them.

    Microsoft will go on telling the same lies. “Get the Facts” was not some kind of subtle spin. It was a direct lie, constructed of fabricated evidence, relentlessly pushed anywhere and everywhere people with computer purchasing power and developers had a discussion. Each point of the lie was refuted almost as many times. Someone might get fired for getting caught and Microsoft will keep telling the world that Windows is the most secure software ever.
