05.31.10

Microsoft Finally Admits Numbers of Vulnerabilities It Reports Are Fake

Posted in Deception, GNU/Linux, Microsoft, Red Hat, Security, Servers, Windows at 6:14 am by Dr. Roy Schestowitz

Microsoft lies

Summary: Mike Reavey, the director of the Microsoft Security Response Center, admits that Microsoft is silently patching vulnerabilities without ever reporting the problem

IT’S official. Microsoft is a liar. Again. Now there is even admission from Microsoft, confirming an issue which we first raised some weeks ago. Whenever Microsoft says it patches x number of flaws with y number of patches/bulletins, Microsoft ought to be assumed to be lying. Microsoft’s silent patching is a subject we have been covering for years and it helps explain why one in two Windows PCs is believed to be a zombie PC, despite Microsoft’s claims that all of its flaws are being addressed. All those fake comparisons against platforms like Red Hat Enterprise Linux (where Microsoft stacks up and aggregates numbers of flaws) can be thrown into the wastebasket. If convincing proof is needed, here it is. Microsoft first tried to spin it (for weeks) and now it gives up and tells the truth.

Microsoft Official Admits to Quiet Security Patching

Microsoft doesn’t report all security vulnerabilities that it fixes in its software. Bug comparisons between vendors therefore paint an incorrect picture.

“We don’t document every issue found,” Mike Reavey, director of the Microsoft Security Response Center (MSRC), said at a meeting with reporters at the company’s corporate headquarters in Redmond, Washington.

Microsoft will issue a Common Vulnerabilities and Exposures (CVE) number to a vulnerability for flaws that share the same severity, have an attack vector and a workaround. If several flaws share all the same properties, they will not be reported separately, Reavey said.

The nondisclosure of fixes was brought to light early this month by a company called Core Security Technologies. After studying the Microsoft patches MS10-024 and MS10-028, it noticed three silent fixes. Security bulletin MS10-028 addressed a flaw that would expose a user of Microsoft Visio to a buffer overflow attack, which would allow an attacker to take over control of the system.

Finally. Thanks for the honesty. So how much damage has been caused by Microsoft’s lies so far. Microsoft has been denying this for years, but not exactly denying, either. It was spinning and avoiding the actual question. It’s the art of lying without practically lying, just evading. Adobe is at least honest about its proprietary software being insecure garbage. As far as we are aware, Adobe hasn’t a long history of systematic lying, unlike Microsoft.

“Microsoft smacks patch-blocking rootkit second time,” says another new report from Gregg Keizer.

For the second month in a row, Microsoft has tried to eradicate a mutating rootkit that has blocked some Windows users from installing security updates.

Here is another one (also here):

Jerry Bryant, a group manager with the Microsoft Security Response Center (MSRC), said his team is looking into Raskin’s claims, but hinted that Microsoft wouldn’t be patching IE anytime soon. “I wouldn’t classify this as a ‘vulnerability’ though,” Bryant said in an e-mail answer to questions.

The followup says:

Will browser makers patch this? Unlikely. Microsoft’s Jerry Bryant, a general manager at the company’s security response center, said the issue isn’t a security vulnerability per se, and that Internet Explorer (IE) falls for the scam because that’s the way browsers work.

“Working with [Raskin's] proof-of-concept, as written, is expected,” he said in an e-mail Tuesday when asked whether Microsoft had a fix in mind for IE.

Let’s remember how much damage was caused this year because Microsoft had refused to patch known Internet Explorer flaws for five months [1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12]. Where is the liability [1, 2, 3, 4, 5]? Watch what it happening in Denver right now.

Denver officials have asked the FBI, Denver police and Microsoft Corp. to help them identify the person or people who have hacked into the city’s website twice in the past week.

If Microsoft gets involved, then it almost must be a Windows server.

Share in other sites/networks: These icons link to social bookmarking sites where readers can share and discover new web pages.
  • Reddit
  • email

This post is also available in Gemini over at:

gemini://gemini.techrights.org/2010/05/31/silent-patching-confirmed-by-msft/

If you liked this post, consider subscribing to the RSS feed or join us now at the IRC channels.

Pages that cross-reference this one

A Single Comment

  1. twitter said,

    June 1, 2010 at 5:52 pm

    Gravatar

    Microsoft was cornered in two ways. First, people noticed a “silent patch”. The more fundamental bust, however, is that no one with a clue ever believed the “get the facts” propaganda. Only someone with a financial interest will tell you that Windows and GNU/Linux security are equivalent. Only someone without free software experience will believe them.

    Microsoft will go on telling the same lies. “Get the Facts” was not some kind of subtle spin. It was a direct lie, constructed of fabricated evidence, relentlessly pushed anywhere and everywhere people with computer purchasing power and developers had a discussion. Each point of the lie was refuted almost as many times. Someone might get fired for getting caught and Microsoft will keep telling the world that Windows is the most secure software ever.

What Else is New

  1. Links 16/5/2021: ExTiX 21.5, Drumstick Multiplatform MIDI File Player Refresh

    Links for the day

  2. EPO.org is a Really Awful Source of Information

    The site that bears a .org suffix is actually more like a private corporation lying about itself in order to save face and attract more money -- or in other words funds that will be squandered and stolen by corrupt administrators

  3. IBM Has Changed a Lot Since 2018, and Not for the Better

    IBM isn't that much of an ally of GNU/Linux as a community-led or community-centric operating system; IBM is in it all just for IBM and we need to treat IBM accordingly

  4. [Meme] Criticising IBM is Racist and Intolerant

    Systemd is becoming untouchable and its critics are framed as "toxic" or "trolls", no matter the facts and irrespective of the technical substance of their complaints

  5. Combatting Revisionist History (Post From 2015, Years Before IBM Bought Red Hat and Increased Vendor Lock-in)

    Today we republish this forum post from more than 6 years ago; in light of what IBM did to CentOS and its vicious attack on the founder of the GNU/Linux operating system we must understand the systemd agenda, which the FSF can more openly speak about now that there are no financial strings

  6. Kyle Wiens, CEO of iFixit: Right to Repair

    Uploaded earlier this month was this talk and accompanying slides; summary below

  7. IRC Proceedings: Saturday, May 15, 2021

    IRC logs for Saturday, May 15, 2021

  8. [Meme] When All That Matters is 'Production' and 'Timeliness'

    The EPO has gone down the same route as the U.S. Patent and Trademark Office (USPTO) when it comes to patent quality; as if the goal is to grant 11 million patents (most of them in just a few decades) rather than assess the impact of such patents

  9. The EPO's War on Justice and Assault on the Law -- Part 8: The Radical Student “Brotherhood”

    The latest part in this series explores the roots of Judge Josefsson; that can help explain how Benoît Battistelli constructed his stacked EPO ‘court’, which he and António Campinos basically control to rubber-stamp whatever illegal practices they engage in (in pursuit of money and power, at the expense of the law)

  10. Christoph Ernst Lecturing Us on “Transparency” and EPO Corruption (as Well as Assault on the EPC) Becoming a “New Normal”

    The EPO’s administration continues rushing ahead with an unlawful agenda, exploiting a pandemic that’s gradually coming under control regardless to shred apart the EPC

  11. Richard Stallman's Talk About New/er Risks to Free Software (Free as in Freedom-Respecting, Libre)

    Richard M. Stallman (RMS) gave the above talk not too long before the attacks on him intensified greatly, serving to silence him for nearly 2 years

  12. Jacques Michel and Willy (Guillaume) Minnoye: Stakeholders in EPO Lawlessness

    Former EPO Vice-Presidents who wish not to be held accountable for what they did in the Office (or be chased after leaving their duties, finishing/ending terms there) are adding fuel to the illegal agenda of an EPOnian regime

  13. Links 15/5/2021: Godot 3.3.1 RC 2 and Pine64 Hardware in Focus

    Links for the day

  14. The EPO's War on Justice and Assault on the Law -- Part 7: Calle's Strange Metamorphosis

    Sources believe the “legal anarchy” that EPOnia became notorious for, especially when it comes to handling referrals at the EPO‘s BoA, will become a dark legacy — a legacy that would, if he was alive, disappoint even Josefsson’s source of inspiration

  15. Making up Law at the EPO

    Another video about the ongoing EPO series and some news/commentary from around the Web

  16. Over a Thousand Videos (or Audio Files) and More Protocols Supported

    From just a Web site (ordinary HTTP/S protocol) we've expanded to alternative channels of communication; this is a quick roundup, with focus on last night's development work (already pushed into our self-hosted Git repository)

  17. IRC Proceedings: Friday, May 14, 2021

    IRC logs for Friday, May 14, 2021

  18. Nathan Proctor: Right to Repair and the DMCA

    LibrePlanet 2019 video

  19. [Meme] Calle Calling...

    The values of the Habermasian EPO judge depend on who’s paying the salary

  20. The EPO's War on Justice and Assault on the Law -- Part 6: The Habermasian Who Warned About “Legal Anarchy”

    The political orientation of a Benoît Battistelli-appointed EPO judge who has the audacity to talk about legal anarchy and bemoan abuse of the law; the António Campinos administration extended his term until (at least) 2027

  21. Paid-for Plugs and Coordinated Marketing Fluff (PR Campaigns) Are Ruining 'Linux' Sites

    Junk 'articles' (just marketing disguised as 'news') spoil the World Wide Web; companies repeat the same sales pitch over and over again, sometimes leveraging what they perceive to be avenues read by geeks

  22. Links 15/5/2021: GCC 8.5, Fedora Community Revamp

    Links for the day

  23. Links 14/5/2021: FreeBSD on the Pine H6, Red Hat Hiring

    Links for the day

  24. Protecting Freenode is Protecting the Free Software Movement

    Freenode may seem like a negligible corner of the Internet, which media never bothers mentioning at all; but Freenode, which many have come to take for granted, is core infrastructure for many Free software projects and protecting the network is essential for the Free Software Movement

  25. EPO Justice

    Justice in Europe's second-largest institution, where the law itself is a second-class citizen

  26. IRC Proceedings: Thursday, May 13, 2021

    IRC logs for Thursday, May 13, 2021

  27. Understanding How Freenode (IRC) Works -- or Doesn't Work -- in 2021

    There is a conflict going on behind the scenes at Freenode, but there are also sincere and well-meaning attempts to undo the damage and get back to normal

  28. [Meme] Judges the Office Cannot Control Are Just Nazis With Weapons in Their Office...

    The EPO hasn’t been run by grown-ups for over ten years; Benoît Battistelli, António Campinos and their confidants cannot grasp the concept of law, just blind loyalty

  29. The EPO's War on Justice and Assault on the Law -- Part 5: Battistelli's “Swedish Chef”

    The EPO's 'courts' are controlled by the people whom they're supposed to judge on; this has been the case for at least half a decade

  30. Links 14/5/2021: KDE Plasma 5.22 Beta and GNOME 40 in Gentoo

    Links for the day

RSS 64x64RSS Feed: subscribe to the RSS feed for regular updates

Home iconSite Wiki: You can improve this site by helping the extension of the site's content

Home iconSite Home: Background about the site and some key features in the front page

Chat iconIRC Channel: Come and chat with us in real time

Recent Posts