Bonum Certa Men Certa

Why Microsoft's Security Reports Are a Scam

Microsoft lies



Summary: Microsoft is caught lying again, by essentially patching serious flaws while hiding their very existence

TO PUT it bluntly but rather fairly or at least realistically, Microsoft is a company of systematic liars and nobody should ever trust a word that comes out of their mouths. They believe that these lies are acceptable because they serve some higher goal or that it's a white lie when it helps one's investors or bank account (or perceived sense of security). The examples we have given (e.g. [1, 2, 3, 4, 5]) are too many to list here exhaustively, so we won't attempt to list such examples in a more compelling way.



One point that we stressed and demonstrated several years ago is that Microsoft fakes its reports when it comes to security; people buy their software based on false premises, lack of disclosure, and outright lies.

Putting aside several examples from several years ago, we now have some new examples where Microsoft gets caught (which is hard to achieve because the code is secret). As Slashdot summarised it:

"Microsoft silently patched three vulnerabilities last month, two of them affecting enterprise mission-critical Exchange mail servers, without calling out the bugs in the accompanying advisories, a security expert said on Thursday. Two of the three unannounced vulnerabilities, and the most serious of the trio, were packaged with MS10-024, an update to Exchange and Windows SMTP Service that Microsoft issued April 13 and tagged as 'important,' its second-highest threat ranking. Ivan Arce, CTO of Core Security Technologies, said Microsoft patched the bugs, but failed to disclose that it had done so — which could pose a problem. 'They're more important than the [two vulnerabilities] that Microsoft did disclose,' said Arce. 'That means [system] administrators may end up making the wrong decisions about applying the update. They need that information to assess the risk.'"


Here is the corresponding article.

Microsoft silently patched three vulnerabilities last month, two of them affecting enterprise mission-critical Exchange mail servers, without calling out the bugs in the accompanying advisories, a security expert said today.

Two of the three unannounced vulnerabilities, and the most serious of the trio, were packaged with MS10-024, an update to Exchange and Windows SMTP Service that Microsoft issued April 13 and tagged as "important," its second-highest threat ranking.

According to Ivan Arce, the chief technology officer of Core Security Technologies, Microsoft patched the bugs, but failed to disclose that it had done so.


This has already been covered by The Register too:

A recent security patch from Microsoft silently fixed two severe bugs that were never disclosed even though they posed a risk to many of its customers, a security researcher said.

MS10-024 fixed two flaws that made it possible for adversaries to intercept victims' email messages sent by Exchange and Windows SMTP service, Nicolás Economou, a researcher with Core Security said. But the bugs - which made it "trivial" to spoof responses to domain name system queries - weren't disclosed and were never assigned a Common Vulnerabilities and Exposure identifier, sparking criticism that the critical bugs weren't properly disclosed.


Next time Microsoft shows any comparisons involving a number of flaws or severity of flaws, refuse to accept them. Microsoft is the boy who cried "Wolf!" and the above serves as an example of behaviour that has gone on for years (rarely detected though because it's hard).

Comments

Recent Techrights' Posts

LLM Hype is Already Descending, Apple Stopped Investing in the Money Furnace
Wall Street is a perverse force in the technology market, incentivising the most harmful (and mostly useless) things
Change Control and What Will Come After Git (If That's Still Possible at All)
It would be wrong to believe (at least misguided) Git can be a "standard" skill 30 or 50 years from now.
On the Web, HTTPS Has Actually Become a Privacy Problem (Broadcasting Usage/Access to the All-Seeing CA Eye). Geminispace Doesn't Have This Problem.
Down to 23 capsules: the rapid demise of Certificate Authority (CA) Let's Encrypt in Geminispace
Links 07/10/2024: Politics, Education, Wars, Financial Crunch
Links for the day
Munich Was Having Real Difficulties Moving From GNU/Linux to Windows
How many are still using GNU/Linux?
Links 07/10/2024:China’s 'Deflation' (Price Decreases), Brazil Still Bars Twitter ("X")
Links for the day
Links 07/10/2024: "Creative Computing" Turns 50, Long War in Middle East Turns 1
Links for the day
Gemini Links 07/10/2024: Luck and Dishonesty, Gaming Getting Worse
Links for the day
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Sunday, October 06, 2024
IRC logs for Sunday, October 06, 2024
EPO: We Give Recognition to Frauds
Good to see some frank recognition right there in the EPO's own Web site
Even Though We Don't Focus on statCounter for Now (Not Our Top Priority) GNU/Linux Reaches New Highs This Month:
We caught GNU/Linux at 4.86% before, but only temporarily
Links 06/10/2024: Ham Radio for Recovery, Health Problems Worldwide
Links for the day
Gemini Links 06/10/2024: Special Interest Galore and Religion
Links for the day
Keeping Control Out of Dictators' Hands
When people are just "numbers"...
Links 06/10/2024: Misinformation Growing on the Web, "Hey Hi" Hype Waning for Lack of RoI
Links for the day
[Meme] Years Have Passed and EPO Management Still Isn't Obeying a Ruling From a Court Regarding Communications Between Staff
Representatives talking to their staff is "privacy violation"?
Presentations of the Staff Union of the European Patent Office in Its Headquarters Tomorrow After Work
Annual General Meeting and reports
Gemini Links 06/10/2024: SSH Keys and Hobby Game Development
Links for the day
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Saturday, October 05, 2024
IRC logs for Saturday, October 05, 2024
[Meme] How to Keep Granting Hundreds of Thousands of Fake Patents (Without Upsetting Anybody in Politics and Media)
This is very Kremlin-like
EPO Examiners to Adopt Resolution Condemning EPO Management for Breaking the Law in Order to Grant Many Illegal Software Patents
Europe's second-largest institution (EPO) is a law-breaking institution hiding behind the veil of "law"
[Meme] Sup, Nazi?
"Come back, one year"
Calling "Nazi" and "Right Wing" Everyone Who Does Not Agree With You (Even Leftists Whose Views on Some Issues Slightly Differ From Yours)
Oil money has become exceptionally notorious for takeover of online platforms and institutions/NGOs (using them to incite society inwards, not upwards)
EFF Losing the Plot
Like the Linux Foundation and OSI, the EFF has succumbed to corporate influence and is derailing itself (along with its original mission)
Links 05/10/2024: Patents Being Squashed, EFF Insists on Children's Access to Porn
Links for the day
Gemini Links 05/10/2024: Multitudinous Agreeable Futures and Misfin Mail
Links for the day
EFF Celebrates Microsoft Windows and Microsoft Office as "Digital Inclusion", Mocks GNU/Linux-Based ChromeOS
Yet another example/evidence that EFF has become a rotten pile of junk
Links 05/10/2024: Amazon Culling 14,000 Managers, About 160 People Resign From Automattic
Links for the day
Microsoft Moles in Nerdearla, Openwashing and Whitewashing Microsoft With Its Latest Ponzi Scheme and Storytelling
Also GPL violations en masse
The Danger of Outsourcing Your Platform to Social Control Media and Getting "Information" There
Stella is probably not aware of what she has just done
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Friday, October 04, 2024
IRC logs for Friday, October 04, 2024
Links 05/10/2024: Shift to ARM, Microsoft XBox Crisis
Links for the day