Bonum Certa Men Certa

Microsoft Finally Admits Numbers of Vulnerabilities It Reports Are Fake

Microsoft lies



Summary: Mike Reavey, the director of the Microsoft Security Response Center, admits that Microsoft is silently patching vulnerabilities without ever reporting the problem

It's official. Microsoft is a liar. Again. Now there is even an admission from Microsoft, confirming an issue which we first raised some weeks ago. Whenever Microsoft says it patches x number of flaws with y number of patches/bulletins, Microsoft ought to be assumed to be lying. Microsoft's silent patching is a subject we have been covering for years and it helps explain why one in two Windows PCs is believed to be a zombie PC, despite Microsoft's claims that all of its flaws are being addressed. All those fake comparisons against platforms like Red Hat Enterprise Linux (where Microsoft stacks up and aggregates numbers of flaws) can be thrown into the wastebasket. If convincing proof is needed, here it is. Microsoft first tried to spin it (for weeks) and now it gives up and tells the truth.



Microsoft Official Admits to Quiet Security Patching



Microsoft doesn't report all security vulnerabilities that it fixes in its software. Bug comparisons between vendors therefore paint an incorrect picture.

"We don't document every issue found," Mike Reavey, director of the Microsoft Security Response Center (MSRC), said at a meeting with reporters at the company's corporate headquarters in Redmond, Washington.

Microsoft will issue a Common Vulnerabilities and Exposures (CVE) number to a vulnerability for flaws that share the same severity, have an attack vector and a workaround. If several flaws share all the same properties, they will not be reported separately, Reavey said.

The nondisclosure of fixes was brought to light early this month by a company called Core Security Technologies. After studying the Microsoft patches MS10-024 and MS10-028, it noticed three silent fixes. Security bulletin MS10-028 addressed a flaw that would expose a user of Microsoft Visio to a buffer overflow attack, which would allow an attacker to take over control of the system.


Finally. Thanks for the honesty. So how much damage has been caused by Microsoft's lies so far? Microsoft has been denying this for years, but not exactly denying, either. It was spinning and avoiding the actual question. It's the art of lying without practically lying, just evading. Adobe is at least honest about its proprietary software being insecure garbage. As far as we are aware, Adobe hasn't a long history of systematic lying, unlike Microsoft.

"Microsoft smacks patch-blocking rootkit second time," says another new report from Gregg Keizer.

For the second month in a row, Microsoft has tried to eradicate a mutating rootkit that has blocked some Windows users from installing security updates.


Here is another one (also here):

Jerry Bryant, a group manager with the Microsoft Security Response Center (MSRC), said his team is looking into Raskin's claims, but hinted that Microsoft wouldn't be patching IE anytime soon. "I wouldn't classify this as a 'vulnerability' though," Bryant said in an e-mail answer to questions.


The followup says:

Will browser makers patch this? Unlikely. Microsoft's Jerry Bryant, a general manager at the company's security response center, said the issue isn't a security vulnerability per se, and that Internet Explorer (IE) falls for the scam because that's the way browsers work.

"Working with [Raskin's] proof-of-concept, as written, is expected," he said in an e-mail Tuesday when asked whether Microsoft had a fix in mind for IE.


Let's remember how much damage was caused this year because Microsoft had refused to patch known Internet Explorer flaws for five months [1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12]. Where is the liability [1, 2, 3, 4, 5]? Watch what is happening in Denver right now.

Denver officials have asked the FBI, Denver police and Microsoft Corp. to help them identify the person or people who have hacked into the city's website twice in the past week.


If Microsoft gets involved, then it almost must be a Windows server.
