Bonum Certa Men Certa

Microsoft Finally Admits Numbers of Vulnerabilities It Reports Are Fake

Microsoft lies



Summary: Mike Reavey, the director of the Microsoft Security Response Center, admits that Microsoft is silently patching vulnerabilities without ever reporting the problem

IT'S official. Microsoft is a liar. Again. Now there is even admission from Microsoft, confirming an issue which we first raised some weeks ago. Whenever Microsoft says it patches x number of flaws with y number of patches/bulletins, Microsoft ought to be assumed to be lying. Microsoft's silent patching is a subject we have been covering for years and it helps explain why one in two Windows PCs is believed to be a zombie PC, despite Microsoft's claims that all of its flaws are being addressed. All those fake comparisons against platforms like Red Hat Enterprise Linux (where Microsoft stacks up and aggregates numbers of flaws) can be thrown into the wastebasket. If convincing proof is needed, here it is. Microsoft first tried to spin it (for weeks) and now it gives up and tells the truth.



Microsoft Official Admits to Quiet Security Patching



Microsoft doesn't report all security vulnerabilities that it fixes in its software. Bug comparisons between vendors therefore paint an incorrect picture.

"We don't document every issue found," Mike Reavey, director of the Microsoft Security Response Center (MSRC), said at a meeting with reporters at the company's corporate headquarters in Redmond, Washington.

Microsoft will issue a Common Vulnerabilities and Exposures (CVE) number to a vulnerability for flaws that share the same severity, have an attack vector and a workaround. If several flaws share all the same properties, they will not be reported separately, Reavey said.

The nondisclosure of fixes was brought to light early this month by a company called Core Security Technologies. After studying the Microsoft patches MS10-024 and MS10-028, it noticed three silent fixes. Security bulletin MS10-028 addressed a flaw that would expose a user of Microsoft Visio to a buffer overflow attack, which would allow an attacker to take over control of the system.


Finally. Thanks for the honesty. So how much damage has been caused by Microsoft's lies so far. Microsoft has been denying this for years, but not exactly denying, either. It was spinning and avoiding the actual question. It's the art of lying without practically lying, just evading. Adobe is at least honest about its proprietary software being insecure garbage. As far as we are aware, Adobe hasn't a long history of systematic lying, unlike Microsoft.

"Microsoft smacks patch-blocking rootkit second time," says another new report from Gregg Keizer.

For the second month in a row, Microsoft has tried to eradicate a mutating rootkit that has blocked some Windows users from installing security updates.


Here is another one (also here):

Jerry Bryant, a group manager with the Microsoft Security Response Center (MSRC), said his team is looking into Raskin's claims, but hinted that Microsoft wouldn't be patching IE anytime soon. "I wouldn't classify this as a 'vulnerability' though," Bryant said in an e-mail answer to questions.


The followup says:

Will browser makers patch this? Unlikely. Microsoft's Jerry Bryant, a general manager at the company's security response center, said the issue isn't a security vulnerability per se, and that Internet Explorer (IE) falls for the scam because that's the way browsers work.

"Working with [Raskin's] proof-of-concept, as written, is expected," he said in an e-mail Tuesday when asked whether Microsoft had a fix in mind for IE.


Let's remember how much damage was caused this year because Microsoft had refused to patch known Internet Explorer flaws for five months [1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12]. Where is the liability [1, 2, 3, 4, 5]? Watch what it happening in Denver right now.

Denver officials have asked the FBI, Denver police and Microsoft Corp. to help them identify the person or people who have hacked into the city's website twice in the past week.


If Microsoft gets involved, then it almost must be a Windows server.

Comments

Recent Techrights' Posts

The Only Thing the So-called 'Hey Hi Revolution' Gave Microsoft is More Debt
Microsoft bailouts
FUD Alert: 2024 is Not 2011 and Ebury is Not "Linux"
We've seen Microsofers (actual Microsoft employees) putting in a lot of effort to shift the heat to Linux
[Video] 'Late Stage Capitalism': Microsoft as an Elaborate Ponzi Scheme (Faking 'Demand' While Portraying the Fraud as an Act of Generosity and Demanding Bailouts)
Being able to express or explain the facts isn't easy because of the buzzwords
 
Links 16/05/2024: Orangutans as Political Props, VMware Calls Proprietary 'Free'
Links for the day
TechTarget (and Computer Weekly et al): We Target 'Audiences' to Sell Your Products (Using Fake Articles and Surveillance)
It is a deeply rogue industry that's killing legitimate journalism by drowning out the signal (real journalism) with sponsored fodder
Links 15/05/2024: XBox Trouble, Slovakia PM Shot 5 Times
Links for the day
Windows in Times of Conflict
In pictures
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Wednesday, May 15, 2024
IRC logs for Wednesday, May 15, 2024
Gemini Links 15/05/2024: 50 Years of Text Games
Links for the day
Ebury is Not "Linux", That's Just the Media Shifting Attention (Microsoft in the Hot Seat for Total Breach Right Now)
Seems like it may be a Trojan
Links 15/05/2024: Growing Tensions Between East and West, Anticlimax in Chatbot Space
Links for the day
Richard Stallman Talk 'Delayed'
"Repousé à une date ultérieur. Du au congé, il n'était pas possible de l'organiser bien dans le temps disponible."
Links 15/05/2024: Toll on Climate Change, Physical Assaults on Politicians
Links for the day
[Meme] Free Society Requires Free Press
The Assange decision is now less than a week away (after several delays and demand for shallow 'assurances')
CyberShow Goes "Live"
The CyberShow has a similar worldview (on technology and ethics) to ours
Latest Status of Site Archives (Static Pages)
article listings are reaching a near-final form
IRC Proceedings: Tuesday, May 14, 2024
IRC logs for Tuesday, May 14, 2024
Over at Tux Machines...
GNU/Linux news for the past day
Today's Talk by Richard Stallman Going Ahead as Planned
That talk will be in French
At This Pace (and Rate) It Won't Take Long for Android to Unseat Windows in Russia
Operating System Market Share Russian Federation
[Video] The High Cost of High-Level Tools and High-Level Programming Languages
Windows and Microsoft-style teaching remain a barrier to simple programming
Linux and Linux Foundation Leftovers
Some more Linux news
Africa is Still Android
Operating System Market Share Africa: May 2024
Windows Falls to 10% in Uganda, It Was 94% in 2010
Microsoft fell from market dominance to (soon) single digit (percent-wise).
Grouping Our Archives by Week
No more 'numbers lottery', the clustering is based on dates
[Video] LinuxFest Northwest is Letting GAFAM Take Over (and Why It's Hard to Resist)
Microsoft and LinuxFest Northwest
Links 14/05/2024: Bounties on Terrible Patents, China Censors Dissidents Internationally via Attack Dogs
Links for the day
Gemini Links 14/05/2024: Server Failure Swallows rawtext.club
Links for the day
Links 14/05/2024: SoftBank and ARM Chasing Hype, "Why Are You Working?"
Links for the day
Links 14/05/2024: Microsoft Edelman Works for Climate Change Deniers, NATO Draws a Cyber Red Line in Tensions With Russia
Links for the day
Feasibility of Self-Hosting is About More Than Speeds
Speed helps, but the Internet (Net) is a global, interconnected system that no single person or company or government fully controls
EPO: Language of Conflict
A letter about this has already been sent
IRC Proceedings: Monday, May 13, 2024
IRC logs for Monday, May 13, 2024
Over at Tux Machines...
GNU/Linux news for the past day
Watching Our Videos Before We Write Articles for Them
It has long been possible
Microsoft is Measured at Lower Than Apple in Niger (Of Course Android Dominates)
Niger's OS share (as measured by Web sites) is subjected to significant fluctuations because it's not highly connected
Refuting the Ludicrous, Laughable Idea I Don't (or Cannot) Code
I've written code for 30 years
[Meme] "Talk is Cheap. Show Me the Code." - Linus Torvalds
be like Chad
Windows in Chad: Going Extinct
From 100% to 1%?
Doing the Site From Home (What I Always Wanted to Do)
Even some of the hosting was done from home (since 2020)