Microsoft falls for Vista security hoax

The Week Of Vista Bugs promised to report an unpatched Vista bug every day this week

An April Fool's joke that aimed to expose sensational media coverage and educate non-security experts failed to find any victims.

A self-proclaimed group of hackers set up The Week Of Vista Bugs website that promised to report an unpatched Vista bug every day this week. 

Pioneered by security researcher H D Moore last summer, projects aiming to uncover vulnerabilities every day for a week or a month have proved a powerful way to direct the public's attention to security issues in certain applications. 

Applications targeted by such daily security disclosures included browsers, Apple's OS X, Oracle software and MySpace.  

"Education is an important step to consider in security. People have, as experts do, to rely on real facts, things they can verify," the group warned on a website where they exposed their hoax.

The Week of Vista Bugs issued its first 'security alert' on Monday, warning people against an allegedly critical flaw that offered a way to bypass the firewall in Vista.

The alert was riddled with technical lingo, but the educated reader would have been able to see through the hoax.

Apparently most media saw through it as well. Google News does not list a single English media outlet that picked up the report.

The report was noticed by vnunet.com, but was not published. As part of our standard fact-checking procedures, vnunet.com contacted Microsoft on Monday with a request for comment on the reported flaw. 

The company issued a generic public relation statement, but did not expose the report as a hoax.

A Microsoft spokesperson said on Monday that the Microsoft Security Research Center is "aware of 'The Week of Vista Bugs' project in which details about possible issues affecting Windows Vista will be publicly disclosed.

"As always, the Microsoft Security Response Center will stand ready to mobilise its teams to investigate, fix and learn from any vulnerabilities discovered through the project, and take appropriate action to protect its customers as needed."

The person responsible for the hoax said that Microsoft did not contact the team.

Symantec flagged the report in its DeepSight subscription-based threat management alert network. But researchers for the company warned that the report failed to prove the claimed flaws.