It has been a very busy year when it comes to Microsoft zero-day attacks. According to KrebsOnSecurity, May is the only month in 2021 that Microsoft didn’t release a patch to defend against at least one zero-day exploit. And Microsoft vulnerabilities are playing a bigger role in the spate of ransomware infections organizations are grappling with than most probably are aware of (more on that below).
The issue is not the mere presence of vulnerabilities in Microsoft code – that’s something that unfortunately is almost unavoidable when you’re dealing with billions of lines of code, and most developer shops make a serious effort to weed them out before the code goes into production.
Until we find a way to reliably automate vulnerability remediation at scale, there are going to be exploitable bugs now and again.
The issue here is Microsoft’s lackluster track record in assuring fewer vulnerabilities make it to market so their customers can be more secure – and it’s security that is the real rub here.
Over the last few years, Microsoft has been making huge investments in security, but those investments are not focused on making their products more secure, they are directed at developing new product offerings in the security space.
To be clear here, Microsoft as an organization has made a conscious decision to forgo improving their product security in favor of going after new revenue streams as a security vendor.
So essentially, Microsoft – arguably the most prolific and ubiquitous IT products and services providers on the planet, and thus the biggest target for attackers – is looking to cash-in by offering to protect everyone from the vulnerabilities they introduce into the market.
Enlarge the infographic here…
This is akin to a fast food chain deciding not to make their food healthier but instead choosing to invest in fitness centers, or Big Tobacco funding cancer research instead of just ceasing to sell cancer-causing agents. And, after they have successfully conditioned us to accept the fact that their products are perpetually vulnerable with the monthly Patch Tuesday fire drills, they now want organizations to trust that they are the best choice to…