Microsoft has come under fire from the likes of the New York Times for not releasing updates for out of support versions of their software, including Windows XP, which is nearly old enough to vote.
Now, in a blog post, Brad Smith, Microsoft President and Chief Legal Officer, has tried to spread the blame beyond the criminals alone: to companies slow to update their software, and to governments that stockpile vulnerabilities, thereby preventing Microsoft from fixing them, and then lose them en masse, which Microsoft equates to the military losing a stash of Tomahawk missiles.
Castigating first companies for not updating their software with the latest patches, Microsoft noted that security was a shared responsibility between vendors releasing updates and customers applying them.
“As cybercriminals become more sophisticated, there is simply no way for customers to protect themselves against threats unless they update their systems. Otherwise, they’re literally fighting the problems of the present with tools from the past. This attack is a powerful reminder that information technology basics like keeping computers current and patched are a high responsibility for everyone, and it’s something every top executive should support,” noted Smith.
Many companies are of course reluctant to deploy patches without extensive testing, something which Microsoft understood, but Smith noted that Microsoft used “robust testing and analytics to enable rapid updates into IT infrastructure.”
Turning to the stockpiling of vulnerabilities by state actors, Smith noted that “repeatedly, exploits in the hands of governments have leaked into the public domain and caused widespread damage,” leading to the bizarre situation of government actions repeatedly leading to criminal attacks.
Calling WannaCrypt a wake-up call, Smith once again renewed his call for a “Digital Geneva Convention”, which would require governments to take into account the risk to civilians from hoarding vulnerabilities and would include a new requirement for governments to report vulnerabilities to vendors rather than stockpile, sell, or exploit them.
Microsoft said they were committed to doing their part, and called on governments to take action themselves to protect their citizens.