[nxc18]

He asked a PR person, probably one with little security background (how many security people do you know who went into PR?) gave the stock answer which does happen to actually be good security advice: run the latest supported version with patches.

The reporter was just butthurt about not getting a scoop and decided to write an article complaining about PR practices in place of an actual story.

Really like the click bait title though, it's a nice touch. /s

[aao]

It's a rant about PR bullshit, specifically this:

>Windows is the only platform with a customer commitment to investigate reported security issues and proactively update impacted devices as soon as possible,

EDIT and this

>The time has come for Microsoft vulnerability disclosure communications to mute the marketers and let the security engineers do the talking instead.

I found it funny to be honest

[mjw1007]

In this case it seems to have been fully-fledged lying, not just bullshit: Microsoft (told the researcher they) delayed releasing this patch so they could release a number of SMB-related fixes at once.

They might have good reasons for doing that, but it isn't true to say they "proactively update impacted devices as soon as possible".

[golfer]

Microsoft always seems to prefer going on offense rather than playing defense. They are one of the least self-aware companies I can think of. For example, this absolutely insane "funeral march" for iPhone and Blackberry they held in 2010 to celebrate the launch of Windows Phone 7 [1]. What other company would even consider this?

[1] https://www.engadget.com/2010/09/10/microsoft-celebrates-win...

[PhantomGremlin]

They are one of the least self-aware companies I can think of.

That was Uncle Fester's Microsoft. That behavior was an extension of Ballmer's pugilistic personality.

Today's Microsoft is just as tone-deaf, but in a different respect. For the life of me I can't understand why Nadella thinks that their recent behavior wrt. Win 10 is a good idea. E.g. rebooting user's machines during presentations, having spyware that it's not possible to disable, advertising in the OS, etc.

[baldfat]

I am still shocked that Windows was recoverable from the fiasco of XP security problems. They have gotten exponentially better in security over the years.

[cptskippy]

The NT Kernel is a very secure and resilient design, it was just mucked up over the years with Win32 blurring the lines between the kernel and userland. MinWin was an internal project that started in Windows 7 where the tendrils of things like Win32 were extricated from the kernel. In addition to improving security, this also enabled things like multi-platform support and headless servers.

[PhantomGremlin]

I understand what you're saying "in theory".

But in practice, here's what happened. In 2002 Chairman Bill said:

   An internal Microsoft e-mail tells the software
   giant's employees that security and privacy are
   the most important issues for the company's products.

https://www.cnet.com/news/gates-security-is-top-priority/

And yet, 15 years later, we're discussing yet another 0day. And Win 10's built in spyware is the absolute opposite of "privacy".

I'd rather judge Microsoft on their actual historical record, and not on whether Cutler's initial design for NT was secure and resilient.

[mtgx]

Truth be told, Microsoft has among the worst PR agencies/policies from the tech industry. Very bureaucratic, slow to get something out of them, and you usually end up with just canned answers and most questions dodged. It's hardly even worth the effort to contact Microsoft's PR about something.

Unless you know a higher-up exec, like Mary Jo Foley or Paul Thurrott does, for instance, you're unlikely to get a real answer for a security question. For a journalist, writing what you think happened, and then waiting for Microsoft to react, contact you, and tell you what really happened is likely a much more effective strategy to get something out of Microsoft.