by grub5000 3338 days ago
Not really. According to the article, the sequence of events went:

* Microsoft warned in March of active attacks

* Microsoft schedules patch for April 11th

* McAfee sees attacks on April 6th

* McAfee publicly explains how to use the exploit on April 7th

* April 9th attack-kits are publicly for sale

* April 11th Microsoft releases public patch as scheduled

McAfee fucked up here.


Microsoft was formally notified of the vulnerability in October 2016. Why leave this out of the timeline?

The researcher that found the vulnerability first noticed it in July 2016. Between July and October he had gathered even more information about the vulnerability, presumably in his interest to demonstrate how serious the matter is, as well as a likely attempt to procure as large a bug bounty as possible.

If Microsoft was presented with such a serious vulnerability and didn't address it properly for over half a year, I would say that they are the owners of the lion's share of the responsibility here.

I don't see why. The whole thing seems wrong. Having privacy and keeping secrets seems to only encourage the bad security practices. If instead every vulnerability discovered was immediately shared, our society as a whole, and especially the IT sub culture, would work quite differently. We would value security far more. Right now, it is easier to justify having less focus on security because when someone does find an exploit they'll help you patch it up before it is out of control.

On a very fundamental level, someone engaging in the free exchange of information, and this information being useful to people wanting to know what is or is not secure, cannot be a fuck up.

Microsoft had a security flaw. That's a fuck up.

People used that flaw for immoral actions. That's a double fuck up.

McAfee shared information letting people know about active security threats. That isn't a fuck up.