Microsoft. It's their binary shipped in their system, and their customers are being directed to break their own systems. It's on them to remediate the situation.
But Microsoft are not advising them to remove curl AFAIK; in that case Microsoft should fix every issue ever within Windows, even if it's self-inflicted.
End of the day this, as Daniel says, is scaremongering by others who don't know what they are doing.
The phrase, "if someone told you to jump off a cliff, would you?", and, "Your scientists were so preoccupied with whether or not they could, they didn't stop to think if they should..."
Not really. They aren't the ones directing customers to break their systems. They could ban anti-virus software and get slammed for being anti-competitive I suppose. Or they could try to track down all the vendors who are being stupid and ask them to please stop but that probably won't remediate it. They don't have a lot of moves here nor does the curl project.
Their platform (Windows) is getting a bad reputation due to the problem they neglected to fix (shipping a "vulnerable" curl, informing users when the old curl was getting flagged). They could pass the buck but it's just going to be bad for them later when users think Windows itself has security vulns and breaks itself when the users do what they're told to do by vendors. If they don't want the bad rep, they need to be proactive and work with vendors and better inform customers. If I was the CEO I'd do something about it.