by hatsunearu 699 days ago
> It doesn't read to me as trying to dodge anything.

It absolutely reads like this. They are getting blasted online for shipping kernel mode driver updates without proper QA and release engineering. Which just from face value just seems like some insano style engineering. They are saying "it's not actually a kernel mode value" to deflect blame.

I mean, I really don't understand why they would make this statement otherwise. If they are innocently just trying to say "this is just a channel file", there are other ways to say this, and it really isn't relevant enough to underline and emphasize.

2 comments

Friend does incident response and Windows forensics, and pointed something (in retrospect) rather obvious out yesterday: the instructions for cleaning up simply told people to "delete .SYS files according to this wildcard". No additional context.

That caught his eye, because to him it sounded like madness. Apparently deleting random driver files is a fairly well known way to screw a Windows system up even more than it already was.

This statement from CS must have gone through legal and PR review, so we have to assume every word and statement has been carefully vetted from a cover-your-backside perspective. It is light on information content, but there must be a reason for them to so forcefully telegraph that the files being deployed (and removed) are not themselves drivers.

They said to delete a single specific file. Did what you're saying happen before that or something?

The original instructions were "delete [something]00291-*.sys"

They're getting blasted for causing a massive worldwide outage due to what is clearly inadequate quality control. I don't see why this is any better if it's "pushed a kernel-mode driver update with bugs in it" than if it's "released a product with buggy kernel-mode stuff that can be made to crash by an innocuous-looking data file, and then pushed a data file that made it crash". Same result either way. Same demonstration of inadequate quality control either way.

I think the story they're telling now, which so far as I know is the truth, looks worse for them, because it requires them to have screwed up their QC twice. Once when they made a product that does such bad things, and once when they pushed the data file to millions of PCs without checking what it did.

So I still don't see how "this particular file happens not to be kernel-mode code" makes them look any better, and therefore I don't see why they'd be saying it "to deflect blame". It doesn't deflect blame; they look just as bad either way.

You may understand it that way, but you also have a much deeper knowledge of this than the targeted audience of the RCA.

Make no mistake, this RCA was not published for technical folks. The only reason it’s even published is to make their customers feel more secure. You and I are not their customers; high level management and executives are.