Hacker News
by kaoD 4397 days ago
You can't audit BitLocker, its source is not available. That's a huge difference.

Microsoft has special licensing models where the sources for the OS are available. Somebody looks at that, at least comparably to how somebody was expected to detect the bug in OpenSSL, or to review TrueCrypt, and nobody did until recently, because, well, let somebody else care.

So as far as I understand, it is possible to audit Microsoft's crypto code too. I can imagine the audit of crypto code wouldn't find anything. The real problem is:

http://regmedia.co.uk/2014/05/16/0955_peter_gutmann.pdf

"Crypto won't save you either"

"Crypto Summary:

Number of attacks that broke the crypto: 0

Number of attacks that bypassed the crypto: All the rest

- No matter how strong the crypto was, or how large the keys were, the attackers walked around it"