A New York Times article raises our blood pressure and not because the paper is a mouthpiece for left wing bleeding hearts and fellow travelers.*
The article, "In Ransomware Attack, Where Does Microsoft’s Responsibility Lie?", accepts the standard line that Microsoft is doing its best to solve security problems as they arise. No mention that Microsoft made Windows and Office with those bugs in the first place.
Pushing the PR narrative
Microsoft makes a lot out of their effort to squash security bugs in their products, never mentioning their responsibility for leaving the security door so wide open in the first place.
It’s a long-standing narrative that Microsoft has pushed for over a decade.
Security bugs didn’t start in 2002
The NYT article suggests that “... malicious software first became a serious problem on the internet about 15 years ago” which accepts Microsoft’s version of events.
In 2002, Bill Gates sent an email which authorized the company to start taking security problems seriously. Only then did Microsoft seriously address the countless number of security bugs in their own products. It’s an effort that continues over 15 years later and shows no sign of ending.
Supposedly, new versions of Windows and Office are more secure and that’s used as a sales pitch to sell more software. But the ‘more secure’ software still gets regular patches for security lapses that have been in the products for years.
It took a long time for Microsoft management to take security problems seriously. For a long time ’softies just hoped that viruses, worms and hacks would go away.
A very senior executive blamed Microsoft’s customers for the delay in fixing security problems (would love to find a reference to it). The excuse was that Redmond hadn’t worked to fix security bugs because customers had not complained enough! It ignored Microsoft’s willful deafness to the customer complaints. Microsoft should not have needed a big push from customers to act.
PR Spin instead of action
Publicly, Microsoft did its best to downplay the bugs instead of fixing them. Back when Office Watch started in 1996, Microsoft did little to help customers infected by malicious macros in Office. Microsoft belittled the problem by calling the viruses ‘prank macros’ as if they were a harmless jape. Of course, they knew Office macros were a serious problem, but they would not admit that to customers.
Even today, Microsoft uses euphemisms and tactics to downplay the severity of the security bugs in Windows and Office.
They aren’t security bugs or gaps – it’s always ‘issues’. Security documentation is full of carefully worded stock phrases, sentences and whole paragraphs that are used over and over again.
Take out the Trash Day
Security fixes aren’t released as needed because that’s too damaging to Microsoft. Instead, there’s a poorly documented monthly dump of all bug patches.
The West Wing fans remember a similar political strategy for hiding bad news – Take out the Trash Day. Microsoft copied that idea for ‘Patch Tuesday’.
* It’s a joke. The NYT is rightly regarded as a great journal of record.