Microsoft ships flaws. A lot of flaws. But I want to talk about just three of them, BlueHammer, RedSun, and UnDefend, because they are seeing exploitation in the wild. Two of the six are in BitLocker and Defender, the encryption and defense layer Microsoft ships as the reason to trust their platform.
To be clear, this past January I said that position is already untenable. Gone. Doesn’t exist. For five months now, Windows has been cooked. It’s no longer sustainable and everyone must migrate off it. What “Nightmare Eclipse” demonstrated in public with three flaws is the thing we were talking about openly. And by openly, I mean publishing proof-of-concept code is constitutionally protected speech in the US.
Aiding-or-enabling, however is not protected, which I’ll get to in a second.
In fact, given the sensationalist naming, I would lay some of this overheated pace of exploit at the feet of politicians driving “War Department” rhetoric and belligerent acts as if the new American identity. A UFC arena replacing the White House, which itself is in fire-ready-aim acts of war? MAGA “bomb them until they agree” foreign policy? Think about the state of the “leadership” of the country when you read “Bone Shattering Drop” statements from a researcher.
Microsoft is in denial, which hurts the public. It has responded with a blog post shaming researchers on coordinated disclosure, with a reminder that its private Digital Crimes Unit brings cases against those who enable criminal activity. Yeah, ok Pinkerton, if you claim to be a law enforcement group maybe enforce it against yourself? The threat to the public doesn’t go one direction here. The person who bottles the pollution, which is basically anyone now, faces the same laws, in principle, as the billionaires who push the pollution to be bottled. Am I right Volkswagen? The company that spews vulnerable code, at scale like a broken sewer pipe, faces what Digital Crimes Unit exactly?
A working exploit is a form of science, downstream evidence that the upstream polluter exists. Microsoft authored defects so widely their entire history has been an example of what not to do unless you’re the son of a powerful lawyer. The whole virus industry was literally created by Microsoft. Katie Moussouris, who used to work for Microsoft, said it plainly: the bugs are Microsoft’s, they wrote the code, and they own the risk to customers.
Every single era-defining mass infection ran on a Microsoft product. Get it? The right-hand column is accountability, investigation, regulation. At each scale of disaster, there are zero non-Microsoft events.
| Year | Outbreak | Microsoft attack surface | Blast radius | Non-Microsoft event at that scale |
|---|---|---|---|---|
| 1986 | Brain | MS-DOS boot sector | First PC virus in the wild | None |
| 1999 | Melissa | Word and Outlook macros | Forced corporate mail shutdowns, $80M cleanup | None |
| 2000 | ILOVEYOU | Windows and Outlook scripting | 45M machines, $5.5B in damage | None |
| 2001 | Code Red | IIS web server | 359,000 hosts in under 14 hours | None |
| 2001 | Nimda | Windows and IIS, five vectors | Most widespread worm on the internet within 22 minutes | None |
| 2003 | SQL Slammer | SQL Server | Saturated global bandwidth in 10 minutes | None |
| 2003 | Blaster | Windows RPC/DCOM | Millions of machines in reboot loops | None |
| 2004 | Sasser | Windows LSASS | Grounded flights, delayed trains, downed hospital systems | None |
| 2008 | Conficker | Windows Server service | 9 to 15M machines, still circulating today | None |
| 2010 | Stuxnet | Windows, four zero-days | Crossed malware into physical industrial sabotage | None |
| 2017 | WannaCry | Windows SMBv1 | 200,000+ machines across 150 countries, UK NHS down | None |
| 2017 | NotPetya | Windows SMB and credential theft | $10B, the costliest cyberattack on record | None |
Look at how AV-TEST cataloged new malware samples by platform in 2022. Windows drew more than five thousand times the volume aimed at macOS. You want a Digital Crimes Unit task list? I’ll give you a clue. It was Microsoft, with Windows, in the enterprise.
| Platform | New malware samples, 2022 | Multiple of macOS |
|---|---|---|
| Windows | 69,504,686 | 5,585x |
| Linux | 1,917,133 | 154x |
| macOS | 12,445 | baseline |
Of the endpoint malware that Surfshark logged from January through August, Windows accounted for 87 percent against 13 percent for macOS, and the July spike traced more than half its detections to PowerShell exploitation of Microsoft SharePoint flaws.
SharePoint. Who in their right mind is using SharePoint? If Microsoft was criminally accountable for flaws, SharePoint would have been regulated out of the market years ago.
Full disclosure, I started this blog in 1995 with the mind that Linux was the obviously better OS, but knowing full well all the money to be made was in mopping up Microsoft breaches. Now back to the aiding-or-enabling theory. Access to exploits is why Israelis leaving military service flock to Microsoft like moths to the sun. It’s a goldmine for the 8200 crews intending to weaponize insider access to flaws. Perhaps more to the point, if you’re still using Microsoft software, ask yourself how do you prove your data is not right now in the hands of the Israeli military? Decades ago we talked about the NSA, but do they even hold a candle anymore? This is why a Wiz (ex-Israeli military, ex-Microsoft) acquisition by Google is so politically relevant.
American infrastructure is increasingly being taken over by Israeli military interests and in some cases, literally ceded to foreign leadership.
Back to the core technical problem, it’s not even hard to find defects in 2026 for Microsoft’s latest security-branded offerings. Last month I openly documented an authentication bypass in Microsoft agent governance toolkit, marketed as a security checkpoint, with the authentication functions disconnected.
They shipped pre-authentication architectural failure in the product being sold to prevent it. Would you buy a car with a seatbelt that isn’t attached? Microsoft as whole is a pollution pattern, such that a proof-of-concept on GitHub of the emitter is not evidence of the emission.
When I asked Microsoft directly about their serious safety failure, a man in a thick Russian accent waved his hands at me, saying it’s just some random Microsoft worker doing it. He didn’t take the report, and then offered me swag with a Microsoft logo as “bounty”.
Microsoft wants us to allow them to exist in two states at once. Importance so high, that disclosing its flaws is never justifiable. Importance so low, that it will not carry a warranty, a liability, or a duty of care for the flaws it ships.
That’s impossible, which a 1920s German Jew would gladly tell you, while the 2020s Israeli Jew probably would never.
Uncertainty in Uncertainty in
Flaw Disclosure Liability/Warranty
│ │
▼ ▼
[ ΔF ] [ ΔL ] ≥ K
| Metric | The High-Criticality Limit (ΔF→0) | The Low-Criticality Limit (ΔL→∞) |
|---|---|---|
| The State | Importance is infinitely high. | Importance is infinitesimally low. |
| The Rule | Disclosing its flaws is never justifiable. | It will not carry a warranty or a duty of care. |
| The Quantum Behavior | Because the systemic risk of disclosure is so massive, knowledge of its flaws must remain hidden (ΔF approaches zero). As a result, the legal or liability framework (ΔL) becomes completely unmeasurable and unbounded. | Because the system carries zero liability or duty of care (ΔL approaches infinity), the existence, tracking, or disclosure of its flaws (ΔF) becomes entirely meaningless. |
Microsoft has its Tel Aviv and Seattle offices of lawyers working around the clock to block/enforce the law towards whatever is best for Microsoft. That’s a given. But who is fighting for the laws holding them accountable for what they ship? The 900 pound gorilla is missing from the story of the son of one of the most powerful lawyers in America avoiding accountability. Kevin Beaumont noted that Microsoft once hired SandboxEscaper after she published zero-day exploit code. Notably, the same conduct the claims say now is criminal was a hiring pitch when convenient for them.
The defect is the focus and Microsoft needs to truly own it, so that others don’t pwn it.
