Microsoft ships flaws. A lot of flaws. But I want to talk about just three of them, BlueHammer, RedSun, and UnDefend, because they are seeing exploitation in the wild. Two of the six are in BitLocker and Defender, the encryption and defense layer Microsoft ships as the reason to trust their platform.
To be clear, just this past January I said that position is already untenable. Gone. Doesn’t exist. For five months now. What “Nightmare Eclipse” demonstrated in public with three flaws is what we already knew.
In fact, given the sensationalist naming, I would lay this at the feet of politicians overheating “War Department” rhetoric and framing belligerent acts as national duty. A UFC arena replacing the White House, a building that is itself engaged in fire-ready-aim acts of war? Think about that when you read “Bone Shattering Drop” statements.
Microsoft is in denial. It has responded with a blog post shaming researchers on coordinated disclosure, with a reminder that its private Digital Crimes Unit brings cases against those who enable criminal activity. Yeah, ok Pinkerton, if you claim to be a law enforcement group maybe enforce it against yourself? The threat to the public doesn’t go one direction here. The person who bottles the pollution, which is basically anyone now, faces the same laws, in principle, as the billionaires who push the pollution to be bottled. Am I right Volkswagen? The company that spews vulnerable code, at scale like a broken sewer pipe, faces what Digital Crimes Unit exactly?
A working exploit is like science, downstream evidence that the upstream pollutant exists. Microsoft has authored defects so widely that its entire history has been an example of what not to do. The whole virus industry was literally created by Microsoft. Katie Moussouris, who used to work for Microsoft, said it plainly: the bugs are Microsoft’s, they wrote the code, and they own the risk to customers.
I have found this kind of failure in their security-branded code by hand, myself, for decades. Last month I even openly documented an authentication bypass in Microsoft’s own agent governance toolkit, marketed as a security checkpoint, with the authentication functions disconnected.
They ship pre-authentication architectural failure in the product being sold to prevent it. That is a pollution pattern: a proof-of-concept on GitHub documents the emitter, it does not create the emission.
Windows wants to exist in two states at once. Importance so high that disclosing its flaws is never justifiable. Importance so low that it will not carry a warranty, a liability, or a duty of care for the flaws it ships.
That’s impossible.
Microsoft has armies of lawyers working around the clock to block the law and enforce the law towards whatever is best for themselves. What about the laws holding them accountable for what they ship? Suddenly the 900-pound gorilla is missing, just like their origin story as the son of one of the most powerful lawyers in America avoiding accountability. Kevin Beaumont noted that Microsoft once hired SandboxEscaper after she published zero-day exploit code. Notably, the same conduct that its claims now say is criminal was a hiring pitch when convenient for them.
The defect is the focus and Microsoft needs to truly own it, so that others don’t pwn it.