But, even by those standards, the take offered by Kelly Bissell, vice-president of Microsoft Security, at a forum in Canada on Tuesday, takes some beating.
“We’re not patching our systems. We’re taking the approach, ‘I’ll patch these systems if I can.’ But what you’d better do is patch now, even at the risk of breaking an application," he was quoted as saying by a reporter at ITWorld Canada.
In other words, once Microsoft has issued patches, it takes a hands-off approach to security. It is for the user to patch, else he/she bears the blame for any attacks.
But Microsoft is so eager to take any opportunity to disclaim responsibility for the countless flaws in its products — there are so many every month that the company has set aside a specific day to release them — that Bissell, one guesses, could not prevent himself from (to use a cricket analogy) trying to slip one past the keeper.
Microsoft, which will mark half-a-century in the IT business in a couple of years, possesses one thing in spades: chutzpah. I have referred to this in the past on more than one occasion, most recently when Microsoft put out a post on 1 April, 2020, in which it said: "Microsoft works with healthcare organisations to protect from popular ransomware during COVID-19 crisis: Here’s what to do."
This is basically the equivalent of someone saying they are cleaning up the steps in front of your house after defecating there – and acting as if cleaning it up is some kind of virtuous act.
Bissell was also at pains to paint attacks as succeeding not because of their sophistication, but because patching had not been done.
Now patching may sound simple to the average home user of Windows. But in the enterprise, it is a highly labour-intensive process. Every company has its own range of productivity applications — its software operating environment — and always tests extensively to ensure that nothing breaks due to the latest updates.
Many moons ago, I interviewed one of the better security professionals, ex-NSA hand Dave Aitel. This was his take: "Patching is terribly expensive. You have to test and test to ensure that your applications all work after the patch. And then deploying a patch in a medium-sized firm will cost many hundreds of thousands. How many companies are prepared — or even have — this kind of money to spend on deploying a patch?"
It's possible that Bissell was unaware of this. Or he may have just taken a chance with his comments, hoping that nobody would ask him an awkward question.
Again, as I have pointed out on more than one occasion, Microsoft even ditched its own operating system when it came to mobile phones – in 2020, the company said it planned to release a phone that runs Android. Security was said to be the main reason. There have been one or two iterations of these phones, and then the company stopped making them. This is the ultimate condemnation of Windows, something like a man disowning his own child.
But I'm sure that the old tactic of "nothing to see here" will continue to be used whenever Microsoft executives get the chance. There's a sucker born every minute, as the old saying goes, and Microsoft wouldn't mind all of them ending up as licensed Windows users.
My thanks to senior security researcher Brett Callow of Emsisoft for pointing me to Bissell's remarks.