Microsoft pinky swears that THIS TIME they’ll make security a priority
On June 20, I'm live onstage in LOS ANGELES for a recording of the GO FACT YOURSELF podcast. On June 21, I'm doing an ONLINE READING for the LOCUS AWARDS at 16h PT. On June 22, I'll be in OAKLAND, CA for a panel and a keynote at the LOCUS AWARDS.
As the old saying goes, "When someone tells you who they are and you get fooled again, shame on you." That goes double for Microsoft, especially when it comes to security promises.
Microsoft is, was, always has been, and always will be a rotten company. At every turn, throughout their history, they have learned the wrong lessons, over and over again.
That starts from the very earliest days, when the company was still called "Micro-Soft." Young Bill Gates was given a sweetheart deal to supply the operating system for IBM's PC, thanks to his mother's connection. The nepo-baby enlisted his pal, Paul Allen (whom he'd later rip off for billions) and together, they bought someone else's OS (and took credit for creating it – AKA, the "Musk gambit").
Microsoft then proceeded to make a fortune by monopolizing the OS market through illegal, collusive arrangements with the PC clone industry – an industry that only existed because they could source third-party PC ROMs from Phoenix:
Bill Gates didn't become one of the richest people on earth simply by emerging from a lucky orifice; he also owed his success to vigorous antitrust enforcement. The IBM PC was the company's first major initiative after it was targeted by the DOJ for a 12-year antitrust enforcement action. IBM tapped its vast monopoly profits to fight the DOJ, spending more on outside counsel to fight the DOJ antitrust division than the DOJ spent on all its antitrust lawyers, every year, for 12 years.
IBM's delaying tactic paid off. When Reagan took the White House, he let IBM off the hook. But the company was still seriously scarred by its ordeal, and when the PC project kicked off, the company kept the OS separate from the hardware (one of the DOJ's major issues with IBM's previous behavior was its vertical monopoly on hardware and software). IBM didn't hire Gates and Allen to provide it with DOS because it was incapable of writing a PC operating system: they did it to keep the DOJ from kicking down their door again.
The post-antitrust, gunshy IBM kept delivering dividends for Microsoft. When IBM turned a blind eye to the cloned PC-ROM and allowed companies like Compaq, Dell and Gateway to compete directly with Big Blue, this produced a whole cohort of customers for Microsoft – customers Microsoft could play off on each other, ensuring that every PC sold generated income for Microsoft, creating a wide moat around the OS business that kept other OS vendors out of the market. Why invest in making an OS when every hardware company already had an exclusive arrangement with Microsoft?
The IBM PC story teaches us two things: stronger antitrust enforcement spurs innovation and opens markets for scrappy startups to grow to big, important firms; as do weaker IP protections.
Microsoft learned the opposite: monopolies are wildly profitable; expansive IP protects monopolies; you can violate antitrust laws so long as you have enough monopoly profits rolling in to outspend the government until a Republican bootlicker takes the White House (Microsoft's antitrust ordeal ended after GW Bush stole the 2000 election and dropped the charges against them). Microsoft embodies the idea that you either die a rebel hero or live long enough to become the evil emperor you dethroned.
From the first, Microsoft has pursued three goals:
Get too big to fail;
Get too big to jail;
Get too big to care.
It has succeeded on all three counts. Much of Microsoft's enduring power comes from succeeding IBM as the company that mediocre IT managers can safely buy from without being blamed for the poor quality of Microsoft's products: "Nobody ever got fired for buying Microsoft" is 2024's answer to "Nobody ever got fired for buying IBM."
Microsoft's secret sauce is impunity. The PC companies that bundle Windows with their hardware are held blameless for the glaring defects in Windows. The IT managers who buy company-wide Windows licenses are likewise insulated from the rage of the workers who have to use Windows and other Microsoft products.
Microsoft doesn't have to care if you hate it because, for the most part, it's not selling to you. It's selling to a few decision-makers who can be wined and dined and flattered. And since we all have to use its products, developers have to target its platform if they want to sell us their software.
This rarified position has afforded Microsoft enormous freedom to roll out harebrained "features" that made things briefly attractive for some group of developers it was hoping to tempt into its sticky-trap. Remember when it put a Turing-complete scripting environment into Microsoft Office and unleashed a plague of macro viruses that wiped out years worth of work for entire businesses?
It wasn't just Office; Microsoft's operating systems have harbored festering swamps of godawful defects that were weaponized by trolls, script kiddies, and nation-states:
https://en.wikipedia.org/wiki/EternalBlue
Microsoft blamed everyone except themselves for these defects, claiming that their poor code quality was no worse than others, insisting that the bulging arsenal of Windows-specific malware was the result of being the juiciest target and thus the subject of the most malicious attention.
Even if you take them at their word here, that's still no excuse. Microsoft didn't slip and accidentally become an operating system monopolist. They relentlessly, deliberately, illegally pursued the goal of extinguishing every OS except their own. It's completely foreseeable that this dominance would make their products the subject of continuous attacks.
There's an implicit bargain that every monopolist makes: allow me to dominate my market and I will be a benevolent dictator who spends his windfall profits on maintaining product quality and security. Indeed, if we permit "wasteful competition" to erode the margins of operating system vendors, who will have a surplus sufficient to meet the security investment demands of the digital world?
But monopolists always violate this bargain. When faced with the decision to either invest in quality and security, or hand billions of dollars to their shareholders, they'll always take the latter. Why wouldn't they? Once they have a monopoly, they don't have to worry about losing customers to a competitor, so why invest in customer satisfaction? That's how Google can piss away $80b on a stock buyback and fire 12,000 technical employees at the same time as its flagship search product (with a 90% market-share) is turning into an unusable pile of shit:
Microsoft reneged on this bargain from day one, and they never stopped. When the company moved Office to the cloud, it added an "analytics" suite that lets bosses spy on and stack-rank their employees ("Sorry, fella, Office365 says you're the slowest typist in the company, so you're fired"). Microsoft will also sell you internal data on the Office365 usage of your industry competitors (they'll sell your data to your competitors, too, natch). But most of all, Microsoft harvests, analyzes and sells this data for its own purposes:
Leave aside how creepy, gross and exploitative this is – it's also incredibly reckless. Microsoft is creating a two-way conduit into the majority of the world's businesses that insider threats, security services and hackers can exploit to spy on and wreck Microsoft's customers' business. You don't get more "too big to care" than this.
Or at least, not until now. Microsoft recently announced a product called "Recall" that would record every keystroke, click and screen element, nominally in the name of helping you figure out what you've done and either do it again, or go back and fix it. The problem here is that anyone who gains access to your system – your boss, a spy, a cop, a Microsoft insider, a stalker, an abusive partner or a hacker – now has access to everything, on a platter. Naturally, this system – which Microsoft billed as ultra-secure – was wildly insecure and after a series of blockbuster exploits, the company was forced to hit pause on the rollout:
For years, Microsoft waged a war on the single most important security practice in software development: transparency. This is the company that branded the GPL Free Software license a "virus" and called open source "a cancer." The company argued that allowing public scrutiny of code would be a disaster because bad guys would spot and weaponize defects.
This is "security through obscurity" and it's an idea that was discredited nearly 500 years ago with the advent of the scientific method. The crux of that method: we are so good at bullshitting ourselves into thinking that our experiment was successful that the only way to make sure we know anything is to tell our enemies what we think we've proved so they can try to tear us down.
Or, as Bruce Schneier puts it: "Anyone can design a security system that you yourself can't think of a way of breaking. That doesn't mean it works, it just means that it works against people stupider than you."
And yet, Microsoft – which has made more widely and consequentially exploited software than anyone else in the history of the human race – claimed that free and open code was insecure, and spent millions on deceptive PR campaigns intended to discredit the scientific method in favor of a kind of software alchemy, in which every coder toils in secret, assuring themselves that drinking mercury is the secret to eternal life.
Access to source code isn't sufficient to make software secure – nothing about access to code guarantees that anyone will review that code and repair its defects. Indeed, there've been some high profile examples of "supply chain attacks" in the free/open source software world:
But there's no good argument that this code would have been more secure if it had been harder for the good guys to spot its bugs. When it comes to secure code, transparency is necessary, but it is not sufficient.
The architects of that campaign are genuinely awful people, and yet they're revered as heroes by Microsoft's current leadership. There's Steve "Linux Is Cancer" Ballmer, star of Propublica's IRS Files, where he is shown to be the king of "tax loss harvesting":
Microsoft may give lip service to open source these days (mostly through buying, stripmining and enclosing Github) but Ballmer's legacy lives on within the company, through its wildly illegal tax-evasion tactics:
But Ballmer is an angel compared to his boss, Bill Gates, last seen some paragraphs above, stealing the credit for MS DOS from Tim Paterson and billions of dollars from his co-founder Paul Allen. Gates is an odious creep who made billions through corrupt tech industry practices, then used them to wield influence over the world's politics and policy. The Gates Foundation (and Gates personally) invented vaccine apartheid, helped kill access to AIDS vaccines in Sub-Saharan Africa, then repeated the trick to keep covid vaccines out of reach of the Global South:
The Gates Foundation wants us to think of it as malaria-fighting heroes, but they're also the leaders of the war against public education, and have been key to the replacement of public schools with charter schools, where the poorest kids in America serve as experimental subjects for the failed pet theories of billionaire dilettantes:
The management culture of Microsoft started rotten and never improved. It's a company with corruption and monopoly in its blood, a firm that would always rather build market power to insulate itself from the consequences of making defective products than actually make good products. This is true of every division, from cloud computing:
No one should ever trust Microsoft to do anything that benefits anyone except Microsoft. One of the low points in the otherwise wonderful surge of tech worker labor organizing was when the Communications Workers of America endorsed Microsoft's acquisition of Activision because Microsoft promised not to union-bust Activision employees. They lied:
Why wouldn't they lie? They've never faced any consequences for lying in the past. Remember: the secret to Microsoft's billions is impunity.
Which brings me to Solarwinds. Solarwinds is an enterprise management tool that allows IT managers to see, patch and control the computers they oversee. Foreign spies hacked Solarwinds and accessed a variety of US federal agencies, including the National Nuclear Security Administration (which oversees nuclear weapons stockpiles), the NIH, and the Treasury Department.
When the Solarwinds story broke, Microsoft strenuously denied that the Solarwinds hack relied on exploiting defects in Microsoft software. They said this to everyone: the press, the Pentagon, and Congress.
This was a lie. As Renee Dudley and Doris Burke reported for Propublica, the Solarwinds attack relied on defects in the SAML authentication system that Microsoft's own senior security staff had identified and repeatedly warned management about. Microsoft's leadership ignored these warnings, buried the research, prohibited anyone from warning Microsoft customers, and sidelined Andrew Harris, the researcher who discovered the defect:
The single most consequential cyberattack on the US government was only possible because Microsoft decided not to fix a profound and dangerous bug in its code, and declined to warn anyone who relied on this defective software.
Yesterday, Microsoft president Brad Smith testified about this to Congress, and promised that the company would henceforth prioritize security over gimmicks like AI:
Despite all the reasons to mistrust this promise, the company is hoping Congress will believe it. More importantly, it's hoping that the Pentagon will believe it, because the Pentagon is about to award billions in free no-bid military contract profits to Microsoft:
You know what? I bet they'll sell this lie. It won't be the first time they've convinced Serious People in charge of billions of dollars and/or lives to ignore that all-important maxim, "When someone tells you who they are and you get fooled again, shame on you."
If you'd like an essay-formatted version of this post to read or share, here's a link to it on pluralistic.net, my surveillance-free, ad-free, tracker-free blog:
There has been a definite shift in what I report upon since starting this series in September. Some of that is due to my own experience level in doing the research; I have a better grasp on the ebb and flow of digital patterns now. When I started this job, I figured I would be reporting on the different types and families of malware more often, giving out warnings for what’s out there lurking in the dark corners of the internet for the unwary. But that’s not really what I do at all. Mostly, I report on vulnerabilities, and the exploitation thereof. And boy are there a lot of them these days.
Patch Tuesday has become a marker in my schedule for expecting to hear news that ranges from the ridiculous (how are we still seeing elevated privilege oversights?) to the terrifying (patching remote access in kernel spaces) to the exasperating (DNS outages that were repaired by reverting to a previous version). Microsoft products have become so pervasive and widely used that practically every corporation, small business, educational facility, hospital, airline, and personal computer is subject to this day. Indeed, my own computer restarted itself after updating this morning. What was once a time to prepare for rebooting all the systems in a network has turned into a ‘what will go wrong now?’ scenario. And there are so many little things being updated, upgraded or fixed that it’s nearly impossible to keep up with them all, especially in a short form report like mine. What takes priority? Which one do I think I’ll be seeing later this week as having been exploited?
Two years ago – when Patch Tuesday unofficially turned 20 years old – CrowdStrike published an article on the changes and exponential growth leading to the need for this day. The article included a graph of the number of vulnerabilities patched by year, dating back to 1999. That graph is a steady upward curve, peaking in 2020 with roughly 1300 patches and fixes. And while the following years were considerably lower than that, never once has the need for patching dropped back to levels predating 2013, the tech boom year in which Microsoft released both Windows 8.1 and the Xbox One, with many other tech companies releasing new versions of products, or entirely new ones. In the years since the article was written, not much has changed save one aspect.
The move to more remote work has increased both the demand for secure software able to deliver the tools necessary for it and the vectors by which it can be attacked. If the internet is a highway, then vulnerabilities are the cracks and potholes. Anyone who’s ever driven down an interstate can tell you that the work to repair the road surface is never ending. The running joke where I live is that there are two seasons: winter and construction. And the more traffic there is, the faster that surface degrades from constant use. The analogy isn’t quite 1:1 in digital space, but it’s comparable. Greater web traffic means that the vulnerabilities that exist are more likely to become problematic simply because of the sheer volume and variations of use. Keeping up with that is Sisyphean in scope, a repetitive task carried on infinitely.
But the real issue is versions of products and software being released with those vulnerabilities unaccounted for in the first place. CrowdStrike’s article talked about how the onus has been put on the consumer to be aware of risks rather than on the vendor to release a product without flaws. Some of this is a volume issue again, this time stemming from the wide variety of technology, software, applications, cloud offerings and more that is the hallmark of industry growth and innovation. Microsoft as an entity is inescapable, even in other operating systems. Those ‘risks’ are deemed acceptable because there isn’t really an alternative. (There’s a term for that...)
Today is ‘Exploit Wednesday’, the informal designation for what follows all the patches publicly released the previous day. The rest of my week will be waiting to see what happens, hence the somewhat less technical nature of today’s report. Yesterday’s patches included 3 zero-day fixes and 57 flaws, which is down from November and October. A good way to end the year, one might say.
The rest of my personal schedule may be chaotic and I often lose track of what day of the week it is (for instance I almost took my garbage to the curb last night even though pickup is tomorrow), but some things remain constant. Yesterday was Patch Tuesday for Microsoft – among others – and that means I have a quick rundown of updates and fixes to report on today.
Bleeping Computer, from whom I’ve gotten this catalog of changes, points out that this list only includes the releases from this day. Out-of-band patches to Mariner, Azure, Copilot, Microsoft Teams, and Microsoft Partner Center, and the 131 Microsoft Edge/Chromium flaws that were fixed by Google earlier this month, are not counted. What is counted are the 120 other vulnerabilities and bugs, 17 of which are considered critical: 61 Elevation of Privilege Vulnerabilities, 6 Security Feature Bypass Vulnerabilities, 31 Remote Code Execution Vulnerabilities, 14 Information Disclosure Vulnerabilities, 8 Denial of Service Vulnerabilities and 13 Spoofing Vulnerabilities. No zero-days were reported this time, although there are some vulnerabilities that are noteworthy and should be addressed by security admins.
Microsoft Office, Word and Excel have all received patches and should be updated as soon as possible to prevent remote code execution. Others that Bleeping Computer listed are: CVE-2026-35421, Windows GDI Remote Code Execution Vulnerability, which can be exploited by opening a malicious Enhanced Metafile (EMF) file in Microsoft Paint; CVE-2026-40365, Microsoft SharePoint Server Remote Code Execution Vulnerability, in which an authenticated attacker can perform a network-based attack that remotely executes code on a SharePoint server; and CVE-2026-41096, Windows DNS Client Remote Code Execution Vulnerability, in which an attacker-controlled DNS server could send a specially crafted DNS response to a vulnerable Windows system, causing the DNS Client to process the response incorrectly and corrupt memory, which would allow the attacker to run code on the vulnerable system remotely. The complete list of updates is contained in the article.
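The question of what to patch first comes up every month, so here is one way to put the post's categories to work: a small triage script that orders a month's fixes by the signals a defender actually cares about (already exploited, publicly disclosed, critical, remotely reachable without credentials or a click). This is an added example, not code from the post or from Bleeping Computer. The three real CVE ids and their one-line descriptions are the ones quoted above; the severity, authentication and user-interaction fields attached to them, the two placeholder entries, and the scoring weights themselves are assumptions made here for illustration.

```python
"""Patch Tuesday triage: rank a month's fixes into a rollout order.

Added example, not the post's own code. Weights are an assumption, not a
standard; tune them to your own environment.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass
class Fix:
    cve: str
    title: str
    category: str                  # EoP, SFB, RCE, ID, DoS or Spoofing (the post's six classes)
    severity: str                  # "critical" or "important"
    exploited: bool = False        # actively exploited in the wild (a zero-day)
    disclosed: bool = False        # details public before the patch shipped
    auth_required: bool = True     # attacker needs valid credentials first
    user_interaction: bool = True  # victim must open a file, click a link, etc.


def score(fix: Fix) -> int:
    """Higher score means patch sooner. Weights are an assumption made here."""
    s = 0
    if fix.exploited:
        s += 100   # someone is already being hit with this
    if fix.disclosed:
        s += 40    # write-up is public, so Exploit Wednesday is likely real
    if fix.severity == "critical":
        s += 30
    if fix.category == "RCE":
        s += 20    # code execution beats information disclosure or DoS
    if not fix.auth_required:
        s += 15    # reachable by anyone who can talk to the host
    if not fix.user_interaction:
        s += 10    # no phishing lure needed
    return s


def triage(fixes: list[Fix]) -> list[Fix]:
    """Return the fixes ordered from most to least urgent."""
    return sorted(fixes, key=score, reverse=True)


def category_counts(fixes: list[Fix]) -> Counter:
    """Breakdown by vulnerability class, like the tallies quoted in the post."""
    return Counter(f.category for f in fixes)


# Constructed sample input. The three 2026 CVE ids and descriptions are the
# ones named in the post; every other field is an assumption. The two
# CVE-0000-* entries are placeholders, not real identifiers.
SAMPLE_FIXES = [
    Fix("CVE-2026-35421", "Windows GDI RCE via malicious EMF opened in Paint",
        "RCE", "important", auth_required=False, user_interaction=True),
    Fix("CVE-2026-40365", "SharePoint Server RCE by an authenticated attacker",
        "RCE", "critical", auth_required=True, user_interaction=False),
    Fix("CVE-2026-41096", "Windows DNS Client RCE via crafted DNS response",
        "RCE", "critical", auth_required=False, user_interaction=False),
    Fix("CVE-0000-00001", "Placeholder local elevation of privilege",
        "EoP", "important"),
    Fix("CVE-0000-00002", "Placeholder EoP already exploited in the wild",
        "EoP", "important", exploited=True),
]


if __name__ == "__main__":
    print("Rollout order:")
    for f in triage(SAMPLE_FIXES):
        print(f"  {score(f):3d}  {f.cve}  {f.title}")
    print("By class:", dict(category_counts(SAMPLE_FIXES)))
```

Note that the exploited placeholder outranks every critical RCE even though its own severity is only "important": an in-the-wild exploit is the one signal that should override everything else on the list, which is why the post watches for zero-days first.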
Other updates today: Adobe released security updates for After Effects, Premiere Pro, Media Encoder, Commerce, Illustrator, and more. AMD disclosed an elevation-of-privilege vulnerability in the CPU operation (op/µop) cache on Zen 2-based processors. Apple released security updates for macOS, iOS, watchOS, iPadOS, visionOS, and tvOS. Cisco released security updates for numerous products, including a DoS flaw that requires manual rebooting of affected systems for recovery. Fortinet released security updates for two critical flaws in FortiSandbox and FortiAuthenticator. Google released Android's May security bulletin, which fixes 10 vulnerabilities. Ivanti released security updates for a high-severity Endpoint Manager Mobile (EPMM) remote code execution vulnerability, which was exploited in zero-day attacks. Mozilla released security updates for five Firefox vulnerabilities. Palo Alto Networks warned of a critical PAN-OS User-ID Authentication Portal flaw that was exploited in attacks as a zero-day; patches have still not been released, but mitigations are available. SAP released the May security updates, which include fixes for one high-severity and two critical flaws. vm2 released security updates for a critical vulnerability in the popular Node.js sandboxing library.
I’ll see you tomorrow with my regularly scheduled bite sized breakdown of pertinent and/or interesting news.
Always On VPN IKEv2 Security Vulnerability April 2026
Microsoft published its Security Updates for April 2026 today, and the good news is that there are no Windows Server Routing and Remote Access (RRAS) vulnerabilities this month. However, they disclosed a critical remote code execution (RCE) vulnerability that impacts deployments using Internet Key Exchange version 2 (IKEv2).
IKE Service Extensions RCE
CVE-2026-33824 addresses a security…
Yesterday’s patches from Microsoft covered 58 flaws, including 6 actively exploited zero-day vulnerabilities, three of which had been previously disclosed to the public. This is in addition to three Microsoft Edge flaws fixed earlier this month. This patch day also began the rollout of the refreshed Secure Boot certificates for Windows 11 users, a coordinated security update to ensure that only verified and trusted bootloaders run during startup. This is to prevent any malicious software present on the machine from executing during system startup (which is how many forms of malware maintain persistence).
Among the vulnerabilities covered by this month’s patches are 25 Elevation of Privilege vulnerabilities, 5 Security Feature Bypass vulnerabilities, 12 Remote Code Execution vulnerabilities, 6 Information Disclosure vulnerabilities, 3 Denial of Service vulnerabilities and 7 Spoofing vulnerabilities. Bleeping Computer has detailed these patches in their article.
Other updates covered in the article include:
Adobe’s security updates for Audition, After Effects, InDesign, Substance 3D, Adobe Lightroom Classic, and other software. None of the flaws are exploited. BeyondTrust’s security updates for a critical RCE flaw in its Remote Support (RS) and Privileged Remote Access (PRA) software. CISA issued a new binding operational directive requiring federal agencies to remove network edge devices that have reached the end of support. Cisco released security updates for Secure Web Appliance, Cisco Meeting Management, and more. Fortinet released security updates for FortiOS and FortiSandbox. n8n fixed critical vulnerabilities that act as a patch bypass for the previously fixed CVE-2025-68613 RCE flaw. And SAP released the February security updates for multiple products, including fixes for two critical vulnerabilities.
For those of us who keep track of what our devices are doing, there has also been a rollout of Sysmon functionality for Windows 11 users enrolled in the Windows Insider program. For those who don’t know what it is, Sysmon (System Monitor) is the built-in logging program, similar to the types of programs used for analysis like Elastic’s Kibana.
This month’s patches, while still numerous, are fewer than January’s by almost half. That said, new vulnerabilities seem to crop up every day as both the Internet of Things and the way we interact with it get bigger. The most critical fixes are in Azure, while others rated as ‘important’ cover a range of apps from GitHub Copilot to the Office Suite to kernel elevation-of-privilege flaws. The full report list is available here. As always, I’ll be keeping my eye on any developments regarding exploitation of these flaws in the coming days.
Yesterday was the first Patch Tuesday of the year. Today, Windows users will find that their computers have restarted overnight and most will not even notice any changes...one hopes. Today is informally known as Exploit Wednesday, after all. So let’s recap the updates to security and fixes for known issues, shall we?
This patch addresses 114 flaws, including one actively exploited and two publicly disclosed zero-day vulnerabilities, as well as eight "Critical" vulnerabilities, 6 of which are remote code execution flaws and 2 of which are elevation-of-privilege flaws (source: Bleeping Computer). The breakdown is 57 Elevation of Privilege vulnerabilities, 3 Security Feature Bypass vulnerabilities, 22 Remote Code Execution vulnerabilities, 22 Information Disclosure vulnerabilities, 2 Denial of Service vulnerabilities and 5 Spoofing vulnerabilities.
The actively exploited zero-day is an information disclosure flaw in the Desktop Window Manager (CVE-2026-20805), which allows an authorized attacker to disclose information locally. Successful leveraging of the vulnerability lets attackers read memory addresses associated with the remote ALPC port. While the flaw has been reported by Microsoft Threat Intelligence Center (MSTIC) and Microsoft Security Response Center (MSRC), details of the exploitation in the wild have not been released to the public.
The other two zero-day vulnerabilities are the Secure Boot expiration bypass (CVE-2026-21265), which is also covered in a Bleeping Computer report, and the Windows Agere Soft Modem Driver Elevation of Privilege vulnerability (CVE-2023-31096), which Microsoft previously announced they would be removing at a future date.
Microsoft is not the only company to release patches this week. A number of others have followed suit on the monthly update schedule, including Adobe, Cisco, Fortinet, D-Link, Google, n8n, Trend Micro and Veeam, to name a few. The details of each are listed in the first link of this article, as well as a breakdown of the security updates to resolve vulnerabilities across the board. Eight of these patches have a severity rating of critical.
It’s become something of a habit for me to pay close attention to Patch Tuesday, not only because it’s good to know what’s changed, but because there will inevitably be attempts to exploit these now publicly listed vulnerabilities in the coming days. As your friendly neighborhood WISPer, it’s my job to report on those attempts. And every month there seems to be more and more of both fixed bugs and exploits thereof, something I’ve talked about before. But I won’t lie, it would be nice to have the rest of my week be boring. It’s unlikely – threat actors never rest – but it would be nice.