Not the story you want to read…

This is not the headline you want to read when you have written Microsoft into your cyber security plan as an A1 trusted supplier of services!

Hackers exploited Windows 0-day for 6 months after Microsoft knew of it | Ars Technica

My expectations of Microsoft, and yours, are that as soon as they know of a vulnerability, they will fix it and issue us with a patch – NO EXCUSES. My cyber security plan and your cyber security plan rely on this. I did not write to Microsoft demanding to know their stance on cyber security when writing our clients’ cyber security policies – I relied on Microsoft’s reputation.

The Lazarus threat actor gang took advantage of Microsoft’s own security servicing criteria and exploited a flaw to install rootkits on vulnerable computers, whilst Microsoft put the issue on its self-defined “to do” list.

Not good enough for a supplier with “trusted status”.

I will put Microsoft’s position here for balance by quoting the first sentence of the servicing criteria page linked above:

Our commitment to protecting customers from vulnerabilities in our software, services, and devices includes providing security updates and guidance that address vulnerabilities when they are reported to Microsoft.

Microsoft

That sentence is what your users depend on.

Clive Catton MSc (Cyber Security) – by-line and other articles