The flaw itself is not particularly dangerous for most users: it can only be used to crash Windows computers with file shares that are exposed to the Internet. But when an exploit was published on Thursday, the vulnerability was initially assigned the highest risk rating by CERT. That rating has since been downgraded, as details of the flaw became more clear.
In any case, Microsoft’s reaction to the exploit announcement included statements that are demonstrably false, and seem to have been motivated by the company’s frantic efforts to get everyone on the planet to switch to Windows 10.
“Windows is the only platform with a customer commitment to investigate reported security issues and proactively update impacted devices as soon as possible.”
This is simply false. The same work is done for Linux and MacOS. The unnamed Microsoft staffer who said this may have borrowed it from this TechNet blog post, without checking its veracity.
“We recommend customers use Windows 10 and the Microsoft Edge browser for the best protection.”
This is totally misleading. Windows 10 is arguably the safest version of Windows yet, but the vulnerability affects all versions of Windows. Worse, the vulnerability is completely unrelated to web browsing.
It looks like Microsoft has issued standing orders to its PR department to push Windows 10 at every opportunity, and not to worry too much about accuracy.
Microsoft is expected to issue an update for the vulnerability on February’s Patch Tuesday.