Microsoft aren't stupid. They have learned lessons from the days in the 90s and early 2000s when they were a laughing stock in terms of security, and since then Windows security has improved enormously. OK, so it's not perfect, but what software is? Dirty Cow, Shellshock and Heartbleed for example weren't exactly minor flaws, but the world moved on. What's key is that administrators need to know how to secure their estates. If they've failed to apply the patch, that's their failure, not Microsoft's, but patching was not the only way to have curtailed this weekend's outbreak.

Admins may have had their reasons for not patching - maybe to do so would have invalidated some kind of certification on an embedded system for example - but there should have been other controls in place to limit the spread of this outbreak or others like it.

Something that's puzzled me about events this weekend is that hardly anyone is mentioning firewalling. Servers generally need ports 135-139/445 to be accessible in order to act as, well, servers - but workstations don't. Why aren't people - even cash-starved organisations like the NHS - using the Windows firewall to protect at least their workstations on an ongoing basis? How did this infection spread between organisations without being stopped by a border firewall at any point? Was nothing learned from the Blaster days? (I don't have the answer.)

Although the malware was probably injected into multiple organisations in numerous countries via multiple phishing attacks, the spread as reported seemed too fast between organisations and countries for it to have been driven by phishing attacks alone, and I haven't seen any reports showing people how to spot the phishing attempts. So I'm guessing a lot of the propagation even between orgs was by MS17-010.

It would be interesting to find out if anyone saw unusual spikes in SMB traffic over the weekend? Or if there are insights into any of the semi-rhetorical questions I posed above?

Cheers,
Jon
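The workstation firewall control Jon is asking about, as an added example that is not part of the original post: a PowerShell script using the built-in NetSecurity cmdlets (Windows 8 / Server 2012 and later) to turn the Windows Firewall on for every profile with inbound deny-by-default, disable the built-in "File and Printer Sharing" and "Network Discovery" allow groups, add explicit block rules for 135-139/445, optionally keep TCP 445 reachable from a single management subnet, and then audit which enabled inbound allow rules still cover those ports. The 10.0.50.0/24 subnet and the WS-* rule names are placeholders chosen for this example, not values from the post.

```powershell
# Added example (not from the original post): close inbound SMB/NetBIOS on a
# workstation with the built-in Windows Firewall, then audit what is still open.
# Requires the NetSecurity module and an elevated session. The management
# subnet and the WS-* rule names below are placeholders.
#Requires -RunAsAdministrator

# Ports a workstation does not need to expose: RPC endpoint mapper (135),
# NetBIOS name/datagram services (UDP 137-138), NetBIOS session (139), SMB (445).
$WormFacingTcp = @(135, 139, 445)
$WormFacingUdp = @(137, 138)

function Test-PortOverlap {
    # True if any LocalPort entry of a rule covers one of the watched ports.
    # Windows expresses some ports symbolically: 'Any' and 'RPC-EPMap' (= 135).
    param([string[]] $LocalPort, [int[]] $Watch)
    foreach ($p in $LocalPort) {
        if ($p -in 'Any', 'RPC-EPMap') { return $true }
        if ($p -match '^(\d+)-(\d+)$') {
            $lo = [int]$Matches[1]; $hi = [int]$Matches[2]
            if ($Watch | Where-Object { $_ -ge $lo -and $_ -le $hi }) { return $true }
        } elseif ($p -match '^\d+$' -and $Watch -contains [int]$p) {
            return $true
        }
    }
    return $false
}

function Set-WorkstationSmbLockdown {
    param(
        # Optional CIDR of hosts (e.g. a patch/management subnet) still allowed
        # to reach TCP 445. Placeholder; leave empty to block 445 from everyone.
        [string] $AllowFrom = ''
    )

    # 1. Firewall on for every profile, inbound deny-by-default. This is the
    #    control that contains MS17-010-style lateral movement even on hosts
    #    that cannot be patched.
    Set-NetFirewallProfile -Profile Domain, Private, Public `
        -Enabled True -DefaultInboundAction Block

    # 2. Switch off the built-in allow groups that open 135-139/445 whenever an
    #    admin ticks "File and Printer Sharing". (Group names are localised on
    #    non-English Windows, hence the -ErrorAction.)
    Disable-NetFirewallRule -DisplayGroup 'File and Printer Sharing' -ErrorAction SilentlyContinue
    Disable-NetFirewallRule -DisplayGroup 'Network Discovery'        -ErrorAction SilentlyContinue

    # 3. Explicit block rules as belt and braces: in Windows Firewall a block
    #    rule beats any allow rule, so a later "helpful" allow cannot reopen
    #    these ports. Remove our own rules first so the script is re-runnable.
    foreach ($n in 'WS-Block-NetBIOS-UDP', 'WS-Block-SMB-TCP', 'WS-Allow-SMB-Mgmt') {
        Get-NetFirewallRule -Name $n -ErrorAction SilentlyContinue | Remove-NetFirewallRule
    }
    New-NetFirewallRule -Name 'WS-Block-NetBIOS-UDP' `
        -DisplayName 'Workstation: block inbound NetBIOS (UDP 137-138)' `
        -Direction Inbound -Action Block -Protocol UDP -LocalPort $WormFacingUdp -Profile Any | Out-Null

    # A block rule cannot be scoped to "everyone except X", so when a management
    # subnet must keep SMB access we leave 445 to the deny-by-default profile
    # plus one scoped allow, and hard-block only 135 and 139.
    $tcpToBlock = if ($AllowFrom) { @(135, 139) } else { $WormFacingTcp }
    New-NetFirewallRule -Name 'WS-Block-SMB-TCP' `
        -DisplayName "Workstation: block inbound TCP $($tcpToBlock -join ',')" `
        -Direction Inbound -Action Block -Protocol TCP -LocalPort $tcpToBlock -Profile Any | Out-Null
    if ($AllowFrom) {
        New-NetFirewallRule -Name 'WS-Allow-SMB-Mgmt' `
            -DisplayName "Workstation: allow SMB (TCP 445) from $AllowFrom only" `
            -Direction Inbound -Action Allow -Protocol TCP -LocalPort 445 `
            -RemoteAddress $AllowFrom -Profile Domain, Private | Out-Null
    }
}

function Get-WorkstationSmbExposure {
    # Every enabled inbound ALLOW rule whose local ports overlap the worm-facing
    # set: this is the list that should be empty, or contain only scoped rules.
    $watch = $WormFacingTcp + $WormFacingUdp
    Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True | ForEach-Object {
        $rule = $_
        $pf   = $rule | Get-NetFirewallPortFilter
        if (Test-PortOverlap -LocalPort $pf.LocalPort -Watch $watch) {
            [pscustomobject]@{
                Name          = $rule.Name
                DisplayName   = $rule.DisplayName
                Profile       = $rule.Profile
                Protocol      = $pf.Protocol
                LocalPort     = ($pf.LocalPort -join ',')
                RemoteAddress = (($rule | Get-NetFirewallAddressFilter).RemoteAddress -join ',')
            }
        }
    }
}

# Usage (changes the live firewall configuration of this host):
Set-WorkstationSmbLockdown -AllowFrom '10.0.50.0/24'   # placeholder subnet; omit to block 445 outright
Get-WorkstationSmbExposure | Format-Table -AutoSize
```

Per-host scripting is for illustration; across an estate the same profile settings and rules are pushed through Group Policy (Windows Firewall with Advanced Security), and the audit function is the check to run on a sample of workstations afterwards so that a rule someone re-enabled locally shows up. Blocking the same port set at the border firewall is the counterpart control for the inter-organisation spread the post asks about; the host rules above only stop movement inside the network.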