Date: 2023-07-13

Matthew Green, cryptography professor at Johns Hopkins University, has called Windows “the malware compatibility layer for everything.”

In a series of tweets, Green referenced tweets by Paul Rascagnères, a threat researcher at Volexity, about Microsoft’s advisory on Tuesday regarding CVE-2023-36884. That security issue concerns HTML remote code execution vulnerabilities in Office and Windows.

Interestingly, rather than describing the extent of the issue in a series of tweets, Rascagnères posted a graph made by Charlie Gardner, another Volexity researcher, that illustrates it.

Credit: Charlie Gardner, Volexity

Green makes the case that “computer security would be about 80% solved if we just deprecated every technology shown in this graphic.”

Green goes on to say that “Windows is the malware compatibility layer for everything” before explaining that Microsoft’s decision to maintain compatibility at all costs is hurting everyone’s security.

“It is simultaneously true that Microsoft can’t remove this legacy tech for valid business reasons, and also that literally no high-value system will ever be secure as long as it sits on top of this stack.”

Green’s assessment is a damning indictment of the state of Microsoft Windows.