Microsoft is under fire for a mistake that left millions of PCs vulnerable for years, according to a new report.
Microsoft maintains a blocklist of vulnerable drivers that hackers can use to attack Windows. Drivers that have already been proven to have vulnerabilities are tempting targets for hackers since they save the work of creating a vulnerability from scratch. These types of hacks are called BYOV (Bring Your Own Vulnerability) attacks. Microsoft updates Windows with its blocklist, ensuring that Windows isn’t vulnerable to BYOV attacks.
At least, that’s how the system is supposed to work. According to Ars Technica, Microsoft failed to properly update Windows to utilize the updated blocklist. As a result, for nearly two years, Windows didn’t download the new lists, leaving millions of machines vulnerable.
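As an added example (not code from the article, Ars Technica or Microsoft), the following PowerShell check reports whether a machine is actually enforcing the blocklist instead of trusting that Windows Update delivered it; it relies on the VulnerableDriverBlocklistEnable registry value, the Win32_DeviceGuard CIM class and the driversipolicy.p7b policy file that Microsoft documents for this feature, and the file-age heuristic is this example's own assumption. Run it from an elevated PowerShell session.

```powershell
# Added example: summarise whether this Windows host is enforcing the
# Microsoft vulnerable driver blocklist. Read-only; no settings are changed.
function Get-DriverBlocklistStatus {
    # Documented on/off switch for the blocklist (1 = enabled).
    $ciKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config'
    $toggle = (Get-ItemProperty -Path $ciKey -Name 'VulnerableDriverBlocklistEnable' `
               -ErrorAction SilentlyContinue).VulnerableDriverBlocklistEnable

    # Device Guard state: SecurityServicesRunning contains 2 when HVCI
    # (memory integrity) is running, which is one of the features that
    # applies the blocklist; CodeIntegrityPolicyEnforcementStatus 2 = enforced.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
          -ClassName 'Win32_DeviceGuard' -ErrorAction SilentlyContinue
    $hvciRunning = [bool]($dg -and ($dg.SecurityServicesRunning -contains 2))
    $kernelEnforced = [bool]($dg -and ($dg.CodeIntegrityPolicyEnforcementStatus -eq 2))

    # The blocklist policy Windows ships under CodeIntegrity. Its timestamp is
    # a rough freshness signal (assumption of this example): a file that has
    # not changed in many months suggests a stale list, which is the
    # failure the article describes.
    $policyFile = Join-Path $env:SystemRoot 'System32\CodeIntegrity\driversipolicy.p7b'
    $policyInfo = Get-Item -Path $policyFile -ErrorAction SilentlyContinue
    $ageDays = if ($policyInfo) { [int]((Get-Date) - $policyInfo.LastWriteTime).TotalDays } else { $null }

    [pscustomobject]@{
        BlocklistToggle       = if ($null -eq $toggle) { 'not set' } elseif ($toggle -eq 1) { 'enabled' } else { 'disabled' }
        HvciRunning           = $hvciRunning
        KernelPolicyEnforced  = $kernelEnforced
        PolicyFileLastWritten = if ($policyInfo) { $policyInfo.LastWriteTime } else { 'missing' }
        PolicyFileAgeDays     = $ageDays
        # Flag hosts where nothing indicates the blocklist is actually active.
        LikelyUnprotected     = (-not $hvciRunning) -and ($toggle -ne 1)
    }
}

Get-DriverBlocklistStatus | Format-List
```

Compare PolicyFileLastWritten against the date of the most recent blocklist Microsoft publishes; a file months older than that is the "never updated" condition the report describes, regardless of what the toggle says.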
To make matters worse, not only are BYOV attacks on the rise, but Microsoft even discouraged customers from using alternative security measures, assuring them Windows Update would protect them from these issues.
“Security vendors are going to tell you [that you] need to buy their stuff, but Windows has everything you need to block it,” David Weston, Microsoft Senior VP of Enterprise and OS Security, tweeted in late 2020.
Given Microsoft’s status as the leading operating system vendor, not to mention the second-largest cloud vendor, this is an embarrassing and inexcusable lapse, one the company will be dealing with for some time.