In this case the defect is with how Microsoft handles MSI files. It is Microsoft's problem to fix.
Now, I can guarantee you 100%, based on its track record, that a code execution and sandbox vulnerability exists right now in Adobe PDF readers. Should Windows be required to warn users before opening a PDF file that it could be dangerous? What would be different for any other non-trivial software that consumes a non-trivial file format?
No, they should only have to make a public release about their own, known defects. They shouldn't even have to notify users directly, just make it publicly known. Though it would be nice if they kept track of other vendors' defects and alerted users.
In this case the defect is with how Microsoft handles MSI files
Except, of course, that Windows is absolutely correct in validating them as an MSI file. It just happens that it fails to correctly validate a file that is both a valid MSI and a valid JAR. Windows itself is incapable of doing anything dangerous with the (from its perspective) nonsense data appended beyond the validated contents of the file.
This is essentially a TOCTOU bug involving one vendor performing the check (MS) and one vendor performing the use (whoever shipped the JRE), both of which are technically correct in the most narrowly-scoped sense but produce a significant issue when combined.
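Added example, not part of the thread and not any vendor's code: a defensive check for the check/use mismatch described above, flagging a file that starts with the compound-file (MSI container) header and also ends with a ZIP End of Central Directory record that an end-anchored reader such as a JAR loader would accept. The function names and sample bytes are constructed for illustration; the stub header is not a real MSI.

```python
import io
import struct
import zipfile

OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # compound-file header used by MSI
EOCD_SIG = b"PK\x05\x06"   # ZIP End of Central Directory signature
EOCD_LEN = 22              # fixed part of the EOCD record
MAX_COMMENT = 0xFFFF       # EOCD comment is at most 65535 bytes


def find_eocd(data):
    """Offset of a plausible EOCD record in the file tail, else None."""
    floor = max(0, len(data) - EOCD_LEN - MAX_COMMENT)
    pos = data.rfind(EOCD_SIG, floor)
    while pos != -1:
        if pos + EOCD_LEN <= len(data):
            cd_size, cd_off, comment_len = struct.unpack_from("<IIH", data, pos + 12)
            fits = pos + EOCD_LEN + comment_len <= len(data)
            # The central directory must lie before the EOCD record.
            if fits and cd_size + cd_off <= pos:
                return pos
        pos = data.rfind(EOCD_SIG, floor, pos + 3)  # next candidate, further back
    return None


def classify(data):
    """Report which of the two parsers would accept this byte string."""
    is_ole = data.startswith(OLE_MAGIC)       # start-anchored check
    has_zip = find_eocd(data) is not None     # end-anchored use
    if is_ole and has_zip:
        return "polyglot"
    if is_ole:
        return "ole-only"
    return "zip-only" if has_zip else "neither"


def build_samples():
    """Constructed inputs: a stub OLE header, a tiny JAR-like ZIP, and both joined."""
    ole = OLE_MAGIC + b"\x00" * 504   # header-sized stub, not a real MSI
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
    jar = buf.getvalue()
    return ole, jar, ole + jar


def zip_names(data):
    """Entries an end-anchored ZIP reader sees, ignoring any leading bytes."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.namelist()
```

Neither parser's view is wrong on its own; the flag is raised only when both views accept the same bytes.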