Microsoft Corp. has taken the unprecedented action of issuing a patch against the headline-grabbing WannaCry ransomware for older, unsupported versions of its ubiquitous operating system, including Windows XP, Windows 8 and Windows Server 2003.
The patch fixes a flaw in the SMBv1 protocol that Microsoft had already addressed in a security update for Windows 7 and 10 in March. The vulnerability was first exposed in April, when the Shadow Brokers hacking group released software developed by the U.S. National Security Agency.
“We … know that some of our customers are running versions of Windows that no longer receive mainstream support,” Microsoft said in a blog post on its TechNet site. “That means those customers will not have received the … Security Update released in March. Given the potential impact to customers and their businesses, we made the decision to make the Security Update for platforms in custom support only, Windows XP, Windows 8, and Windows Server 2003, broadly available for download.”
According to tracking site NetMarketShare, 7.04 percent of users online were using Windows XP as of April, while a further 6.96 percent and 1.59 percent were still using Windows 8.1 and Windows 8, respectively.
While the issuing of patches for unsupported versions of Windows has been received positively, some argue that relying on patches to address vulnerabilities is the wrong way to deal with such problems as they arise.
“The critical warning here is that relying on security patches to address vulnerabilities is a failed strategy,” Tal Ben-David, co-founder and vice president of Karamba Security Inc., told SiliconANGLE. “This malware tsunami built on EternalBlue took advantage of a Windows SMBv1 vulnerability that Microsoft patched on March 14. Yet, the patch was not applied [initially] to all Windows machines worldwide, exposing them to the attack.”
Ben-David said the problem is that potentially dangerous situations can arise in the new places where Windows is used. “What happens when the vulnerability is in a car, or any other life-risking IoT device?” he said. “A patching strategy would let hackers put lives at risk for months. The only answer is to harden car or other life-risking IoT systems to factory settings, which will secure those systems against attacks, without relying on security patches.”
Microsoft clearly was not happy about having to take such steps. In a blog post, President and Chief Legal Officer Brad Smith slammed the “stockpiling of vulnerabilities by governments.” WannaCry code is based on a Windows hacking method developed by the U.S. National Security Agency.
While Windows 8 users can get the patch through Windows Update, users of Windows XP, which lacks the more modern Windows Update feature, must apply the patch manually; Microsoft has made it available for download. XP users must have Service Pack 3 installed for the security update to work.