Don’t Blame Microsoft For WannaCrypt Vulnerability Exploitation
It’s a rare occurrence that I find myself defending Microsoft’s actions, but the rampant finger pointing after the WannaCrypt ransomware outbreak is an all-too-often reminder that Windows should be treated as a mission-critical application and not as a microwave that warms up your food.
The short story is that there is an exploit that was stolen from the National Security Agency (NSA) and that Microsoft patched on all supported versions of Windows two months ago; this attack vector was used against organizations that are running outdated software like Windows XP. Unfortunately, one of those organizations is the NHS (National Health Service) in England, where the attack disrupted hospital operations by locking up critical data and demanding a Bitcoin payment to release the information.
After this issue became widespread and the vulnerability was running rampant, the blame game started. Was it Microsoft’s fault for no longer supporting Windows XP and other software, was it the NSA’s fault for having its weapon stolen, was it the NHS’s fault for running outdated software, or was it someone else? If you do a quick search on the web, you can find many pointing the finger at just about everyone, with Microsoft getting the most heat for the situation, which is honestly laughable; the NYT’s Opinion section posted that the company should provide security updates to all of its outdated software for all of eternity.
Let’s review the situation here: every supported version of Windows that was running current patches was not impacted by this vulnerability. This includes Windows 7, Windows 8.1, and Windows 10; if you are running something older than this, the finger should be pointing at yourself.
When Microsoft stopped supporting Windows XP, a product whose lifecycle it had already extended on multiple occasions, it was only a matter of time before a massive cyber attack occurred against these users, and unfortunately it was a hospital that was hit the hardest. In fact, Microsoft actually released an emergency patch for Windows XP last week to explicitly stop this ransomware from spreading after the issue became widespread; the company was under no legal obligation to do this but simply did it to help out those users who are running expired software.
If you are thinking that Microsoft should still be required to support Windows XP, as some editorials have suggested, this is a mistake. What other vendor is still supporting software sixteen years after release for free? If you are willing to pay, and some customers have shown they are willing to do so, you can continue to have Windows XP patched, but it will not come cheap. At the same time, this is no different from any other software that has expired from any other vendor; Microsoft is not a charity, creating security patches costs real money, and someone has to pay if you are not willing to upgrade to a modern OS. Further, software built over a decade ago is not designed for modern hardware or for the sophisticated attacks that we frequently see today.
This cyber-attack is also another reason to be diligent about patching your environment. Yes, I know that I have preached that there are instances where it is better to wait and see if a patch is going to break your system, as Microsoft has released broken updates, but that timeline is in days and weeks, not months. The patch to secure your environment against WannaCrypt has been out for two months; that is more than enough time to deploy the update.
WannaCrypt should be a wake-up call to the C-suite that IT is not a black hole where the money goes to vanish. If management is not willing to support an IT infrastructure that is capable of protecting against modern threats, then management can only blame itself when an event like this occurs.
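The "days and weeks, not months" rule above only works if you can actually see how stale each machine is. The following PowerShell audit is an added example, not code from the original post: it pulls the OS version and the most recent installed hotfix from each host and flags anything that is either below the oldest supported version the post names (Windows 7, NT 6.1) or has gone longer than a configurable number of days without an update. It assumes remote CIM/WinRM access to the listed hosts and an account with the rights to query them; the 45-day threshold is an arbitrary choice you should set to your own patch policy.

```powershell
# Added example (not from the original post). Audits patch age and OS support
# status for a list of hosts. Assumes WinRM/CIM access and sufficient rights.
param(
    [string[]]$ComputerName = @('localhost'),
    [int]$MaxPatchAgeDays = 45   # assumption: "days and weeks, not months" as a number
)

# Oldest Windows version the post lists as still in support: Windows 7 (NT 6.1).
# Windows 8.1 is 6.3 and Windows 10 is 10.0, so both pass this check.
$MinSupportedVersion = [version]'6.1'

foreach ($computer in $ComputerName) {
    try {
        # OS caption and version string, e.g. "10.0.19045"
        $os = Get-CimInstance -ClassName Win32_OperatingSystem -ComputerName $computer -ErrorAction Stop
        $osVersion = [version]$os.Version

        # Installed hotfixes; some entries have no InstalledOn, so drop those before sorting.
        $hotfixes = Get-HotFix -ComputerName $computer -ErrorAction Stop |
            Where-Object { $_.InstalledOn } |
            Sort-Object InstalledOn -Descending

        $lastPatch = if ($hotfixes) { $hotfixes[0].InstalledOn } else { $null }
        $ageDays   = if ($lastPatch) { (New-TimeSpan -Start $lastPatch -End (Get-Date)).Days } else { $null }

        [pscustomobject]@{
            Computer       = $computer
            OS             = $os.Caption
            Version        = $os.Version
            Supported      = ($osVersion -ge $MinSupportedVersion)
            LastHotfix     = if ($hotfixes) { $hotfixes[0].HotFixID } else { 'none found' }
            LastPatchDate  = $lastPatch
            PatchAgeDays   = $ageDays
            # Flag: unsupported OS, no dated hotfix at all, or last patch older than the threshold.
            NeedsAttention = ($osVersion -lt $MinSupportedVersion) -or
                             ($null -eq $ageDays) -or
                             ($ageDays -gt $MaxPatchAgeDays)
        }
    }
    catch {
        # A host you cannot inventory is a host you cannot vouch for; flag it.
        [pscustomobject]@{
            Computer       = $computer
            OS             = 'unreachable'
            Version        = $null
            Supported      = $null
            LastHotfix     = $null
            LastPatchDate  = $null
            PatchAgeDays   = $null
            NeedsAttention = $true
        }
    }
}
```

Run it as `.\Audit-PatchAge.ps1 -ComputerName (Get-Content hosts.txt) -MaxPatchAgeDays 30 | Where-Object NeedsAttention | Format-Table`, for example. Get-HotFix only reports updates recorded in the Windows update store, so treat the result as a first-pass heuristic that tells you where to look, not as proof that a specific fix is present; confirm individual patches against your update management system.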
Microsoft is not at fault for WannaCrypt and they have done more than enough to support Windows users as all of their in-lifecycle software is protected. You have two options, upgrade to supported software or roll the dice and run unsupported software which will allow you to save some money that you will inevitably be paying out to ransomware vendors or security professionals to salvage your data in the near future.