Microsoft reneges on update policy to push out patch for unsupported Windows XP and Windows 8 to help defend against ransomware attack
Friday’s ransomware outbreak, which used recently revealed weaknesses in Microsoft’s Windows operating system to spread further and faster than any before, has prompted the Redmond-based developer to break its own rules on software maintenance in an effort to keep users safe.
The ransomware, also known as “WanaCrypt0r”, “WeCry”, “WanaCrypt” or “WeCrypt0r”, used a vulnerability in a Windows Server component to spread within corporate networks. The weakness was first revealed to the world as part of a massive dump of software vulnerabilities discovered by the NSA and then stolen by a group of hackers calling themselves “Shadow Brokers”.
Microsoft fixed the flaw shortly before the stolen data was published, leading many to conclude it had been surreptitiously tipped-off by the security agency about the existence of the flaw.
But Microsoft’s policy is that some commonly used versions of Windows no longer receive security patches; those versions include Windows Server 2003 and Windows XP, both of which have not been sold for over a decade; and Windows 8, which some users prefer to the supported Windows 8.1 because of differences between the two versions of the operating system. Typically, the company only provides support to organisations which pay expensive fees for “custom support” for these out-of-date platforms.
Once WeCry began spreading, however, Microsoft took the “highly unusual” step of releasing free security updates for those out-of-support versions of Windows, which can be downloaded from its website.
How to defend against the ransomware
The vulnerability does not exist within Windows 10, the latest version of the software, but is present in all versions of Windows prior to that, dating back to Windows XP.
As a result of Microsoft’s first patch, users of Windows Vista, Windows 7, and Windows 8.1 can easily protect themselves against the main route of infection by running Windows Update on their systems. In fact, fully updated systems were largely protected from WanaCrypt0r even before Friday, with many of those infected having chosen to delay installing the security updates.
Users of Windows XP, Windows Server 2003 and Windows 8 can defend against the ransomware by downloading the new patch from Windows.
All users can further protect themselves by being wary of malicious email attachments, another major way through which the ransomware was spread.
A of Microsoft’s security response team, Phillip Misner, wrote: “We know that some of our customers are running versions of Windows that no longer receive mainstream support.
“That means those customers will not have received the … Security Update released in March. Given the potential impact to customers and their businesses, we made the decision to make the Security Update for platforms in custom support only, Windows XP, Windows 8, and Windows Server 2003, broadly available for download.”
Although the malware’s main infection vector was through the vulnerability in Windows, it also spread in other ways which require changes in user behaviour to protect against. Phishing attacks with malicious attachments are the main way the malware ends up on corporate networks, meaning that users should be wary of opening such attachments if they seem unusual, as well as keeping all Microsoft Office applications up to date.
More and more antivirus platforms, including Microsoft’s own Windows Defender, are now recognising and blocking the malware, but relying on a purely technical fix means that a new variant of the software could sneak past the defences. Variations of the malware have already been seen in the wild, but they have lacked the capacity to spread themselves, which has vastly limited their proliferation.
For those who have been infected, paying the ransom may seem a tempting way out of trouble. But experts recommend against doing so, arguing that not only does it not guarantee restoration of any files, but it also funds future crime. And, for now, it appears that victims agree: fewer than 100 have actually paid up.