25 May 2017

Why patching Windows XP forever won't stop the next WannaCrypt

By Nick Heath 

The effects of the WannaCrypt ransomware attack were far-reaching. Europol dubbed it "the largest ransomware attack observed in history", with more than 200,000 victims in 150 countries. Computer systems were knocked offline in hospitals across England, in European car plants, in Russian banks and in Chinese schools and colleges.

But does Microsoft have the power to mitigate the effects of a similarly devastating attack by changing how it patches old systems? On the face of it, it appears so.

In the aftermath of the WannaCrypt attack, Microsoft took the extraordinary step of patching Windows XP, Windows Server 2003 and other unsupported OSes, to fix the flaw that WannaCrypt exploited to infect systems.

However, supported versions of Windows had received this same patch from Microsoft back in March. Had the patch been made available for unsupported versions of Windows at that time, it's possible the scale of the WannaCrypt infection could have been significantly reduced, particularly as a single machine infected with WannaCrypt attempts to spread the ransomware to every machine it can reach on its network.

Obviously Microsoft hasn't got the resources to patch every flaw in every operating system it's ever released. The company told TechRepublic that, in this instance, it had taken the extraordinary step of patching unsupported operating systems 'given the potential impact to customers and their businesses'.


But because of the huge consequences of outbreaks on the scale of WannaCrypt, shouldn't Microsoft consider patching the most severe flaws, as defined by the Common Vulnerability Scoring System, in all operating systems, even those that have fallen out of support?

If it could curtail another major outbreak on the scale of WannaCrypt, isn't it worth trying? After all, Microsoft has compared the vulnerability that WannaCrypt exploited to a Tomahawk missile. Such a move would also help shield those who cannot upgrade from older versions of Windows because the specialised equipment their organization relies on is not supported by newer versions.


Writing in the New York Times, Zeynep Tufekci said this is precisely the sort of approach that Microsoft should take.

However, security experts point out that such a move could actually worsen global IT security.

"The question whether Microsoft should proactively patch its unsupported operating systems against the most severe vulnerabilities is a very good one and not as simple as it may seem," said Ziv Mador, VP of security research for SpiderLabs at Trustwave.

"Clearly, once an attack of the magnitude we're currently experiencing with WannaCry starts, it makes perfect sense for Microsoft to release patches also for the vulnerable end-of-life versions. It would be unwise to let the worm spread without releasing a patch because it clearly can help organizations and consumers protect themselves quickly and effectively."

Unforeseen repercussions

But the unintended consequence of Microsoft proactively patching the worst bugs in old operating systems could be that more individuals and businesses feel it is safe to carry on using what would still be a fundamentally insecure operating system, he said.

Firstly, these systems would remain unprotected against the multitude of malware that exploits less severe, unpatched flaws in the OS, according to Mador. On top of this, he said, Microsoft keeps improving security technologies in Windows, adding new defense layers, such as the forthcoming Windows Defender Application Guard.

"That means that computers running later versions of Windows are at significantly lower risk of being successfully exploited and infected," he said, citing Microsoft research that found newer versions of Windows have lower malware infection rates.

"If Microsoft constantly and proactively releases security updates also for the older unsupported versions of Windows, that can end up with more organizations and users not upgrading to supported ones."

"Providing security updates to EOL [end of life] versions of Windows is therefore a double-edged sword. From the security perspective, it has a positive impact in the short term but may have a negative effect overall."

He added that self-replicating malware, known as "worms", rarely reaches the scale of WannaCrypt.

"The last significant worm that propagated through a Windows vulnerability was Conficker, back in 2008."

Patching these older systems could also be undesirable for the organizations involved, according to Javvad Malik, security advocate for AlienVault.

"Microsoft has done the right thing by making the patch available even for older, unsupported systems. But it shouldn't proactively push out the patches, as there are usually some business reasons why companies are still running old and unpatched systems," he said.

"By forcefully pushing a patch, it could do just as much harm, causing systems and applications to become unreliable."

David Chismon, senior security consultant at MWR InfoSecurity, felt that it would be unfair to place the burden of patching old systems, even only for the most severe flaws, on Microsoft.

"Continuing to support outdated operating systems costs Microsoft significantly as each patch has to be tested rigorously to reduce the risk of the patch stopping something working. It is not reasonable to expect a company to support a product forever, particularly when not paying them to do so."

A better solution would be for companies that cannot upgrade for financial or software compatibility reasons to keep these unsupported machines offline and on a separate network from the rest of the organization, he said.
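The segmentation advice above is only as good as the inventory that backs it. What follows is an added example, not code from the article or from MWR InfoSecurity: a Python check over a constructed asset inventory that flags end-of-life Windows hosts still sharing a VLAN with supported machines, and counts how many neighbours a worm landing on each could reach without crossing a router. The inventory rows, the VLAN-based grouping and the EOL_WINDOWS set are assumptions for illustration; a real run would read the export of whatever asset tool the organization uses.

```python
"""Segmentation check for end-of-life Windows hosts (added example).

Reads a constructed inventory and reports EOL hosts that are not on a
separate network from supported machines, plus the number of hosts each
EOL box could reach directly if a worm like WannaCrypt landed on it.
"""
import csv
import io
from collections import defaultdict

# Assumption: OS labels exactly as the inventory tool writes them. The
# article names only XP and Server 2003; extend as products leave support.
EOL_WINDOWS = frozenset({"Windows XP", "Windows Server 2003"})

# Constructed sample inventory (not real hosts): hostname, OS, address, VLAN.
SAMPLE_INVENTORY = """\
hostname,os,ip,vlan
mri-console-1,Windows XP,10.20.5.17,VLAN20
ward-pc-07,Windows 10,10.20.5.40,VLAN20
nurse-pc-03,Windows 7,10.20.5.41,VLAN20
file-srv-2,Windows Server 2003,10.30.1.5,VLAN30
lab-xp-2,Windows XP,10.50.9.2,VLAN50
lab-xp-3,Windows XP,10.50.9.3,VLAN50
"""


def parse_inventory(text):
    """Return one dict per CSV row; rows with a missing field are rejected."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        if None in row or None in row.values() or not all(row.values()):
            raise ValueError(f"incomplete inventory row: {row}")
        rows.append(row)
    return rows


def is_eol(os_name, eol=EOL_WINDOWS):
    """True when the OS label is in the end-of-life set."""
    return os_name.strip() in eol


def segmentation_report(hosts, eol=EOL_WINDOWS):
    """Group hosts by VLAN and find EOL hosts that are not segregated.

    Returns a dict with:
      violations   - {eol_host: sorted supported hosts sharing its VLAN}
      blast_radius - {eol_host: number of other hosts in its VLAN}
    A VLAN is used as the unit of reachability: hosts in the same VLAN can
    talk to each other without any router or firewall in the path.
    """
    by_vlan = defaultdict(list)
    for h in hosts:
        by_vlan[h["vlan"]].append(h)

    violations = {}
    blast_radius = {}
    for h in hosts:
        if not is_eol(h["os"], eol):
            continue
        neighbours = [n for n in by_vlan[h["vlan"]] if n is not h]
        blast_radius[h["hostname"]] = len(neighbours)
        supported = sorted(
            n["hostname"] for n in neighbours if not is_eol(n["os"], eol)
        )
        if supported:
            violations[h["hostname"]] = supported
    return {"violations": violations, "blast_radius": blast_radius}


def main():
    report = segmentation_report(parse_inventory(SAMPLE_INVENTORY))
    for host, neighbours in report["violations"].items():
        print(f"{host}: shares a VLAN with supported hosts {neighbours}")
    for host, n in report["blast_radius"].items():
        print(f"{host}: {n} other host(s) reachable without crossing a router")


if __name__ == "__main__":
    main()
```

In the constructed data the XP-based MRI console is the only violation: it sits on the same ward VLAN as two supported PCs. The two lab XP boxes pass the crossover check but still see each other, which is the point of reporting blast radius alongside violations: putting unsupported machines on their own network limits where a worm can cross into, not what it does inside that isolated pocket.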
