Microsoft Issues XP Patch to Battle WannaCry Ransomware

Microsoft has issued patches to fix the vulnerability that the WannaCry ransomware was able to exploit.

While the vulnerability was initially patched in March, Microsoft has now issued the first publicly available patch for Windows XP since its end of support in 2014. In an advisory, Microsoft said that it took ‘the highly unusual step of providing a security update for all customers to protect Windows platforms that are in custom support only, including Windows XP, Windows 8, and Windows Server 2003’. It also confirmed that customers running Windows 10 were not targeted by the ransomware.

Microsoft initially issued a security update in March which addressed the MS17-010 vulnerability that these attacks are exploiting. For customers using Windows Defender, an update was released which detects this threat as Ransom:Win32/WannaCrypt.

As for the XP patch, Phillip Misner, principal security group manager at the Microsoft Security Response Center, said: “This decision was made based on an assessment of this situation, with the principle of protecting our customer ecosystem overall, firmly in mind.”

Computers running Windows XP have reportedly been a factor in the massive infection. A Freedom of Information Act request from Citrix revealed that 90% of NHS Trusts in England were still running XP in 2016.

According to Silicon, the UK government was paying Microsoft £5.5 million to continue providing security support for Windows XP. This deal came to an end in May 2015 and was not renewed, with the government citing “good progress in moving away from Windows XP across departments and government organizations”. 

Further reports have emerged about how the ransomware, which has gone on to impact more than 140,000 users and businesses in more than 100 countries, became such a problem. According to Forbes, the NSA tools that hacker group Shadow Brokers dumped included one named “EternalBlue”, which was being used as one method for rapidly spreading the WannaCry ransomware variant.

CrowdStrike's vice president of intelligence Adam Meyers told Forbes that the initial spread of WannaCry was coming through spam, in which fake invoices, job offers and other lures are being sent out to random email addresses. Within the emails is a .zip file which, once clicked, initiates the WannaCry infection.

Rick Holland, Digital Shadows’ VP of Strategy, said: “Just over eight weeks later, we are seeing the initial implications of not deploying this SMB patch. If you don’t already have a ransomware response playbook, hopefully today isn’t the test run. You should also formalize your ransomware minimization strategy; you might not be able to prevent it all, but it doesn’t mean you shouldn’t try.”

Andrew Clarke, EMEA director for One Identity, said: “This is an unusual move by Microsoft and serves to demonstrate the seriousness of this type of attack. IT teams with these types of platforms need to act quickly and implement the update to enable them to operate safely next week.

“With hindsight, this incident stresses the importance of continual risk assessments of an organization’s business operations; from fundamental patch management to wider issues that consider access. It reinforces the significance of getting Identity and Access Management right, as it was only a matter of time before an attack happened on this large of a scale to take advantage of those organizations who haven't taken this critical step.”
