WannaCry, the ransomware attack that swept the globe last Friday, used an approach that was clever even by ransomware standards. This spring, the Shadow Brokers group leaked exploit techniques used by the U.S. National Security Agency to further its mission. One of them was a vulnerability in the Windows Server Message Block service, which has been used to create quickly propagating worms. In WannaCry’s case, the payload was ransomware.
Microsoft had released a patch for the vulnerability back in March, but only for the operating systems it still supported (Windows Vista and above), leaving Windows XP—which is still used by massive numbers of people and was exploited by WannaCry—off the list.
It’s tempting to be critical here, as many commentators have been. Why didn’t the organizations affected by WannaCry just apply that patch two months ago? And why in the world are there critical systems still running Windows XP?
But it’s not that easy. Patching, as with most of information security, is subject to the whims, politics, and priorities of human decision-makers. Patching a single home laptop is very different from patching large and complex enterprises. We have a patching problem. Security is not a box you plug in with blinky lights or a threat feed you subscribe to. It is a mindset, a way of thinking, a process, which is why patching—and security more broadly—is hard.
Patching requires significant effort on the vendor side in the form of writing, testing, and pushing code. Naturally when things are this complicated, they can go wrong—really wrong. In 2014, Apple released the iOS 8.0.1 update, which inadvertently disabled the cellular connection and disabled Touch ID. Sony, in 2013, released a firmware update that bricked some PlayStation 3 gaming consoles. Microsoft had an automatic Office patch that locked some Office 365 users out of their accounts for 12 days. In fact, there is a Top 20 list of worst Microsoft Windows automatic update meltdowns. Patches break things because—among other reasons—it’s impossible for a vendor to test against every possible configuration.
The trauma and uncertainty of a botched patch (even having to deal with a post-patch reboot) becomes justification for organizations, particularly those with complicated networks or with limited resources, to turn off automatic updates. Individuals, too, may delay updates out of fear that they will create headaches. The result is that many systems go unprotected, as the risk of being exploited is traded off against the risk of patching. As of January, more than 200,000 websites were still vulnerable to Heartbleed, a critical bug that emerged three years ago. Microsoft released the patch for MS17-010, the vulnerability that WannaCry exploited, on March 14—two months before it tore across the world.
The problem goes beyond customers being reluctant to install patches. Microsoft is probably one of the best in the business at creating, testing, and deploying patches, but it simply cannot get people to migrate off Windows XP. Even though Windows XP has had many security vulnerabilities historically, and Microsoft stopped issuing updates for it more than two years ago, a whopping 7 percent of global computers are still running it. Myriad reasons exist as to why users won’t upgrade, but they generally include things like support for older applications, the cost of a new machine or software, and the ease of piracy. Certain geographical regions seem more inclined to stick with XP, including China, which banned Windows 8 after Microsoft beefed up anti-piracy measures, and Eastern Europe, where the proportion of users running XP climbs into the 20–30 percent range. Microsoft has tried different incentives, including $100-off coupons for newer Windows versions and deceptively forcing users to download Windows 10 upgrades, but they have not been enough to unseat the persistence and ubiquity of XP.
WannaCry should be a massive wake-up call for any organization or person who is running XP or tends to be very late to patch. MS17-010, while devastating, is just one more addition to the list of XP vulnerabilities. In fact, malware authors perform their own return-on-investment calculations. Aside from the opportunistic aspect, they specifically target company computers running Windows XP and its embedded systems variant, because they assume that if the system hasn’t been upgraded, it’s because it could be running something important. In 2017, no information security officer, public or private sector, should let their organization leave vulnerable Windows XP systems on the public internet with no countermeasures, such as network isolation, OS hardening, or disabling unnecessary services. Patching and migrating from legacy software needs to be a clear part of an organizational risk management strategy. Everyone should be asking these questions: How often do we patch? Do we rely on legacy software? What services depend on that software? Worst of all is when organizations don’t even realize they have a system running outdated software.
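The questions above (how often do we patch, which systems still run legacy software, and which of those sit on the public internet without countermeasures) are answerable from an asset inventory. The script below is an added illustration, not part of the original article or any vendor tool: it takes a small, constructed inventory and flags each host by the same criteria the paragraph names (end-of-life OS, stale patch level, SMB reachable from the internet, no network isolation). The `Host` fields, the 30-day patch-age threshold and the severity labels are assumptions chosen for the example; the only end-of-life systems listed are the two the article itself names.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List

# Operating systems no longer receiving vendor updates. Only the two named in the
# article are listed; a real inventory would populate this from vendor lifecycle data.
UNSUPPORTED_OS = {"Windows XP", "Windows Server 2003"}

SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2}


@dataclass
class Host:
    name: str
    os: str
    last_patched: date        # date the last OS patch cycle completed (assumed field)
    internet_exposed: bool    # reachable from the public internet
    smb_exposed: bool         # Server Message Block (TCP/445) listening on that interface
    isolated: bool = False    # segmented with no inbound access from untrusted networks


@dataclass
class Finding:
    severity: str             # "critical", "high" or "medium"
    message: str


def assess(host: Host, today: date, max_patch_age_days: int = 30) -> List[Finding]:
    """Return the risk findings for one host; an empty list means nothing to flag."""
    findings: List[Finding] = []
    unsupported = host.os in UNSUPPORTED_OS

    if unsupported:
        findings.append(Finding("high", f"{host.os} is end-of-life; plan a migration"))

    age = (today - host.last_patched).days
    if age > max_patch_age_days:
        findings.append(Finding("high", f"last patched {age} days ago (limit {max_patch_age_days})"))

    # The combination the article warns about: reachable from the internet with no
    # isolation. SMB exposure makes it worse; an unsupported OS makes it critical.
    if host.internet_exposed and not host.isolated:
        if host.smb_exposed:
            sev = "critical" if unsupported else "high"
            findings.append(Finding(sev, "SMB reachable from the internet with no network isolation"))
        elif unsupported:
            findings.append(Finding("critical", "end-of-life OS on the public internet with no countermeasures"))

    return findings


def triage(hosts: List[Host], today: date, max_patch_age_days: int = 30) -> Dict[str, List[Finding]]:
    """Map hostname -> findings (worst first) for every host with at least one finding,
    with the hosts themselves ordered by their worst finding."""
    report: Dict[str, List[Finding]] = {}
    for h in hosts:
        found = assess(h, today, max_patch_age_days)
        if found:
            report[h.name] = sorted(found, key=lambda f: SEVERITY_ORDER[f.severity])
    return dict(sorted(report.items(), key=lambda kv: SEVERITY_ORDER[kv[1][0].severity]))


# Constructed sample inventory (hostnames, dates and exposure flags are invented).
SAMPLE_HOSTS = [
    Host("web-01", "Windows Server 2016", date(2017, 5, 10), internet_exposed=True, smb_exposed=False),
    Host("file-srv-02", "Windows Server 2012", date(2017, 2, 14), internet_exposed=False, smb_exposed=True),
    Host("ward-imaging-01", "Windows XP", date(2014, 4, 8), internet_exposed=True, smb_exposed=True),
    Host("lab-ctrl-03", "Windows XP", date(2014, 4, 8), internet_exposed=False, smb_exposed=True, isolated=True),
]


if __name__ == "__main__":
    for name, findings in triage(SAMPLE_HOSTS, date(2017, 5, 15)).items():
        print(name)
        for f in findings:
            print(f"  [{f.severity}] {f.message}")
```

Running it on the sample inventory puts the internet-facing XP host with SMB open at the top as critical, lists the two hosts that are merely behind on patches or end-of-life but isolated as high, and leaves the recently patched server with no SMB exposure off the report entirely. The point of the isolated XP host is that the article's countermeasures (isolation, disabling services) lower the urgency but do not remove the migration finding.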
In the aftermath of WannaCry, Microsoft made an emergency decision to create patches for Windows XP and Windows Server 2003. That may have protected some customers who were not yet affected by WannaCry, but it left the company in an awkward spot. It had been in the business of supporting XP for certain customers who paid for this premium support. (It is unclear why the U.K. National Health Service was not a premium Microsoft customer.)
Microsoft cannot be expected to take on the costly process of supporting this software forever, but it most certainly cannot have it both ways. Just like with discontinued cars, it’s not practical to demand that a vendor continue to support a system that is end-of-life. But by choosing to turn end-of-life software into a profitable business, Microsoft found itself in a difficult position and was obligated to issue “highly unusual” patches to guard against its own moral hazard. This creates a distorted incentive structure, with users believing they can rely on Microsoft to issue these emergency patches for unsupported software when things are really bad. As a result, they may be less inclined to migrate away quickly. That is deeply counterproductive—the goal should be to move people away from this software.
Windows is the world’s dominant operating system and therefore has a huge target on its back. Any actor who wishes to possess an offensive toolkit will start by collecting as many Microsoft vulnerabilities as possible. (Adobe and Java are not far behind.) Most likely there are more vulnerabilities out there being bought, sold, and researched heavily by governments who seek to hoard these for future use. Prioritizing offensive capabilities over defense will continue to undermine the internet and the future of technology. Everyone is to blame: the NSA let a weaponized exploit leak, and businesses all over the world were relying on unpatched and legacy systems. But the lessons learned should reflect the nature and reality of the world we live in today. Applying these lessons to the many Internet of Things devices that are and will remain unpatchable should prompt a deeper and more useful discussion of what the public is willing to accept. We all have to try harder. The future of the internet is at stake.
Update, May 22, 2017: A headline on this piece has been updated to clarify that though Windows XP is a major security threat, it didn't necessarily play a large role in the spread of WannaCry.