A Patch Tuesday Present From Microsoft
Microsoft has just thrown a lifeline to the millions of people and businesses still running outdated versions of Windows such as XP by issuing a set of patches for security flaws that the company says are at imminent risk of exploitation.
The move came on Microsoft’s normal monthly patch release date this week, at a time when Windows users are being targeted by a number of different threats. The fix in this group that stands out the most is MS17-010, the bulletin covering the SMBv1 vulnerabilities that the WannaCry ransomware exploits (via the EternalBlue exploit for CVE-2017-0144) to infect new machines over port 445. Microsoft patched those flaws for supported versions of Windows on 14 March 2017, before WannaCry emerged and before other attackers began exploiting them.
But public exploit code for the SMB flaws was already circulating, and as the ransomware worm continued to spread the threat kept growing. Microsoft typically doesn’t offer patches to customers running unsupported versions of its operating system, but this appears to be a special case: company officials said they have good reason to believe that attackers are, or soon will be, targeting the vulnerabilities patched this week.
“Our decision today to release these security updates for platforms not in extended support should not be viewed as a departure from our standard servicing policies. Based on an assessment of the current threat landscape by our security engineers, we made the decision to make updates available more broadly,” Eric Doerr of the Microsoft Security Response Center said of the decision.
“As always, we recommend customers upgrade to the latest platforms. The best protection is to be on a modern, up-to-date system that incorporates the latest defense-in-depth innovations. Older systems, even if fully up-to-date, lack the latest security features and advancements.”
This is not a move that Microsoft would make on a whim. The company issued patches for nearly 20 flaws in older versions of Windows with this release, and that requires a considerable amount of work. The fact that Microsoft committed the resources to building and testing those fixes for Windows XP, which has been out of support since April 2014, is a clear indication that its security team has good information about active or imminent attacks against those flaws.
Microsoft, like many other software vendors, works not only with its customers but with other software and security companies and law enforcement to help identify new threats. The company has close working relationships with various law enforcement agencies, CERTs, and security researchers around the world, and all of those parties share information about threats and attacks. So when Microsoft issues a group of patches like this for out-of-date operating systems – some for vulnerabilities that emerged as long ago as 2009 – it’s a sign that customers should run, not walk, to those machines and install the updates.
One of the reasons that Microsoft makes moves like this is that its researchers know how much attackers like old vulnerabilities. Despite the fascination with zero days, most attacks target older, known flaws, often in older operating systems. Platforms such as Windows XP and Vista lack the defenses and exploit mitigations that modern operating systems have (XP has no address-space layout randomization at all, and Vista-era mitigations are far weaker than what current releases ship), so a public exploit that is unreliable against a current system can work every time against them. And the devices running those versions often go untouched and unpatched for years at a time. If your organization has any of those devices, the time to patch is now. Not tomorrow. Now.