Microsoft released a patch for a handful of legacy operating systems that are no longer supported after detecting a critical vulnerability. The company warns users to patch their systems quickly to prevent another attack on the scale of the WannaCry ransomware outbreak.
It is “highly likely” that malicious actors will write an exploit for this vulnerability, Simon Pope, director of incident response at the Microsoft Security Response Center (MSRC), said in a blog post on Tuesday announcing the vulnerability.
Pope said in his blog post that it is no coincidence that later versions of Windows are not affected. “Microsoft invests heavily in strengthening the security of its products, often through significant architectural improvements that cannot be backported to previous versions of Windows.”
Vulnerable in-support systems include Windows 7, Windows Server 2008 R2 and Windows Server 2008, Microsoft said.
Microsoft also released fixes for unsupported systems such as Windows Server 2003 and Windows XP. Although Windows Server 2003 and XP are no longer serviced by the technology giant and no longer receive patches for security issues, many medical companies, and especially medical devices, continue to run these platforms.
Customers running Windows 8 and Windows 10 are not affected by this vulnerability.
Microsoft released fixes for a critical remote code execution vulnerability, CVE-2019-0708, in Remote Desktop Services (formerly known as Terminal Services) that affects some older versions of Windows, the company said in the blog post.
Microsoft said the vulnerability is “wormable,” meaning that any future malware that exploits it could propagate from vulnerable computer to vulnerable computer without user interaction, in much the same way that the WannaCry malware spread across the globe in 2017.
The WannaCry ransomware attack in May 2017, which hit over 300,000 machines in 150 countries, targeted Windows systems that had not received security updates. According to Kaspersky Lab data, around 98% of the computers affected by the ransomware were running a version of Windows 7. A major concern for hospitals around the world is the use of old operating systems that are no longer updated or supported. At around the same time, NotPetya, malware disguised as ransomware, was spreading around the world. Both caused enormous financial damage worldwide, with WannaCry at $8 billion in damages and NotPetya at $3 billion.
Microsoft has released patches to protect systems against the announced vulnerability, including Windows XP and Windows Server 2003, even though the company generally no longer supports these older systems. However, XP users must manually download the patches from the Microsoft update website. According to a 2017 Spiceworks study, companies around the world still run Windows XP on 11% of their laptops and desktops. Although that share has probably decreased over the past two years, it still leaves a significant number of exposed machines that need the patch applied manually.
Failure to patch vulnerabilities can lead to serious incidents, such as the Equifax breach in 2017, which led to the theft of the personal information of 143 million Americans. In that case, the United States Department of Homeland Security had issued a warning about the vulnerability, and a patch for the web application vulnerability had been available for two months before the breach, but Equifax failed to heed the warning and apply the fix. A report by the US House Oversight Committee placed the blame entirely on the company, saying that “Equifax failed to implement an adequate security program to protect this sensitive data,” and that “such a breach was entirely preventable.”
Companies use many different types of software in their daily activities, and software vendors issue many patches for their products. According to a study by the Ponemon Institute in April 2018, “68% of companies have difficulty setting priorities for what needs to be repaired first”. Limited IT staff and competing priorities within organizations can hinder these efforts, as patching requires an investment of time and sometimes requires taking business systems offline to apply fixes. Companies with external partners and supply chains face even more complex risks, because their systems are often integrated with or dependent on partner systems, and the principal company has no direct control over those systems to ensure patches are applied. Limiting external risk by establishing contractual clauses that require external partners to meet certain security requirements can also help.