Slashdot Mirror

← Back to Stories (view on slashdot.org)

As World Reacts To WanaDecrypt0r, Microsoft Issues Patch For Old Windows Systems (bleepingcomputer.com)

Posted by EditorDavid on from the Windows-Update dept.

An anonymous reader quotes the AP: Teams of technicians worked "round the clock" Saturday to restore hospital computer systems in Britain and check bank or transport services in other nations after a global cyberattack hit dozens of countries and crippled the U.K.'s health system. The worldwide attack was so unprecedented that Microsoft quickly changed its policy and announced that it will make security fixes available for free for older Windows systems, which are still used by millions of individuals and smaller businesses. [Windows XP, Windows 8, and Windows Server 2003]
An anonymous reader writes: The patches are available for download from here. Microsoft also advises companies and users to disable the Windows Server Message Block version 1 protocol, as it's an old and outdated protocol, already superseded by newer versions, such as SMBv2 and SMBv3... Microsoft had released a fix for that exploit a month before, in March, in security bulletin MS17-010 [which] included fixes for Windows Vista, Windows 7, Windows 8.1, Windows 10, Windows Server 2008, Windows Server 2012, and Windows Server 2016.
Below the fold are more stories about the WanaDecrypt0r ransomware.
  • The Los Angeles Times says the attack "shows why Apple refused to hack terrorist's iPhone," and why Google, Apple, and Microsoft resist calls for backdoors. "Though the NSA hasn't confirmed it was hacked, the purported leak of its tools shows that even supposedly secret vulnerabilities can get into the wrong hands.... when flaws the agencies discover pose a threat to the nation's businesses and consumers, they should be forced to help secure systems."
  • Science fiction writer Charlie Stross blogged a humorous take on the event, sharing a "Rejection Letter" from Reality Publishing Corporation that argues the plot of his newest thriller -- MS17-010 -- "does not hold up to scrutiny." (A government agency hoards known vulnerabilities about vital infrastructure, then suddenly loses control of them...)
  • troublemaker_23 shares ITWire's call for a "public statement of contrition" from Microsoft, which reminds readers that "the ransomware and exploits are just the effects. The vulnerabilities in Windows are the cause."
  • There's now a first-person account about the discovery of the kill switch, which insists that registering that domain "was not a whim. My job is to look for ways we can track and potentially stop botnets..."
  • Slashdot reader Lauren Weinstein says some antivirus services (and firewalls incorporating their rules) are mistakenly blocking the kill switch's site as a 'bad domain', which allows the malware to continue spreading. "Your systems MUST be able to access the domain above if this malware blocking trigger is to be effective, according to the current reports that I'm receiving!"

7 of 150 comments (clear)

  1. While the world burned... by __aaclcg7560 · · Score: 3, Insightful

    At my job we finished phasing out the Windows XP and Windows Server 2003 systems from the network last year, the few Windows 8 tablets we have in test are Windows 8.1, and everything else is up-to-date with the latest patches. While the rest of the world burned, it was a quiet Friday as everyone took off for the weekend..

  2. Kind for Microsoft behaviour by Okian+Warrior · · Score: 4, Insightful

    For an ancient unsupported version of their product. Make sure you put that into your narrative.

    Lots of people on the net would support the product, if Microsoft allowed them to.

    The fact that it's unsupported is a dodge - in reality, Microsoft comes out with new products and forces people into them in order to make more profit.

    And in this instance, the "forced upgrade" policy is causing people to die. it's completely unreasonable for people with expensive equipment running Windows XP to have to repurchase their hardware just because Microsoft wants them to spend another $100 for a new OS.

    If the OS is truly obsolete and unsupported, Microsoft should release it into the public domain.

    1. Re:Kind for Microsoft behaviour by AmiMoJo · · Score: 4, Insightful

      XP isn't unsupported. Microsoft will happily provide patches if you pay them. All that has ended is free support.

      You buy proprietary software, you have to accept paying for support as long as you want to keep using it, and paying whatever the vendor demands.

      The NHS should require equipment to use free software, or for the vendor to supply security patches for its lifetime.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
  3. Re:Services not running == safe? by Anonymous Coward · · Score: 3, Insightful

    Several years ago, somebody did a study of the worst types sites on the web, the ones most likely to infect your computer.

    Porn wasn't even close to the top.

    The absolute worst offender?

    Church sites.

    What they figured out is that religious people are stupid, believing in a god is only one symptom of that stupidity. They have some moron in the church design their website for free, but the moron doesn't actually know anything about security. So there's unpatched code all over that church site, it gets hacked quickly, and it's distributing malware for years before anybody ever does anything about it.

    And their followers are stupid enough to believe in a god, so they're also stupid enough to click on anything on that church site. Boom, whole church is infected.

  4. oo-er by Hands+of+Blue · · Score: 3, Insightful

    As much as I like to complain about micro$oft, I'm hard-pressed to fault them for this event, and certainly can't fault their response to it.

    I'd say most of the blame lies on the staff and, more so, the policies at the institutions where the event occurred. Government and healthcare orgs are notoriously slow to update mission-critical systems, and while some of this blame can be placed on their reliance on custom software built for old environments or a lack of funds for upgrades, at the end of the day all institutions had been given the same end-of-service deadline, and a majority of them cleared it.

    Hospitals are far from the only organisation to rely on frequently-antiquated specialty software and embedded devices, but they are perhaps the most critical example.

    1. Re:oo-er by F.Ultra · · Score: 4, Insightful

      Hardly, if it's any one who should take more responsibility here it's the vendors of said embedded devices. To even implement such devices on software that they know will be EOLd while still be connected to a network is beyond me.

  5. Re:Kind for Microsoft to fix their own bugs by __aaclcg7560 · · Score: 4, Insightful

    The source would be available for anyone with knowledge to patch/fix as the source is open for all to see.

    If you wrote code in 2002 would you still understand the code 15 years later?

    Too many times I open up a source file from last week, look at the code, and think: "Who wrote this shit?! Oh, I did. Meh..."