Slashdot Mirror


World's Largest Chip Maker Will Lose $250M For Not Patching Windows 7 Computers (networkworld.com)

"A major virus infection forced the closure of Taiwan Semiconductor Manufacturing Company (TSMC) factories last weekend..." writes Slashdot reader Mark Wilson, noting that it's the largest semiconductor manufacturer in the world, selling chips to Apple, Nvidia, AMD, Qualcomm, and Broadcom, and "responsible for producing iPhone processors."

Now Network World reports: The infection struck on Friday, August 3, and affected a number of unpatched Windows 7 computer systems and fab tools over two days. TSMC said it was all back to normal by Monday, August 6. TSMC did not say it was WannaCry, aka WannaCrypt, in its updates, but reportedly blamed WannaCry in follow-up conference calls with the press.... The company said this incident would cause shipment delays and additional costs estimated at 3 percent of third quarter revenue. The company had previously forecast revenues of $8.45 billion to $8.55 billion for its September quarter. A 3 percent loss would mean $250 million, though actual losses may come out lower than that. Still, that's a painful hit. TSMC also said no customer data was compromised....

TSMC isn't directly to blame here; someone [an infected production tool provided by an unidentified vendor] brought WannaCry into their offices and behind their firewall, but TSMC is still culpable because it left systems unpatched more than a year after WannaCry hit.

8 of 108 comments

  1. Yep, that's what you get by Anonymous Coward · · Score: 3, Insightful

    for not patching your systems.

    1. Re:Yep, that's what you get by RandomFactor · · Score: 2

      The problem here is unlikely to be that IT was too lazy to upgrade or unwilling to patch. Quite the opposite is generally the case.

      Vendors that supply process control systems will certify exactly what can and cannot be loaded on these systems including patches. It can take years to get a new patch certified from the vendor. And if you load anything uncertified you are taking on that entire liability hit and lose support and such. That's a career limiting move.

      Oh, and Windows 7? Not too bad. There are Windows for Workgroups based systems still running machines out there (probably older, to be honest).

      I know of a situation where a system was infected and left that way but just firewalled off for years because they couldn't even load an AV on it. It seems asinine, and it is, but it is also how things have to be done sometimes.

      Often there are quite limited options (if any) available for what you might select to control a particular industrial machine, so just shopping for a different vendor isn't really an option in this space. Not setting up manufacturing systems isn't an option, those are needed to make widgets and without widgets you have a plant or company and all that depend on it on the street. Remember these machines can and do kill or injure people if things go wrong, if you ignore the vendor, just like with any other negligence that harms employees, the liability to the company is rightly phenomenal.

      Now you can make a case that loading the company patching software and AV on these system is prudent, as are all the other things /.ers do to maintain our own systems, and I'll grant that 99% of the time or more you would be right. But explaining that in front of a jury is not something you want to do on that 100th machine -especially- if you do it without the vendor's and your company's approval. Even just the not particularly uncommon case of a patch breaking some obsolete protocol, or the AV making the system stutter during operation can be terribly costly.

      --
      --- Mercutio was right.
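The "firewalled off" approach above is the usual compensating control when a vendor-certified Windows 7 box cannot take a patch. As an added example (not code from this thread, from TSMC, or from any tool vendor), the script below reports and, with -Enforce, applies the two controls that matter for a WannaCry-style worm, which spreads over SMBv1 on TCP 445: it disables the SMBv1 server via the LanmanServer registry value Microsoft documents for this purpose, and it restricts inbound 445 to an allow-list using netsh (Windows 7 has no New-NetFirewallRule cmdlet). It assumes it runs elevated on the host itself under the PowerShell 2.0 that ships with Windows 7; $AllowedPeers and the rule names are constructed placeholders. Disabling SMBv1 takes effect after the Server service restarts, which on a production tool is exactly the kind of change that has to go through the vendor first.

```powershell
# Added example: compensating controls for a Windows 7 host that cannot be patched.
# Assumptions: run as administrator on the host; PowerShell 2.0; the box needs no SMBv1
# clients. $AllowedPeers is a constructed placeholder for hosts that legitimately reach
# this machine over SMB (e.g. a jump host or file server). Without -Enforce it only reports.
param(
    [string[]]$AllowedPeers = @('10.0.0.10'),   # constructed placeholder, replace per site
    [switch]$Enforce
)

$smbKey    = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$allowRule = 'Allow inbound SMB 445 from allow-list'   # constructed rule name

function Get-Smb1ServerState {
    # The SMB1 value absent or non-zero means the SMBv1 server is enabled (Windows 7 default).
    $v = (Get-ItemProperty -Path $smbKey -Name 'SMB1' -ErrorAction SilentlyContinue).SMB1
    if ($v -eq 0) { 'disabled' } else { 'enabled' }
}

function Get-Port445RuleState {
    # netsh exits non-zero and prints "No rules match" when the rule does not exist.
    $null = netsh advfirewall firewall show rule name="$allowRule"
    if ($LASTEXITCODE -eq 0) { 'present' } else { 'absent' }
}

function Disable-Smb1Server {
    # Microsoft-documented switch for the SMBv1 server; needs a Server service restart or reboot.
    Set-ItemProperty -Path $smbKey -Name 'SMB1' -Type DWord -Value 0
}

function Add-Port445Rule {
    # Windows Firewall evaluates explicit block rules before allow rules, so the correct
    # shape is: default inbound policy = block, built-in file-sharing allows disabled,
    # and one narrow allow rule scoped to the allow-list.
    netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound | Out-Null
    netsh advfirewall firewall set rule group="File and Printer Sharing" new enable=No | Out-Null
    $peers = $AllowedPeers -join ','
    netsh advfirewall firewall add rule name="$allowRule" dir=in action=allow `
        protocol=TCP localport=445 remoteip=$peers | Out-Null
}

function Get-ComplianceReport {
    New-Object PSObject -Property @{
        Host        = $env:COMPUTERNAME
        Smb1Server  = Get-Smb1ServerState
        Port445Rule = Get-Port445RuleState
    }
}

$before = Get-ComplianceReport
$before | Format-List

if ($Enforce) {
    if ($before.Smb1Server -eq 'enabled') { Disable-Smb1Server }
    if ($before.Port445Rule -eq 'absent')  { Add-Port445Rule }
    Write-Output 'After enforcement:'
    Get-ComplianceReport | Format-List
}
```

Run it once without -Enforce from a scheduled task or remote session to get an inventory of which tools still expose SMBv1 on 445; that report is the evidence an auditor or a jury would ask for, even on machines where the vendor never approves the change itself.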
  2. Re:Wrong headline by snapsnap · · Score: 2

    Depends on the price to switch to a system that isn't so insecure.

    Where I work, we tried switching about fifty servers to Linux, but it failed due to the fact we couldn't find people that knew what they were doing for minimum wage. The two high school drop-outs that work for minimum wage do an OK job with keeping those Windows servers running. Windows is acceptable since our customer SLA is 95% so I think we can have almost five hours of downtime a week. Of course we often exceed that amount of downtime because of Microsoft-created problems, but the lost customers cost less than a Linux expert would cost.

  3. Re:Wrong headline by kzwork · · Score: 2

    Talking about Windows TCO.

  4. A word about these computers... by GerryGilmore · · Score: 4, Informative

    It appears that the affected machines were those running process control systems. Because of their VERY finicky nature (and usually being designed to be used on a closed intranet), they almost NEVER apply post-production patches.

    I once worked on a medical device where each and every build installed MUST be a bit-perfect replication of the original. Any new release went through horrific levels of qualification and then IT had to be bit-perfect until the next release.

    The typical "patch Tuesday" crap just cannot work in these environments.

    1. Re:A word about these computers... by GerryGilmore · · Score: 2

      I normally don't respond to ACs, but you ask a pretty good question.

      Basically, you don't know, and that's the rub. Let's take as an example the latest set of Spectre/Meltdown patches. These are known to affect I/O performance (heavily-syscall-dependent) to a degree anywhere from 5-30%. Given that this is ONE patch, the same basic rules apply in, essentially, what are semi-real-time systems. That is, for each and every patch, you must apply the entire set of QA tests, which takes a lot of time and money. Performing this level of testing for patches that arise sometimes more-than-weekly is a non-starter. Just throwing a patch out there and waiting for customer support calls is NOT an option.

      Again, remember that these systems are designed to be used in a closed, controlled environment. In this case, lax procedures allowed a virus inside and....wellll.

  5. Not lost by Kohath · · Score: 3, Informative

    Just delayed until the next quarter.
    Also, lower revenues are not money "lost".
    Also, a newer story says it's $170M (2% of revenue), not $250M: https://digitimes.com/news/a20...

    But it wouldn't be a modern news story without a bunch of exaggeration and misunderstood info, would it? The important thing isn't the correct facts, the important thing is to point and laugh at someone's misfortune. Because news...

  6. Re:We stopped patching Win7 when MSFT changed EULA by gweihir · · Score: 2

    I know of a Fortune 500 company that will move to web-terminals after Win7, exactly because of all these problems. They found that qualifying Win7 and dealing with problems from all the updates and lack of security was more expensive than just making all their stuff (mostly custom applications) web-only in their intranet. There will not be any Win10 except by special permission.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.