In a move that has surprised the world, Microsoft just urgently released a patch for older Windows operating systems including unsupported versions of Windows XP and Windows 2003. When was the last time that happened? Yes, that’s right – WannaCry.
Microsoft pushes harder than ever to eliminate the long tail of legacy devices. There are a few reasons for this:
Microsoft has long had a schedule for ridding itself of legacy OS versions: end-of-life for Windows 7 is scheduled for January 14, 2020, and Windows 7 will become entirely unsupported as of March 14, 2020. At that time, it will no longer receive software updates, even though it currently represents 33.38% of the Windows market.
It seems the main fix is for CVE-2019-0708, an RCE (remote code execution) vulnerability in Remote Desktop Services. This vulnerability doesn’t require any user interaction and allows an attacker to execute arbitrary code on the victim’s system. According to Microsoft, to exploit it an attacker would have to send a specially crafted request to the target system’s Remote Desktop Service via RDP. The update resolves the issue through improved handling of connection requests.
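Because the fix ships as an OS update and the vulnerable component is Remote Desktop Services, the first thing an administrator needs is an inventory: which hosts accept RDP connections, which require Network Level Authentication (listed in Microsoft’s advisory for this CVE as a partial mitigation where the update cannot be applied immediately), and which already have the update. The PowerShell script below is an added example written for this post, not SentinelOne’s or Microsoft’s code. It reads the standard Terminal Server registry values, looks for a listener on TCP 3389 and queries Get-HotFix. The post does not give the KB numbers of the update, so `$KbIds` is a placeholder to be filled in from Microsoft’s advisory for CVE-2019-0708 for each OS version; the script deliberately sticks to PowerShell 2.0 syntax so it also runs on Windows 7 and older hosts where newer cmdlets are absent.

```powershell
# Added example (not from the original post): read-only exposure and patch
# check for CVE-2019-0708 on the local Windows host. Run in an elevated session.
param(
    # PLACEHOLDER: fill in from Microsoft's CVE-2019-0708 advisory for this OS;
    # the post itself does not list the KB numbers.
    [string[]]$KbIds = @('KBxxxxxxx')
)

$ts  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$tcp = "$ts\WinStations\RDP-Tcp"

# Get-WmiObject is used instead of Get-CimInstance so PowerShell 2.0 hosts work.
$os = Get-WmiObject Win32_OperatingSystem

# fDenyTSConnections = 0 means Remote Desktop is enabled on this host.
$deny = (Get-ItemProperty -Path $ts -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
$rdpEnabled = ($deny -eq 0)

# UserAuthentication = 1 means Network Level Authentication is required, so a
# client must authenticate before a session is created on the server side.
$ua = (Get-ItemProperty -Path $tcp -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication
$nlaRequired = ($ua -eq 1)

# Is anything actually listening on the RDP port? Get-NetTCPConnection only
# exists on Windows 8 / Server 2012 and later; fall back to netstat otherwise.
if (Get-Command Get-NetTCPConnection -ErrorAction SilentlyContinue) {
    $listening = [bool](Get-NetTCPConnection -LocalPort 3389 -State Listen -ErrorAction SilentlyContinue)
} else {
    $listening = [bool](netstat -an | Select-String ':3389\s+\S+\s+LISTENING')
}

# Get-HotFix enumerates installed updates; any one of the supplied KBs counts.
$patched = $false
foreach ($kb in $KbIds) {
    if (Get-HotFix -Id $kb -ErrorAction SilentlyContinue) { $patched = $true }
}

# New-Object PSObject keeps the output compatible with PowerShell 2.0.
New-Object PSObject -Property @{
    ComputerName = $env:COMPUTERNAME
    OS           = $os.Caption
    Version      = $os.Version
    RdpEnabled   = $rdpEnabled
    RdpListening = $listening
    NlaRequired  = $nlaRequired
    Patched      = $patched
    # Triage flag: RDP reachable and the update missing. NLA is reported
    # separately because it reduces, but does not remove, the exposure.
    Exposed      = ($rdpEnabled -and $listening -and -not $patched)
}
```

Run it on each host (or through Invoke-Command where remoting is available) and sort the results with `Exposed` first, then `NlaRequired` false: those are the machines to update or isolate before anything else. On hosts where the KB cannot be determined, treat `Patched = False` as unknown rather than as confirmed missing.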
Given that Windows XP and the other patched versions of Windows are so far out of support, how is it possible that so many devices are still running unsupported versions of Microsoft’s software? The reasons can be complicated, and vary from lack of investment in new hardware to old, but mission-critical, industrial infrastructure that can’t easily be taken offline for updating. These include areas such as
On top of that, there are devices that use industrial control interfaces that are so old they don’t physically exist on newer systems and computers that do not have sufficient RAM to run Windows 10.
Although patching is not a cybersecurity silver bullet, that doesn’t mean it isn’t helpful. Just remember WannaCry, “the biggest ransomware offensive in history.” Within 24 hours, WannaCry had infected more than 230,000 computers in over 150 countries. This outbreak exploited a vulnerability that had been known for 91 days and that had already been patched by Microsoft.
WannaCry spread quickly around the globe and crippled the UK’s National Health Service. 18 months after the incident, the Department of Health attempted to calculate the financial cost of WannaCry and put the total figure at GBP 92m.
At SentinelOne, we help our clients see which of their devices are unpatched, ranked by priority. No additional installation is needed.
There is no doubt that the cybersecurity industry is having a tough week. In other news, three AV firms were allegedly hacked and their source code offered for sale, followed by CrowdStrike’s underwhelming S-1 filing highlighting massive cash burn, and then the WhatsApp encryption scandal. Just when it seemed things couldn’t get much worse this week, a new speculative execution bug that leaks data from Intel chips’ internal buffers was revealed.
Finally, in case you missed it, Adobe fixed an unprecedented number of vulnerabilities this week in a single update:
Given the sudden glut of bad news, our advice is: install these updates to as many devices as possible on your network. We know there will be more, so make sure your security procedures are in place and, if you aren’t already a SentinelOne customer, install a free demo to see the difference we make. We’ve proved time and time again that our automated, easy-to-use technology can cope with such open vulnerabilities and keep our clients safe, with or without a dedicated SOC team.
Subscribe to our blog to stay up to date with the latest breaking news.