While Microsoft griped about NSA exploit stockpiles, it stockpiled patches: Friday's WinXP fix was built in February
And it took three months to release despite Eternalblue leak
Exclusive When the WannaCrypt ransomware exploded across the world over the weekend, infecting Windows systems using a stolen NSA exploit, Microsoft president Brad Smith quickly blamed the spy agency. If the snoops hadn't stockpiled hacking tools and details of vulnerabilities, these instruments wouldn't have leaked into the wild, sparing us Friday's cyber assault, he said.
"This attack provides yet another example of why the stockpiling of vulnerabilities by governments is such a problem," said Smith.
Speaking of hoarding, though, it's emerged Microsoft was itself stockpiling software – critical security patches for months.
Around January this year, Microsoft was tipped off by persons unknown that the NSA's Eternalblue cyber-weapon, which can compromise pre-Windows 10 systems via an SMBv1 networking bug, had been stolen and was about to leak into the public domain. In March, Microsoft emitted security fixes for supported versions of Windows to kill off the SMB vulnerability, striking Eternalblue dead on those editions.
In April, exactly a month later, an NSA toolkit of hacking weapons, including Eternalblue, was dumped online by the Shadow Brokers: a powerful loaded gun was now in the hands of any willing miscreant.
In May, just last week in fact, the WannaCrypt ransomware, equipped with this weapon, spread across networks and infected tens of thousands of machines worldwide, from hospital computers in the UK and Fedex terminals in the US, to railways in Germany and Russia, to cash machines in China.
On Friday night, Microsoft issued emergency patches for unsupported versions of Windows that did not receive the March update – namely WinXP, Server 2003, and Windows 8 RT. Up until this point, these systems – and all other unpatched pre-Windows 10 computers – were being menaced by WannaCrypt, and variants of the software nasty would be going after these systems in the coming weeks, too.
The Redmond tech giant was praised for issuing the fixes for its legacy Windows builds. It stopped supporting Windows XP in April 2014, and Server 2003 in July 2015, for instance, so the updates were welcome.
However, our analysis of the metadata within these patches shows these files were built and digitally signed by Microsoft on February 11, 13 and 17, the same week it had prepared updates for its supported versions of Windows. In other words, Microsoft had fixes ready to go for its legacy systems in mid-February but only released them to the public last Friday after the world was engulfed in WannaCrypt.
Here's the dates in the patches:
- Windows 8 RT (64-bit x86): Feb 13, 2017
- Windows 8 RT (32-bit x86): Feb 13, 2017
- Windows Server 2003 (64-bit x86): Feb 11, 2017
- Windows Server 2003 (32-bit x86): Feb 11, 2017
- Windows XP: Feb 11, 2017
- Windows XP Embedded: Feb 17, 2017
The SMBv1 bug is trivial, by the way: it is a miscalculation from a 32-bit integer to a 16-bit integer that can be exploited by an attacker to overflow a buffer, push too much information into the file networking service, and therefore inject malicious code into the system and execute it. Fixing this programming blunder in the Windows codebase would have been easy to back port from Windows 8 to XP.
If you pay Microsoft a wedge of cash, and you're important enough, you can continue to get security fixes for unsupported versions of Windows under a custom support license. It appears enterprises and other organizations with these agreements got the legacy fixes months ago, but us plebs got the free updates when the house was already on fire.
Smith actually alluded to this in his blog post over the weekend: "We are taking the highly unusual step of providing a security update for all customers to protect Windows platforms that are in custom support only, including Windows XP, Windows 8, and Windows Server 2003." [Italics are ours.]
Custom support is a big earner: Microsoft charged Britain's National Health Service $200 per desktop for year one, $400 for year two and $800 for a third year as part of its contract. UK Health Secretary Jeremy Hunt cancelled the contract after a year as a cost-saving measure. The idea was that a year would give NHS trusts time to manage their upgrades and get modern operating systems, but instead it seems some trusts preferred to spend the money not on IT upgrades but on executive remuneration, nicer offices, and occasionally patient care. Defence Secretary Michael Fallon claimed on Sunday that "less than five per cent of [NHS] trusts" still use Windows XP.
Naturally, Microsoft doesn't want to kill the goose that lays such lovely golden eggs, by handing out patches for old gear for free. And supporting a 16-year-old operating system like Windows XP must be a right pain in the ASCII for its engineers. And we appreciate that computers still running out-of-date operating systems are probably doing so for a reason – perhaps it's a critical device or an MRI scanner that can't be upgraded – and thus it doesn't matter if a patch landed in February, March or May: while every little helps, the updates are unlikely to be applied anyway.
On the other hand, we're having to live with Microsoft's programming mistakes nearly two decades on, mistakes that Microsoft is seemingly super reluctant to clean up, unless you go the whole hog and upgrade the operating system.
Most crucially, it's more than a little grating for Microsoft, its executives, and its PR machine, to be so shrill about the NSA stockpiling zero-day exploits when the software giant is itself nesting on a pile of fixes – critical fixes it's keeping secret unless you pay it top dollar. Suddenly, it's looking more like the robber baron we all know, and less like the white knight in cyber armor.
We asked Microsoft to comment on the timing of its patching, but its spokespeople uselessly referred us back to Smith's blog. Meanwhile, here's some more technical analysis of the WannaCrypt worm and how a kill switch for the nasty was found and activated over the weekend. ®
Sponsored: Becoming a Pragmatic Security Leader