In Rare Move, Microsoft Offers Critical Security Patch For Windows XP, 8, Other OSes

[Guest]

The critical security fix should offer Windows XP, Windows 8, and Windows Server 2003, among others, the same protections as their Windows 10 counterparts.

In Rare Move, Microsoft Offers Critical Security Patch For Windows XP, 8, Other OSes : Read more

 

[randomizer]

This is the most sensible thing Microsoft has done with Windows in years.

 

[Achoo22]

It's hard to offer any praise for their actions when the backdoor existed for many years and Microsoft was demonstrably negligent in their handling of it.

 

[alextheblue]

Wow. That was unexpected... XP is positively ancient. I hope even with the out-of-support patch, companies will learn their lesson and start migrating systems any way they can. At a minimum, run legacy apps in a VM and handle all your other work including filesharing, email, etc on a fully patched host OS.

 

[JQB45]

We need to come up with a way of disabling wholesale file encryption *Accept* by authorized apps and services. Possible?

 

[jdwii]

XP is the best and i still use it every day as my OS.............NOT lol WTF come on guys what the hell i understand hating 10 but man XP is just so old upgrade to linux if you have to.

I would never trust a XP OS in 2017 for security reasons.

 

[Anders235]

" some of the affected organizations simply can't use new versions of Windows because they rely on legacy software or fear that patches will create problems with critical devices. "

This is an entirely bogus excuse that I'm tired of hearing. I've heard this from companies that partner with a Global Fortune 200 company and it's horsepuckey that comes down to, we don't wanna pay to upgrade.

Microsoft is not on the hook forever to support ancient OSes and neither is the IT profession. Disappointed that TH, a nominally IT site, pedals this kind of low-information rubbish.

 

[-Fran-]

Considering I still see ATMs and Cashier machines running WinXP for their day-to-day usage, this doesn't surprise me one bit. That would be even worse press than what MS has already had with this round of news.

Cheers!

 

[Mousemonkey]

" some of the affected organizations simply can't use new versions of Windows because they rely on legacy software or fear that patches will create problems with critical devices. "

This is an entirely bogus excuse that I'm tired of hearing. I've heard this from companies that partner with a Global Fortune 200 company and it's horsepuckey that comes down to, we don't wanna pay to upgrade.

Microsoft is not on the hook forever to support ancient OSes and neither is the IT profession. Disappointed that TH, a nominally IT site, pedals this kind of low-information rubbish.

I can only assume that you are not in the UK and thus know not of the NHS! :lol:

 

[InvalidError]

" some of the affected organizations simply can't use new versions of Windows because they rely on legacy software or fear that patches will create problems with critical devices. "

This is an entirely bogus excuse that I'm tired of hearing. I've heard this from companies that partner with a Global Fortune 200 company and it's horsepuckey that comes down to, we don't wanna pay to upgrade.

Some companies and institutions do rely on software for which the company and/or the source code no longer exists and cannot be updated. You also have various 100+k$ lab instruments running Windows XP with custom drivers and software to run their acquisition cards, good luck upgrading them to any newer Windows version, same goes for any machinery relying on PC-based controls where upgrading may not be possible without reverse-engineering and rewriting the control software or shelling out hundreds of thousands of dollars to replace an otherwise still perfectly working piece of equipment. There is a whole lot more to it than the $200 license seat cost.

If you think XP is ancient, many companies still run their payroll on 30+ years old VAX mainframes or 25+ years old AS400 mini-computers. Companies do not want to mess around with systems that are vital to parts of their core operations.

 

[Deleted member 1353997]

We need to come up with a way of disabling wholesale file encryption *Accept* by authorized apps and services. Possible?

Do you like UAC? Because what you're suggesting is basically forcing UAC prompts every time any app attempts to modify any file on your PC.

A lot of people already hated the UAC that showed up when installing new apps or changing Windows preferences. My guess is that if MS makes a stricter option for UAC, nobody's going to use it. And even if MS forces it on, people are just going to blindly click on "Allow". I mean, if your "Zelda Breath of the Wild for Windows PC" app wants file write access to update itself, why wouldn't you allow it? If you wouldn't, why did you download it in the first place?

There are plenty of people who have asked themselves all sorts of questions involving security, some smarter than you and me, all of them have dedicated several decades more of their time to it. Trust me: if you think your idea about improving security is good, you're either a bloody genius, or you're awfully naïve. No offense.

 

[JQB45]

We need to come up with a way of disabling wholesale file encryption *Accept* by authorized apps and services. Possible?

Do you like UAC? Because what you're suggesting is basically forcing UAC prompts every time any app attempts to modify any file on your PC.

A lot of people already hated the UAC that showed up when installing new apps or changing Windows preferences. My guess is that if MS makes a stricter option for UAC, nobody's going to use it. And even if MS forces it on, people are just going to blindly click on "Allow". I mean, if your "Zelda Breath of the Wild for Windows PC" app wants file write access to update itself, why wouldn't you allow it? If you wouldn't, why did you download it in the first place?

There are plenty of people who have asked themselves all sorts of questions involving security, some smarter than you and me, all of them have dedicated several decades more of their time to it. Trust me: if you think your idea about improving security is good, you're either a bloody genius, or you're awfully naïve. No offense.

How about making the UAC smart enough to realize a single piece of software is attempting to encrypt a bunch of files and at that point it could prevent the encryption of the files by checking that the application has permission to encrypt files.

Accessing a file would be handled differently than encrypting, that's a different issue..

There is only a handful of software that exists that has a legitimate need to encrypt file and the permission to encrypt files all other software can be denied by a UAC type program that can look up the program online and let the user know if the software is a trusted application or not.

I'm simply asking if its feasible?

 

[therealduckofdeath]

"For the sake of patient safety we have to run vulnerable and unsupported software on our computers"
I really hope a lot of decision makers gets the boot after this. Not only at the HSE but all other organisations who has leaders putting their networks at risk with this argument.

 

[InvalidError]

Accessing a file would be handled differently than encrypting, that's a different issue..

How is the OS supposed to tell the difference between a program accessing a file to update it and software encrypting files? From the OS' point of view, all it sees is software opening a file, reading it and writing it. The OS has no insight into what the software did to the file, a worm encrypting files looks no different than any other software doing a typical read-modify-write operation.

 

[Mousemonkey]

"For the sake of patient safety we have to run vulnerable and unsupported software on our computers"
I really hope a lot of decision makers gets the boot after this. Not only at the HSE but all other organisations who has leaders putting their networks at risk with this argument.

I don't think you understand how these organisations work.

 

[Deleted member 1353997]

How about making the UAC smart enough to realize a single piece of software is attempting to encrypt a bunch of files and at that point it could prevent the encryption of the files by checking that the application has permission to encrypt files.

Accessing a file would be handled differently than encrypting, that's a different issue..

There is only a handful of software that exists that has a legitimate need to encrypt file and the permission to encrypt files all other software can be denied by a UAC type program that can look up the program online and let the user know if the software is a trusted application or not.

I'm simply asking if its feasible?

No, it's not feasible.

In order to do this, the OS needs to understand the intent of the software's current write operation (i.e. the intent to encrypt). For all we know, the software may be simply archiving something (which is not much different from encrypting, really), or it may simply be overwriting a file for update or repair purposes.

If the OS can understand the purpose of a software, we wouldn't need to worry about malware.
If we could make such an OS, we wouldn't have to work anymore, because AIs would be advanced enough to do our thinking in our stead.

So once more: no, it's not (currently) feasible.

 

[therealduckofdeath]

@Mousemonkey, I've worked in several ITIL complaint organisations. Yes, it's a harsh paraphrasing, but it's what they've ended up doing. If you don't believe me, look up how many patients they had to relocate Friday because "not changing things" was preferred over fixing a known glaring security hole.

 

[Mousemonkey]

@Mousemonkey, I've worked in several ITIL complaint organisations. Yes, it's a harsh paraphrasing, but it's what they've ended up doing. If you don't believe me, look up how many patients they had to relocate Friday because "not changing things" was preferred over fixing a known glaring security hole.

Okay, wind back the clock and put yourself in the shoes of those who had to decide in the first place how the NHS was going to be computerised and how much it was going to cost. Do you commission a custom OS that will have to work with every bit of kit that existed at the time and in the future or do you use an "off the shelf OS" that already works with everything? As has already been noted, patches do sometimes break things and when it comes to hospitals lives could be put at risk.

 

[alextheblue]

Some companies and institutions do rely on software for which the company and/or the source code no longer exists and cannot be updated. You also have various 100+k$ lab instruments running Windows XP with custom drivers and software to run their acquisition cards, good luck upgrading them to any newer Windows version, same goes for any machinery relying on PC-based controls where upgrading may not be possible without reverse-engineering and rewriting the control software or shelling out hundreds of thousands of dollars to replace an otherwise still perfectly working piece of equipment. There is a whole lot more to it than the $200 license seat cost.

If you think XP is ancient, many companies still run their payroll on 30+ years old VAX mainframes or 25+ years old AS400 mini-computers. Companies do not want to mess around with systems that are vital to parts of their core operations.

The vast majority of the infected/disabled machines were not driving expensive equipment. Any machine driving expensive equipment should probably be heavily secured regardless of OS, only sending and receiving the bare necessary information. The infection (at least initially) came from someone opening an infected file from an outside source on a vulnerable OS - such as opening an email attachment. They DO have legacy software of various kinds on many machines (could be as basic as patient information software), but that doesn't mean they have to run Windows XP or an out-of-date Windows 7+. You can virtualize for necessary software and run a modern and up-to-date host OS with automatic backups. If you do all your web browsing, email, and other non-legacy operations on a fully patched host OS, the machine wouldn't have been infected. Meanwhile a locked-down VM only runs the necessary legacy software and doesn't allow any other programs to access the network, close all unused ports, etc.

At the end of the day if you have a problem and you just throw up your hands and say "Nothing can be done, even now after we've had our pants pulled down around our ankles" then you need to open your mind to other possibilities. If you have mission critical software, that's great... don't throw it out. In many cases they CAN'T throw it out. But maybe consider a different method of running that software, and running newer software everywhere it is possible, potentially including third-party security solutions. Otherwise you might as well just go offline.

 

[indyjeepman]

Alex...why should they migrate when the OS that they are migrating to will likely be obsolete in half of a decade? Smaller companies simply cannot afford to change operating systems and third part software on a whim from OS publishers.

 

[InvalidError]

The infection (at least initially) came from someone opening an infected file from an outside source on a vulnerable OS - such as opening an email attachment.

You don't need to open mail yourself: a short while ago, a critical bug was found in Microsoft's Defender which could lead to remote code execution from scanning mail for virus.

 

[alextheblue]

It's hard to offer any praise for their actions when the backdoor existed for many years and Microsoft was demonstrably negligent in their handling of it.

Existence of a vulnerability and knowledge of a vulnerability are two different things. They were made aware of it, and they fixed it for supported operating systems. People complain that MS is pushing patches too aggressively... then when unpatched systems are attacked, people cry that they were "negligent". They can't win. What do you want then to do, exactly?

For unsupported systems? It's even sadder. They're running something that is demonstrably unsafe, all the security experts have been telling them it's unsafe... and they're using it online. People have this entitled mentality, like MS should support it forever. I don't often see this line of thinking applied to other operating systems. I have mixed feelings about them patching this vulnerability in XP. I worry that these organizations will use this update as an excuse to continue running XP "safely" until the next big attack comes along.

 

[alextheblue]

Alex...why should they migrate when the OS that they are migrating to will likely be obsolete in half of a decade? Smaller companies simply cannot afford to change operating systems and third part software on a whim from OS publishers.

Most of the infected machines were not controlled by "smaller companies". It's less about the money and more about maintaining the status quo until something explodes. Entrenched mindsets. This isn't something new. Ever since the advent of internet-connected machines, keeping current for security purposes has also been part of the equation. Patching and updating systems that run legacy software is quite difficult. I am not being sarcastic, it can be a massive undertaking. But they should always be thinking about end-of-life OS replacement and other security concerns, coming up with plans, and setting things in motion whenever possible. Ironically I see smaller firms often being more aggressive with security updates compared to larger organizations, perhaps outside of tech firms.

As for your "why" question, I think the damage done to all of these systems should be the self-evident answer. If they don't update, they keep out-of-date and unsupported systems and remain vulnerable. It's their choice. In many cases they were running supported systems and pushed off updates due to a "we'll roll it out when we are ready" mindset. They should have been testing on select systems off the bat, and doing a staggered rollout looking for issues. It was their failure, and all the finger pointing towards outside factors in the world isn't going to fix anything.

The infection (at least initially) came from someone opening an infected file from an outside source on a vulnerable OS - such as opening an email attachment.

You don't need to open mail yourself: a short while ago, a critical bug was found in Microsoft's Defender which could lead to remote code execution from scanning mail for virus.

I didn't know Defender was on Windows XP. For systems that are running Defender and are supported, if those systems were patched... they still wouldn't have been infected. Although if you're using web-based email, that's another way to potentially mitigate such issues. Yes, they have confinements within which to work, but ultimately they took the easiest route possible of "do nothing", and it bit them in the hide.

 

[LORD_ORION]

None of you have any idea what you are talking about.
There is a long and expensive process for developing mission critical software. Some company that spent 50 million on flawlessly working XP era software is not going to spend millions more to rebuild it so the same thing works on the next OS. When it comes to Enterprise apps, one does not simply upgrade the entire network and spend million more to re-certify every couple of years.

 

[Mousemonkey]

None of you have any idea what you are talking about.
There is a long and expensive process for developing mission critical software. Some company that spent 50 million on flawlessly working XP era software is not going to spend millions more to rebuild it so the same thing works on the next OS. When it comes to Enterprise apps, one does not simply upgrade the entire network and spend million more to re-certify every couple of years.

Actually I do believe I alluded to that earlier in the thread.