Risk of ‘Destructive Cyber Attacks’ Prompts Microsoft to Update XP Again

Citing an elevated risk for destructive attacks, Microsoft today included patches for vulnerabilities in Windows XP among its Patch Tuesday updates.

Fearing destructive attacks precipitated by the availability of the nation-state exploits in the wild that spawned the WannaCry outbreak, Microsoft today announced that its Patch Tuesday updates would include fixes for older versions of Windows, including XP.

The move is unusual and mimics a similar one made in the hours following WannaCry’s appearance on May 12 when hundreds of thousands of Windows machines worldwide were compromised and their data encrypted.

Microsoft had pleaded with Windows admins to apply MS17-010, a security bulletin released in March, one month before the ShadowBrokers leaked a cadre of weaponized Windows exploits, but many did not take heed. Microsoft had to scramble as WannaCry made its way around the globe to release an emergency update late in the evening of May 12 for Windows XP and Windows 8 machines, easing any potential pain for unsupported versions of Windows; EternalBlue, the NSA exploit in question, targeted SMB running on Windows XP and Windows 7 computers.

“Due to the elevated risk for destructive cyber attacks at this time, we made the decision to take this action because applying these updates provides further protection against potential attacks with characteristics similar to WannaCrypt,” said Adrienne Hall, general manager of Microsoft’s Cyber Defense Operations Center.

“In reviewing the updates for this month, some vulnerabilities were identified that pose elevated risk of cyber attacks by government organizations, sometimes referred to as nation-state actors or other copycat organizations,” Hall said. “To address this risk, today we are providing additional security updates along with our regular Update Tuesday service. These security updates are being made available to all customers, including those using older versions of Windows.”

Microsoft said that customers with automatic updates enabled are protected and would not have to take additional action to receive these updates. Microsoft said this is a rare decision and encouraged admins to apply the critical updates.

“Our decision today to release these security updates for platforms not in extended support should not be viewed as a departure from our standard servicing policies,” said Eric Doerr, general manager of the Microsoft Security Response Center. “Based on an assessment of the current threat landscape by our security engineers, we made the decision to make updates available more broadly.”

Since WannaCry, security experts have been warning Windows admins about the ferocity of the EternalBlue exploit and that it could be loaded with any sort of payload, including wiper malware, banking Trojans, or more ransomware. Attackers have already on two occasions used it to spread cryptocurrency mining utilities.

It’s unknown whether Microsoft was given any advance warning of another upcoming leak or if there are rumblings of another WannaCry-style attack. The ShadowBrokers promised monthly leaks of anything from Windows 10 exploits to mobile attacks to stolen nuclear and missile data in a new subscription service it promised to start next month.

Microsoft also maintained that organizations should long ago have moved away from older, unsupported platforms such as XP. Windows 10, for example, contains many new mitigations that prevent exploits such as EternalBlue from successfully compromising computers. Opponents of today’s move—and of the May 12 emergency update—contend that these concessions on Microsoft’s part to provide these types of updates will allow organizations to rationalize staying on unsupported versions of Windows.

Suggested articles

biggest headlines 2020

The 5 Most-Wanted Threatpost Stories of 2020

A look back at what was hot with readers — offering a snapshot of the security stories that were most top-of-mind for security professionals and consumers throughout the year.