
Microsoft warns of 'destructive cyberattacks,' issues new Windows XP patches

Last month's devastating WannaCry ransomware outbreak was just a warning shot. In an unprecedented move, Microsoft today released critical security updates to block another wave of similar attacks, making those patches available on unsupported versions like Windows XP and Server 2003.
Written by Ed Bott, Senior Contributing Editor

Citing an "elevated risk for destructive cyberattacks" by government organizations or copycats, Microsoft today released an assortment of security updates designed to block attacks similar to those responsible for the devastating WannaCry/WannaCrypt ransomware outbreak last month.

The accompanying alert highlights the risk of "potential nation-state activity." It does not name the nation-state it suspects of being on the verge of unleashing this attack.


Today's critical security updates are in addition to the normal Patch Tuesday releases, Microsoft said. They'll be delivered automatically through Windows Update to devices running supported versions, including Windows 10, Windows 8.1, Windows 7, and post-2008 Windows Server releases.

But in an unprecedented move, Microsoft announced that it was also making the patches available simultaneously for manual download and installation on unsupported versions, including Windows XP and Windows Server 2003. Both of those operating systems are still deployed by significant numbers of business customers years after their official support lifecycles ended.

The new updates can be found in the Microsoft Download Center or, alternatively, in the Update Catalog. For links, see this Security Summary page. Anyone running an unsupported operating system should look in this article for guidance and download links:

Microsoft security advisory 4025685: Guidance for older platforms

In a blog post shared with ZDNet in advance of today's release, Microsoft's Adrienne Hall, general manager of the Cyber Defense Operations Center, cited an "elevated risk of cyberattacks by government organizations, sometimes referred to as nation-state actors, or other copycat organizations."

The announcement noted that the updates were designed to provide "further protection against potential attacks with characteristics similar to WannaCrypt."

A Microsoft spokesperson declined to comment when asked whether the company had received warnings of an imminent attack, either from security researchers or government agencies. However, the tone and timing of today's announcement suggest that these critical updates are much more than a routine precaution.

As is company policy, details of the vulnerabilities addressed were not made available until the updates themselves were released.

Last month's fixes were related to flaws in older versions of the Server Message Block (SMB) protocol. Those vulnerabilities affect all versions of Windows, and a new active exploit is also targeting Linux servers.

Today's fixes address three separate vulnerabilities, not related to the earlier SMB flaws, that were originally disclosed by the Shadow Brokers hacking group and had not previously been patched. For details, see "Microsoft: Latest security fixes thwart NSA hacking tools."

In a separate blog post, Eric Doerr, general manager of the Microsoft Security Response Center, noted that these additional critical security updates "address vulnerabilities that are at [heightened] risk of exploitation due to past nation-state activity and disclosures."

Doerr cautioned customers running unsupported platforms not to expect similar patches in the future:

"Our decision today to release these security updates for platforms not in extended support should not be viewed as a departure from our standard servicing policies. Based on an assessment of the current threat landscape by our security engineers, we made the decision to make updates available more broadly. As always, we recommend customers upgrade to the latest platforms. The best protection is to be on a modern, up-to-date system that incorporates the latest defense-in-depth innovations. Older systems, even if fully up-to-date, lack the latest security features and advancements."

This is just the latest in a series of unprecedented developments for Windows Update. In February, for the first time ever, the company skipped its normal Patch Tuesday deliveries, delaying them until the following month. In hindsight, it's now apparent that Microsoft was scrambling to deliver patches that would repair the vulnerabilities that resulted in the global WannaCry ransomware outbreak.


Then, in May, after the WannaCry ransomware hit with devastating effect, Microsoft released an emergency patch for unsupported operating systems, including Windows XP. Normally, those updates would be available only to enterprise customers who had paid dearly for custom support contracts.

In a lucky break, security researchers last month noted that a bug in the WannaCry exploit code caused most Windows XP computers to crash rather than being infected. There's no guarantee that XP users will be so fortunate when the next wave of cyberattacks hits.
