The WannaCry (WannaCrypt) malware attack spread through unpatched old software. Old software is the bane of the tech industry. Software vendors hate old software for many reasons. One, of course, is that old software has vulnerabilities that must be patched. Another is that the support costs for older software keep going and growing. Plus, newer software has new features that can generate business, while customers running old software aren’t generating much revenue.
Enterprises, too, hate old software. They don’t like the support costs, either, or the security vulnerabilities. However, there are huge costs in licensing and installing new software – which might require training users and IT staff, buying new hardware, updating templates, adjusting integrations, and so on. Plus, old software has been tested and certified, and better the risk you know than the risk you don’t know. So, they keep using old software.
Like a family that’s torn between keeping a paid-for 12-year-old car and leasing a newer, safer, more reliable model, the decision about whether to upgrade is complicated. There’s no good answer, and when in doubt, the default decision is to simply wait until next year’s budget.
However: What about a family that decides to go car-shopping after paying for a scary breakdown or an unexpectedly large repair bill? Similarly, companies are inspired to upgrade critical software after suffering a data breach or learning about irreparable vulnerabilities in the old code.
WannaCry might be that call to action for some organizations. Take Windows, for example – but let me be quick to stress that this issue isn’t entirely about Microsoft products. Smartphones running old versions of Android or Apple’s iOS, or old Mac laptops that can’t be moved to the latest edition of OS X, are just as vulnerable.
Okay, back to Windows and WannaCry: In its March 14, 2017, security update (bulletin MS17-010), Microsoft fixed a remotely exploitable flaw in its Server Message Block (SMB) code. The exploit for that flaw turned out to be among the tools stolen from the U.S. National Security Agency and published by the Shadow Brokers group a month later, in April 2017. The March fix went to every Windows version then still under support, including Windows Vista, which was weeks away from the end of its extended support, and Windows Server 2008.
It’s important to note that WannaCry spread by exploiting exactly that SMB flaw, so customers who applied the March patch were not infected by it. Microsoft fixed it. Many customers didn’t install the fix because they didn’t know about it, they couldn’t find the IT staff resources, or they simply thought this vulnerability was no big deal. Well, some made the wrong bet, and paid for it.
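As an added, practical example (not part of the original column, and not Microsoft’s code), here is a PowerShell audit for the two conditions that decided WannaCry’s outcome on a Windows host: whether the MS17-010 fix is installed, and whether the SMBv1 server is still enabled at all. The function names are my own; the default KB numbers are the March 2017 security-only and monthly-rollup packages for Windows 7 SP1 / Server 2008 R2 SP1, and other Windows versions need their own identifiers from the MS17-010 bulletin. The registry value is the one Microsoft documents for turning the SMBv1 server off.

```powershell
# Added example: audit a Windows host for MS17-010 and SMBv1 exposure.
# Run in an elevated PowerShell. Works on Windows 7 / Server 2008 R2 and later
# (Windows XP / Server 2003 have no PowerShell by default and are not covered).

function Get-Smb1ServerState {
    # Windows 7 / 2008 R2 lack Get-SmbServerConfiguration, so read the registry
    # value Microsoft documents for disabling the SMBv1 server. An absent value
    # means the protocol is enabled, which is the default on these versions.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $val = (Get-ItemProperty -Path $key -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    if ($null -eq $val) { return 'Enabled (default, value absent)' }
    if ($val -eq 0)     { return 'Disabled' }
    return 'Enabled'
}

function Test-Ms17010Installed {
    param(
        # KB identifiers to look for. Defaults are the Windows 7 SP1 / Server 2008 R2 SP1
        # packages carrying MS17-010 (security-only and monthly rollup). Other versions
        # use other KB numbers; pass them in from the bulletin for your build.
        [string[]]$KnownPatchIds = @('KB4012212', 'KB4012215')
    )
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    $hits = @($KnownPatchIds | Where-Object { $installed -contains $_ })
    # Caveat: a later monthly rollup supersedes these KBs without carrying their
    # numbers, so "no hit" is a prompt to verify against the update history,
    # not proof of exposure. The SMBv1 state above is the more robust signal.
    return [pscustomobject]@{
        Found   = $hits
        Present = ($hits.Count -gt 0)
    }
}

function Disable-Smb1Server {
    # Microsoft's documented registry switch; a reboot is required to take effect.
    # Confirm first that nothing still depends on SMBv1 (old NAS boxes, printers, scanners).
    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' `
        -Name SMB1 -Type DWord -Value 0 -Force
}

# Report for this host
$os    = Get-WmiObject Win32_OperatingSystem
$patch = Test-Ms17010Installed
[pscustomobject]@{
    Computer    = $env:COMPUTERNAME
    OS          = $os.Caption
    Build       = $os.Version
    Smb1Server  = Get-Smb1ServerState
    Ms17010KBs  = ($patch.Found -join ', ')
    Ms17010Seen = $patch.Present
} | Format-List

# To remediate an exposed host (takes effect after reboot):
# Disable-Smb1Server
```

A host that reports the SMBv1 server as enabled and no MS17-010 package present is the profile WannaCry was written for; disabling SMBv1 closes the worm’s propagation path even before the patch is confirmed, but the patch still has to go on.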
Patches keep coming; they aren’t enough
This week, Microsoft blogged,
On May 12, 2017, the WannaCrypt ransomware served as an all too real example of the danger of cyber attacks to individuals and businesses globally.
In reviewing the updates for this month, some vulnerabilities were identified that pose elevated risk of cyber attacks by government organizations, sometimes referred to as nation-state actors or other copycat organizations. To address this risk, today we are providing additional security updates along with our regular Update Tuesday service. These security updates are being made available to all customers, including those using older versions of Windows. Due to the elevated risk for destructive cyber attacks at this time, we made the decision to take this action because applying these updates provides further protection against potential attacks with characteristics similar to WannaCrypt.
These June patches go back even farther than the regular March release, covering Windows XP and Windows Server 2003, platforms Microsoft had already given an emergency MS17-010 fix the weekend WannaCry struck.
While Microsoft is to be complimented on releasing those patches, customers should not be complacent. It is dangerous for consumers or businesses to keep running Windows XP, or heaven forbid, Windows 95. It’s equally dangerous to run Windows Server 2003 at all; anything left on that platform should be migrated. The same is true of smartphones running old versions of Android or iOS, laptops or notebooks running old versions of Macintosh OS, or even old versions of Linux. In some cases, those systems may seem super-reliable – but they are not secure, and can’t be secured.
Unfortunately, upgrades to the latest operating system may require hardware upgrades (such as more memory) – or a complete replacement. That’s often the case with phones and notebooks, and even servers might require a forklift upgrade.
That’s the price of security, however. Forget about the new features of new software; forget about the improved reliability or higher performance that comes along with new hardware. Old software simply can’t be secured. It must go. As my friend Jason Perlow wrote in mid-May, “If you’re still using Windows XP, you’re a menace to society.” He’s right. Get it done.