Microsoft issued an urgent warning to users of older Windows systems to apply an update in order to protect against a potential widespread cyber attack. The company pushed out a patch for the high-severity vulnerability that affects Remote Desktop Services available in Windows 7, Windows Server 2008 R2, and Windows Server 2008. The company also took the unusual step of porting the bug fix to Windows XP and Windows 2003, two operating systems that are otherwise no longer receiving support updates.
The decision to patch the older versions of Windows suggests that an exploit on a global scale is possible. Simon Pope, the director of incident response at the Microsoft Security Response Center, referenced the possibility of another WannaCry-level attack should an attacker target the vulnerability. While Pope said that Microsoft has not observed any attempt to take advantage of the security issue, he said it is “highly likely that malicious actors will write an exploit for this vulnerability and incorporate it into their malware.”
Microsoft’s decision to invoke WannaCry should speak to just how serious a potential exploit could be. To date, the ransomware attack that terrorized individuals and organizations around the world in May 2017 is one of the worst cyber attacks on record. The attack, which encrypted files on infected machines and demanded victims pay a ransom in bitcoin in order to regain access to their information, affected as many as one million machines and extracted hundreds of thousands of dollars from victims. If Microsoft is raising the specter of that attack, it knows that it has a potentially devastating vulnerability on its hands and needs users to act quickly.
One notable aspect of WannaCry: it was entirely preventable. Microsoft issued a security patch for the vulnerability that was exploited in the attack nearly two months earlier, but many people—and worse, many organizations—failed to apply the critical update.
The unfortunate truth is that the same thing could be happening again.
Experts at industrial cybersecurity platform CyberX analyzed traffic from more than 850 operational technology networks and found that 53 percent of industrial sites are still running unsupported versions of Windows. That includes Windows XP and Windows 2003, two operating systems for which Microsoft has rushed out a patch to prevent widespread exploitation of the lingering security vulnerability.
“The problem stems from the fact that patching computers in industrial control networks is challenging because they often operate 24-7 controlling large-scale physical processes like oil refining and electricity generation,” said Phil Neray, VP of Industrial Cybersecurity at CyberX. “For companies that can’t upgrade, we recommend implementing compensating controls such as network segmentation and continuous network monitoring.”
The same issues that led to major corporations, hospitals and even traffic lights being infected are still present today. Namely, updating systems—especially ones that are a part of a major network of machines that need to seamlessly communicate with one another—is occasionally a Herculean task that organizations are not equipped to undertake in short order.
Even with automatic updates available, many people—including security experts—just cannot stay on top of security patches. A 2015 survey by Google found that more than one in three security professionals don’t keep their systems up to date. Only 64 percent of security experts update their software automatically or as soon as a new patch is made available. For the general public, that number drops to just 38 percent. Meanwhile, people are more than happy to come up with excuses to turn off automatic updates.
That’s not even an option with the latest Windows vulnerability when it comes to older, out-of-date operating systems. To install the necessary patch, Windows XP users will have to manually download the update from Microsoft. They at least have more public advance notice this time, as the WannaCry patch was released to relatively little fanfare. The possibility of a sequel to that attack might be enough to scare people and companies straight into installing the necessary update. For those who would be put in harm’s way by a potential exploit, the clock is already ticking.