Patching Legacy Operating Systems
Sunday 14th May, 2017 12:29
With the WannaCry ransomware spreading across organisations, I have sympathy for those that are unable to install patches or upgrade operating systems when it results in an unreasonable expense and disruption to people. But this should be a handful of situations such as vendor hardware tied into poor support contracts (e.g. MRI machines). However, such hosts should be mitigated through the use of network segregation and potentially relay hosts that prevent sensitive network protocols (e.g. SMB) from being directly exposed. You could even stick IPS devices in place. All of that adds protection without having to buy tens of millions of pounds of new hardware.

I have much less sympathy for those running unsupported operating systems through choice, or those running legacy OS under valid support contracts (e.g. paying MS for XP support, or running POSReady 2009) that simply haven't patched their systems in a timely manner. Patches have been out for two months. You should have patched immediately. Thirty days is perhaps more reasonable. But two months after a well publicised vulnerability and your hosts are still vulnerable?

And that's ignoring the fact these systems have SMB ports exposed. Sure, over a management network that may be possible, but it sounds like many hosts may not even have the firewall enabled.
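One concrete way to close the exposure described above: keep the host firewall on and let SMB in only from a management subnet. This is an added example, not configuration from the post; it assumes a Windows host with the NetSecurity cmdlets (Windows 8 / Server 2012 or later), an elevated session, and `10.10.10.0/24` as a placeholder management range.

```powershell
# Added example, not from the post: lock inbound SMB on a Windows host down to a
# management subnet. Assumes the NetSecurity cmdlets (Windows 8 / Server 2012 or
# later) in an elevated session; $MgmtSubnet is a placeholder value.
$MgmtSubnet = "10.10.10.0/24"   # placeholder: replace with your real management range

# The weak state the post describes: firewall disabled, so every inbound SMB
# connection (TCP 445, plus the legacy NetBIOS session port 139) reaches the host.
#   Set-NetFirewallProfile -All -Enabled False   # shown for contrast only, do not run

# 1. Firewall on for every profile, inbound denied unless a rule allows it.
Set-NetFirewallProfile -All -Enabled True -DefaultInboundAction Block

# 2. Disable the built-in sharing rules, which allow SMB from any address.
Disable-NetFirewallRule -DisplayGroup "File and Printer Sharing"

# 3. Allow SMB only from the management subnet. Windows evaluates explicit
#    block rules ahead of allow rules, so the restriction comes from the
#    default-deny plus this narrowly scoped allow, not from a broad block rule.
New-NetFirewallRule -DisplayName "SMB in from management subnet only" `
    -Direction Inbound -Protocol TCP -LocalPort 139,445 `
    -RemoteAddress $MgmtSubnet -Action Allow -Profile Any

# 4. Check: list every enabled inbound allow rule that still opens 445 and show
#    its remote scope; anything reporting "Any" is still exposed to the whole network.
Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
    Where-Object { ($_ | Get-NetFirewallPortFilter).LocalPort -contains "445" } |
    ForEach-Object {
        $addr = ($_ | Get-NetFirewallAddressFilter).RemoteAddress
        "{0,-45} remote={1}" -f $_.DisplayName, ($addr -join ",")
    }
```

The XP and POSReady 2009 hosts the post mentions predate these cmdlets, so the same policy there has to be applied through the older netsh firewall context or at a network device in front of the host.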

I've seen some criticism of Microsoft for only releasing the patch publicly after the worm has caused massive disruption. Part of me wishes they hadn't undermined their own support contracts with paying clients, but I'm mostly glad they understand the greater good for the Internet (and maybe their reputation with the general public) if they can prevent future compromises (even if people choose to use unsupported OS for even longer). Should they have released it sooner? Maybe, but hindsight is a wonderful thing.

Just like the person behind MalwareTech, who accidentally stopped the worm by registering a domain, people don't always know the consequences of their actions. It's a relief to me that the person registering the domain didn't cause the malware to delete files and trash Windows instead of encrypting files.
© Robert Nicholls 2002-2024