Talking the Next Big Cyber Attack on the Brad Davis Show
With newly discovered vulnerabilities from Intel, and even one in Windows 10, a very high number of computers around the world are potentially exposed right now. While we haven’t seen exploits yet to take advantage of these vulnerabilities, they likely aren’t far off. Conditions have scarcely been better for a massive cyber attack on the scale of WannaCry.
Last week, I had the chance to break this down for listeners of the Brad Davis Show.
Why is this Windows vulnerability special?
One point I aimed to drive home on the radio was that the Windows vulnerability is unusual because, like the vulnerability that enabled WannaCry, it requires no action from the user for a hacker to take advantage of it. For most cyber attacks to happen, someone has to click a bad link, open an attachment, or fall for some kind of ruse. In this case, simply having an unpatched system is potentially enough to be affected.
This key difference is why Microsoft took the step of releasing security patches for out-of-service Windows versions like XP and Server 2003 for only the second time ever.
The following Windows versions are affected:
- Windows 7 (end of support 1/14/20)
- Windows XP (end of support 4/8/14)
- Windows Server 2008 R2 (end of support 1/14/20)
- Windows Server 2008 (end of support 1/14/20)
- Windows Server 2003 (end of support 7/14/15)
What defensive steps should be taken?
For consumers, the fix is simple. Turn on automatic updates, and make sure your software is up to date. There are instructions from Microsoft to manually install patches here.
Businesses using any of these versions of Windows, particularly on their servers, may need help ensuring that they are properly patched. This would also be a good time to assess backup systems and restore capability, and to look ahead to any products in your system that will reach their end-of-support date soon. Since all it takes is one oversight to allow a hacker into the system, this isn’t something companies should take on without an IT partner unless they are fully confident in their ability to do so.
Glossary of a vulnerability
Those of us in the IT world can sometimes develop our own language. In preparing for my interview on the Brad Davis Show, I wanted to be sure I could describe this issue in terms any listener could relate to. It actually took some thought to prepare explanations of terms I take for granted. Here’s what I came up with in case it’s helpful!
- Vulnerability: A glitch in computer software or hardware that potentially gives a cyber criminal unauthorized access. Vulnerabilities happen frequently and companies fix them--that's one reason your computer is always asking for updates. You could liken a vulnerability to a broken window lock in your house. It's not a problem on its own, but it could make breaking in very easy.
- Exploit: Code written by a cyber criminal to take advantage of a vulnerability in order to gain access to systems and data.
- Patch: A fix for a vulnerability issued by a company like Microsoft. Patches are installed when software is updated, or can be manually installed if software updates are turned off.
- WannaCry: One of the largest cyber attacks in history, it affected 300,000 computers in 150 countries, including major organizations such as FedEx, banks, and telecom companies. WannaCry sprang out of a Windows XP vulnerability like the one we're seeing now.