
Microsoft fixed Wannacrypt on XP in February, didn’t release

The Register reports:

[O]ur analysis of the metadata within these patches shows these files were built and digitally signed by Microsoft on February 11, 13 and 17, the same week it had prepared updates for its supported versions of Windows. In other words, Microsoft had fixes ready to go for its legacy systems in mid-February but only released them to the public last Friday after the world was engulfed in WannaCrypt.

Here are the build dates found in the patches:

  • Windows 8 RT (64-bit x86): Feb 13, 2017
  • Windows 8 RT (32-bit x86): Feb 13, 2017
  • Windows Server 2003 (64-bit x86): Feb 11, 2017
  • Windows Server 2003 (32-bit x86): Feb 11, 2017
  • Windows XP: Feb 11, 2017
  • Windows XP Embedded: Feb 17, 2017
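The Register's claim rests on timestamps embedded in the patch binaries. The following is an added example, not code from the article or from Microsoft, showing how the linker build timestamp (the COFF TimeDateStamp) is read straight from a PE header; it runs on a constructed stub header rather than a real patch file, and the stub, the offsets chosen and the function names are assumptions for illustration.

```python
import struct
from datetime import datetime, timezone


def pe_build_timestamp(data: bytes) -> datetime:
    """Return the COFF TimeDateStamp of a PE image as an aware UTC datetime.

    Layout: "MZ" DOS header, e_lfanew (u32 at 0x3C) points at "PE\0\0",
    then the COFF file header: Machine(2) NumberOfSections(2) TimeDateStamp(4) ...
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ/PE image")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    (ts,) = struct.unpack_from("<I", data, e_lfanew + 8)
    return datetime.fromtimestamp(ts, tz=timezone.utc)


def make_stub_pe(ts: int) -> bytes:
    """Constructed minimal header for testing: DOS stub with e_lfanew=0x40,
    followed by the PE signature and a COFF header carrying the given timestamp."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)
    # Machine=x64, 0 sections, TimeDateStamp=ts, then zeroed remaining COFF fields
    coff = struct.pack("<HHIIIHH", 0x8664, 0, ts, 0, 0, 0, 0)
    return bytes(dos) + b"PE\0\0" + coff


if __name__ == "__main__":
    # Constructed sample: 1486771200 is 2017-02-11T00:00:00Z, matching the XP patch date above
    sample = make_stub_pe(1486771200)
    print(pe_build_timestamp(sample).isoformat())
```

The COFF timestamp is set by the linker and can be overwritten (reproducible builds often replace it with a hash), so the stronger evidence for a "signed on" date is the Authenticode countersignature timestamp, which this example does not parse.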

This is bad.



    • kris

      I understand that.

      Point being that many people failed to understand and assess the importance of this patch when it was released for systems under support, and patched late. And now we know that Microsoft also did not assess the importance of this patch in time, and only released it to the general public after WannaCry had already happened, for versions of their products under Custom Support.

      I am pretty sure that there is way more XP out there than anybody can measure, as long as the measurement is done by looking at websites on the public internet on websites that are intended for consumption by humans. That is, there is likely to be a large number of very long lived installations on supposedly isolated networks that are running mostly unupdateable, unsupported versions of Windows.

      • Bernd Wachter

        I remember telling some people in an embedded XP project over a decade ago that what they’re building will last more than a decade, they didn’t plan for patches, and they didn’t plan for moving to a new generation once XP is end of life, and that the whole thing will spectacularly blow up if they don’t do any of that.

        Everybody laughed, assured me the devices will be replaced before XP EOL, there’s no need to plan for it, because it’ll just happen soon enough, and we don’t need to patch it, because it’s not connected to the internet. I didn’t have to deal with them after that, but guess what’s still running, and guess what just got owned.

        I think we’re at the point where we need to treat XP outside a support contract like a car not passing the mandatory inspection to be operated on a public road, and – just like such a car – forcefully retire them. In this case Microsoft should just forcefully push a patch to every non-supported instance they can reach to disable the network stack.

        We also need to hold companies operating old unpatched stuff liable – if you get into an accident with an unsafe car you get into trouble, no matter if it was your fault or not. We should apply the same to computers spreading worms because they’re not fully patched.

  1. So what’s the point of Microsoft’s announcement of the EOL of XP, 3 years ago? They mentioned that it won’t have patches for any security issues. That’s what EOL means. This WannaCry is really unprecedented in terms of servicing an already dead system.

  2. Timo Buhmann

    Of course, EOL should be a sufficient reason to update. However, the world consists of more than just 0 and 1. Companies like Microsoft should be more aware of their responsibility by bringing systems to market to this extent.

    • Bernd Wachter

      Not EOL is the reason to update, end of mainstream support is. Microsoft gave customers for all XP based products, including the embedded ones, 5 years after ending mainstream support to get their things in order. Those 5 years are more than enough to deal with any problem you could have with future Windows variants. It’s even enough time to get your special software that won’t work anymore rewritten from scratch, if necessary.

      Instead I’ve seen customers start entering the main rollout phase for migrating away from Windows 2000 just as mainstream support for XP ended. That’s suicidal, and if you do that you deserve all the bad things happening to your infrastructure when you get surprised by EOL.

      And if you do get surprised by EOL you still had the option of paying a few million per year to get support from Microsoft. Nobody was left hanging here by the vendor. If you’re not willing to pay that much for being incompetent in the first place then just close down your company and do something like gardening.

  3. Reto Bürli

    My sympathy is limited. Some people will do anything to avoid changing a running system. If Microsoft started spreading around the patches they made for the versions of XP they still support (for ATMs) or special customers with expensive contracts without an imminent threat, CTOs everywhere would say “See? They were not serious about desupporting XP. We don’t need to migrate!”
