Making sure your IT landscape is patched and correctly configured is a well-known mitigation against new threats, although not a definite protection. No matter how much you secure your environment, users can bypass the measures, 0-day threats can be discovered and so on, but it is quite an efficient way of reducing the risk if managed appropriately.
Usually, malware spreads via user interaction, such as ”phishing”, or via the Internet. However, now and then vulnerabilities are found which don’t require a user to actively trigger the threat.
One example is when a vulnerability in Server Message Block version 1 (SMBv1) enables malware to spread without any user activating it, which can make the impact significant in a short timeframe. (Reference: https://support.microsoft.com/en-in/help/2696547/how-to-enable-and-disable-smbv1,-smbv2,-and-smbv3-in-windows-vista,-windows-server-2008,-windows-7,-windows-server-2008-r2,-windows-8,-and-windows-server-2012)
Mainly two Windows OSes still depend on SMBv1:
- Windows XP
- Windows 2003 server
Windows XP went End-of-Life on April 8, 2014
Windows 2003 server went End-of-Life on July 14, 2015
Windows Vista, Windows 7 and Windows 8.x were also affected. Vista did not become end-of-life until April 2017, which means that it was covered by the patch in March, as were Windows 7 and Windows 8.x.
This vulnerability, affecting OSes that were mostly released more than 10 years ago, some of them End-of-Life for a few years and no longer receiving patches, shows that old environments are still targets for new attacks.
Lack of Lifecycle Management
Let’s start with the OSes which are end-of-life.
In one way, I can understand the home users who still have Windows XP. If the home PC is still alive and the needs aren’t greater than what a 5-7+ year old PC can deliver, then the average user won’t switch to another OS. There is a major gap between the awareness of topics like this and the actual usage of PCs, partly because of the generations using PCs, but also because of the basic understanding of IT and the associated risks.
Windows 2003 server is another matter. Very few home users run it, and since it is a 14-year old OS, EOL for almost two years (announced well in advance), production environments like this really need to get the appropriate attention. Of course, migration of a server environment involves cost, time, effort and in most cases analysis and projects to make the necessary changes.
A company should by default never use an unsupported OS (client or server); still, it happens, sometimes even on new hardware, simply because of cost. The cost of upgrading to new versions in due time, compared with the impact of an event like this, can’t be a bad business case.
Lifecycle Management needs to be established properly, ensuring that the IT environment is up to date and actively supported by the vendor. Companies conducting Windows 7 migration projects after Windows 10 has been released are, at least for me, hard to understand, given the already announced limit on support for Windows 7.
For the ones that were covered by the patch released in March 2017, two months before the outbreak…
Patch Management is still very much a process that is run without any evaluation or risk management involved. Contracts still state SLAs based on vendor criticality, independent of any evaluation of the threat, prioritisation, impact analysis and so on. And the availability aspect is sometimes seen as a reason not to patch, so as to avoid realising the risk of downtime.
Patch Management in 2017 should at least include:
- How does this vulnerability affect the environment?
- What other measures can be taken to protect the environment before the patch is applied, such as configuration of assets (for example a Windows 7 environment with SMBv1 enabled but not in use)?
- Based on the vulnerability, which assets are most critical to patch?
- Which assets can be covered by the standard patch cycle?
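As an added illustration of the pre-patch configuration measure in the list above (example code, not from the original post or from Microsoft): a PowerShell audit that reports whether a host runs an OS past the end-of-life dates given above and whether SMBv1 is still enabled, using the registry value and the SMB cmdlet documented in the Microsoft article referenced earlier. It assumes it is run with local administrator rights on the host being checked.

```powershell
# Added example: audit SMBv1 status and end-of-life OS on the local host.
# Registry path and the SMB1 value are the ones from the Microsoft article above.
$SmbRegPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

# End-of-life dates stated in the post (Vista: 11 April 2017, the exact day added here).
$EolDates = @{
    'Windows XP'          = [datetime]'2014-04-08'
    'Windows Server 2003' = [datetime]'2015-07-14'
    'Windows Vista'       = [datetime]'2017-04-11'
}

function Get-SmbV1Status {
    $result = [ordered]@{ Computer = $env:COMPUTERNAME }

    # Get-WmiObject so the script also runs under PowerShell 2.0 on the older hosts discussed.
    $os = Get-WmiObject -Class Win32_OperatingSystem
    $result.OS = $os.Caption
    $eol = $EolDates.GetEnumerator() |
        Where-Object { $os.Caption -like "*$($_.Key)*" } | Select-Object -First 1
    $result.EndOfLife = if ($eol) { $eol.Value -lt (Get-Date) } else { $false }

    # Server side: an absent SMB1 value means the default, i.e. SMBv1 enabled.
    $reg = Get-ItemProperty -Path $SmbRegPath -Name SMB1 -ErrorAction SilentlyContinue
    $result.ServerSmb1Enabled = if ($null -eq $reg) { $true } else { $reg.SMB1 -ne 0 }

    # Windows 8 / Server 2012 and later also expose the setting via the SMB cmdlets.
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        $result.ServerSmb1Enabled = (Get-SmbServerConfiguration).EnableSMB1Protocol
    }

    # Client side: the mrxsmb10 driver; start type 4 (disabled) means the SMBv1 client is off.
    $drv = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\mrxsmb10' `
        -Name Start -ErrorAction SilentlyContinue
    $result.ClientSmb1Enabled = ($null -eq $drv) -or ($drv.Start -ne 4)

    [pscustomobject]$result
}

function Disable-SmbV1Server {
    # The registry change from the Microsoft article; a reboot is needed for it to take effect.
    Set-ItemProperty -Path $SmbRegPath -Name SMB1 -Type DWord -Value 0 -Force
}

# Usage: review the report first; only disable SMBv1 where the evaluation shows it is unused.
Get-SmbV1Status | Format-List
```

The registry switch is documented for Windows Vista / Server 2008 and later, so on Windows XP and Windows 2003 server the report only flags the end-of-life state; those hosts need the migration discussed above rather than a configuration change.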
That a critical patch was released two months ago, where an evaluation would show that it indeed is critical (not only because of a ransomware threat), and still is not applied is a bad trend. Why this is so is another question, and a lot of companies should review their current setup, internally or with their suppliers of IT services. Countermeasures other than the actual patch are often available but seldom used.
Maybe, for home PCs, patches like this should be enforced. I’m not putting the responsibility on Microsoft, but based on my experience a lot of those users simply don’t have the understanding to be responsible for this, at least not in the way it’s done today.
In corporate environments, the companies need to take further responsibility for ensuring that the environments they rely upon, hardware as well as software, are up to date. IT is not a once-a-decade investment and should be treated and prioritised as business critical, including funding for continuous development.
This is not the last time we will see something like this; with each attack, the attackers gain more knowledge and adapt to the ever-changing landscape. And companies within the public sector seem to be constantly lagging further behind than others. The question for next time is: how much more severe will it get?