
Microsoft Issues WanaCrypt Patch for Windows 8, XP - my123
https://krebsonsecurity.com/2017/05/microsoft-issues-wanacrypt-patch-for-windows-8-xp/
======
Matt3o12_
Although it is probably good for the companies still using Windows XP to
receive those updates, I do not think updating Windows XP was such a smart
move because now those companies do not need to update once again and keep
running outdated Windows machines.

If Microsoft did not provide this update for older OSes, I believe more people
would update because they simply had to. Smaller hacks might not be enough for
the manager of those machines to allocate resources to update, but this hack
might have been just fatal enough for them to update those machines.

And we should all expect to see such a hack again. This is not a one in a
century thing. Such costly hacks could easily happen a few times a year.

~~~
nathan_f77
Alternatively, Microsoft should continue to support Windows XP as long as
there are a large number of critical systems that rely on it. They are unable
to upgrade because it would break a lot of legacy software. I believe Windows
XP should have been supported for at least 50 years, considering how many
people still depend on it. IMO, Microsoft has acted irresponsibly, and the
decision was only driven by money. Sure, 2001 was a long time ago, but so
what? What's wrong with a PC that runs the same OS for 100 years? Sometimes
things work fine just the way they are. For all intents and purposes, most
machines running Windows XP are fast enough. Office workers aren't running
some insane virtual reality system, they're responding to emails and entering
data into some Visual Basic application.

I understand that newer versions of Windows do have stronger security, so it
is better if people can upgrade to a more secure version of Windows. But it
would have been better if those security features were somehow back-ported.
But seriously, can the current version of Windows please be considered
"finished"? Why not spend the next 50 years just maintaining Windows 10, just
the way it is? Imagine if they devoted all of their resources to finding and
fixing all of the possible security issues until it's virtually bulletproof,
and the price of a zero-day gets to a billion dollars. I think it's a shame
that Microsoft constantly releases unnecessary upgrades and tries to get
people to keep buying new licenses.

~~~
kogepathic
_> They are unable to upgrade because it would break a lot of legacy software.
I believe Windows XP should have been supported for at least 50 years,
considering how many people still depend on it._

It's not Microsoft's fault that people depend on Windows XP. IMHO it's the
fault of companies buying hardware and software from manufacturers who are
unwilling or unable to upgrade their product to run on newer versions of
Windows.

To put it another way: the only reason there is a huge demand for COBOL
programmers is because banks are too spendthrift to rewrite their software in
more modern languages.

_> IMO, Microsoft has acted irresponsibly, and the decision was only driven
by money._

Welcome to the world of successful businesses. They don't do things for
altruistic reasons, they do it because it makes money.

_> Imagine if they devoted all of their resources to finding and fixing all
of the possible security issues until it's virtually bulletproof, and the
price of a zero-day gets to a billion dollars. I think it's a shame that
Microsoft constantly releases unnecessary upgrades and tries to get people to
keep buying new licenses._

A lot to unpack here.

1) I personally don't think it's possible for anyone to design a general
purpose OS as complex as Windows that is bug free.

Just look up how small the space shuttle software was (IIRC ~600,000 LOC) and
how mind bogglingly expensive it was.

2) Businesses could already avoid a lot of this if they didn't view IT as a
cost centre and instead as an investment.

3) Yes Windows 10 is a privacy nightmare. But Microsoft has made real strides
in OS security since XP. It's wrong to claim that all they've done is put a
minimalist theme on the same old OS.

From a security perspective they absolutely are not "unnecessary upgrades".

~~~
muraiki
> To put it another way: the only reason there is a huge demand for COBOL
> programmers is because banks are too spendthrift to rewrite their software
> in more modern languages.

I heard that medical devices are approved (by whatever regulatory body) to run
an _exact_ set of software. As such, even applying a security update
invalidates the approval, because it could potentially introduce bugs that
place a patient's life at risk.

~~~
azernik
The computers that store patient records (which were compromised) are not
medical devices under any regulatory regime I know of.

And in any case the compromises were in the UK, which may have different rules
on this subject than the FDA.

~~~
muraiki
Yeah, my point was just that sometimes systems have out of date security for
reasons besides penny pinching and laziness. :)

------
mirimir
> Additionally, we are taking the highly unusual step of providing a security
> update for all customers to protect Windows platforms that are in custom
> support only, including Windows XP, Windows 8, and Windows Server 2003.

That's impressive!

~~~
ddalex
It's impressive that they had the patches, but chose to put the security of
their customers on a lower level than making more money by forcing said
customers to upgrade.

~~~
belltaco
This is more like a pharmaceutical company taking a financial hit to help in a
sudden epidemic by giving out antidotes/vaccines for free, for the sake of
public interest and the ecosystem.

Just because they had the vaccines ready in warehouses or could manufacture
more easily doesn't mean that their customers "deserved" them for free before
the epidemic hit.

If the customers actually desired security, they would've paid for XP/2003
patches or upgraded to a different supported OS. Those customers messed up on
their own, and Microsoft is giving them an out here.

~~~
qubex
I agree with you broadly but your analogy is flawed because patches have zero
marginal cost (once developed, code can be infinitely duplicated at no
additional cost) whereas vaccines are physical entities and therefore giving
one to somebody entails not giving that same item to somebody else. If
Microsoft had already developed these patches why not distribute them widely,
since it costs nothing to do so and takes nothing away from paying customers?

------
mikelabatt
The patch was finalized already in February. I wonder why it took so long to
release it?

[https://twitter.com/mikelabatt/status/863356853576749056](https://twitter.com/mikelabatt/status/863356853576749056)

~~~
qb45
So a month before patches for supported versions of Windows.

Does that mean I can get info on current Windows 0days simply by subscribing
to XP support program?

~~~
belltaco
Many of the researchers already test to see if they work on XP.

You could do what you said but it's pretty expensive and only works for a bulk
deal at around $200/PC/year with a large number of PCs at a minimum.

~~~
qb45
I surely won't be doing it myself, but I can imagine some spook making this
small personal sacrifice of becoming an employee at some Windows XP shop just
to smuggle patches to his mothership for vulnerability analysis.

I hope that the fact this patch was signed in February doesn't imply that it
was published in February and available to every semi-competent cyberwarfare
unit in the world.

------
faragon
In my opinion, hospitals should never run any kind of software accessing
complex protocols locally. They should run everything, except real-time
critical devices, using virtualized remote applications, so that security is
ensured at the data-center level instead of at the client level.

~~~
syshum
Ahh yes, the magic cloud, solving all security problems.

Move to the Cloud and never have to worry about security again /s

~~~
viraptor
You're taking it to a weird extreme of magic. There are reasons to run things
locally and there are reasons for centralisation. Medical centres (at least in
my area) often run on thin clients, because that's a better solution than
having local technical staff in each village and town. This makes things like
security controls easier to manage. It also makes things like backups a part
of the contract rather than part of infrastructure you need to buy. On the
other hand when the internet goes down, your results may not be available.

Look at tradeoffs. There are no magic solutions. Pretending that cloud
services don't solve any problems is as bad as pretending they solve all.

------
pja
If a bug is wormable & your OS is still in widespread use then this ought to
be the least you can do. If you’re unwilling to put the effort in, then open
source the OS in some form so that someone else can.

There are vast numbers of XP boxes out there. They represent a risk to all of
us.

~~~
irl_
There was a Microsoft Research project that made it possible to run Windows XP
(or Server 2003, I don't remember exactly) as a PV guest.

That was really cool, but the whole project disappeared.

If it had been open source, I bet it would still be actively maintained to
this day.

Edit: Found the paper [https://www.microsoft.com/en-us/research/wp-content/uploads/...](https://www.microsoft.com/en-us/research/wp-content/uploads/2003/10/2003-sosp.pdf)

~~~
i336_
I will admit I've just rapidly paged through that PDF, but it looks like I'm
reading a Xen introductory paper.

Xen is open source.

I found some PV IO drivers at
[https://wiki.xen.org/wiki/Xen_Windows_GplPv](https://wiki.xen.org/wiki/Xen_Windows_GplPv)
which mention XP (search for 'XP' including (!) single quotes), and a quick
Google does immediately give hits on running XP as a HVM guest.

I'm (genuinely) curious what you're describing/referring to here. What project
disappeared?

~~~
my123
He's talking about Windows on Xen, which existed at a time, but was never
released, like a lot of research projects. AMD-V and Intel VT made it mostly
moot though.

~~~
i336_
So you mean like... NTOSKRNL et al essentially retrofitted to run in a kind of
userspace?

Nice.

I don't expect that kind of thing to ever leave a research environment though.
It would mess with too many people's heads and give people too many ideas of
running bare-metal kernels other than NT.

Now I think about it, I realize the reason why HW virtualization really took
off is because it let vendors keep their operating systems as actual operating
systems in the traditional sense of the word, making for fewer legal issues
(among many other reasons).

Also, I thought Xen was essentially just a super-thin layer to kickstart
VT-x/AMD-V. I didn't know it could do anything else. In fact, I thought there
was only emulation and hardware-assisted virtualization. Is there a middle
ground I'm not aware of?

~~~
my123
Yes. It's paravirtualization. Oh, Drawbridge is full NT in user-space and is
in production now for SQL Server on Linux, but Dk (Drawbridge) is much newer. :)

~~~
i336_
TIL. That's really cool. Now I'm wondering if there are any small fully-
paravirtualized hypervisors and guests I can play with. I guess Linux's
support for various forms of I/O acceleration is more or less it.

I didn't know Drawbridge was _that_ amazing - that's incredible.

And now I'm starting to understand Microsoft's vision: they have WSL to get
Linux infrastructure onto Windows, and Dk to get selected Windows
infrastructure onto Linux. Impressive.

But now I think about it that way, I know Dk will only ever be an internal
framework - if that got released we'd basically have "perfect Wine" and it
would allow quite a few too many applications to move off of NT.

~~~
my123
WSL uses Drawbridge picoprocesses internally by the way. :)

The Drawbridge NTUM (User-Mode NT kernel) is maintained as NT 6.2 (Windows 8),
which is new enough for almost all purposes - except modern Windows apps.

------
r721
Funnily, WannaCry itself doesn't work on WinXP:

[https://twitter.com/GossiTheDog/status/863339558364229634](https://twitter.com/GossiTheDog/status/863339558364229634)

~~~
emmelaich
Interesting, but I suspect that a slight variant of it would work.

------
acqq
Not all vulnerabilities are equal. If I understand correctly, the reason this
one enabled extremely easy spread of ransomware is that, reading the
description of MS17-010, it is enough for the computer to be a part of the
local network and have the "file sharing" enabled to be infected.
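The exposure acqq describes (reachable over the LAN with file sharing on and the MS17-010 fix missing) can be checked from the defender's side. This is an added example, not code from the thread or from Microsoft; it assumes Windows 8 / Server 2012 or newer (SmbShare and NetTCPIP modules) and uses KB4012598, the Windows 8 package linked elsewhere in this thread, as the only list entry:

```powershell
# Added example (not from the thread): report-only check for MS17-010 exposure.
# Assumes Windows 8 / Server 2012 or newer. KB4012598 is the Windows 8 package
# linked in this thread; other Windows versions have their own MS17-010 KB
# numbers, which you add to the list below.
param(
    [switch]$DisableSmb1   # opt in to remediation; the default is report-only
)

$Ms17010Kbs = @('KB4012598')   # extend with the MS17-010 KB for your platform

# 1. Is one of the listed fixes installed? (Get-HotFix reads Win32_QuickFixEngineering,
#    which can miss updates installed in some other ways, so treat "missing" as "verify".)
$present = Get-HotFix -ErrorAction SilentlyContinue |
    Where-Object { $Ms17010Kbs -contains $_.HotFixID }
if ($present) {
    Write-Output "MS17-010 fix installed: $($present.HotFixID -join ', ')"
} else {
    Write-Warning 'No MS17-010 KB from the list is installed on this host.'
}

# 2. Is the SMBv1 server protocol (the one the fix covers) still enabled?
if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
    if ((Get-SmbServerConfiguration).EnableSMB1Protocol) {
        Write-Warning 'SMBv1 server is enabled.'
        if ($DisableSmb1) {
            Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
            Write-Output 'SMBv1 server disabled.'
        }
    } else {
        Write-Output 'SMBv1 server is disabled.'
    }
} else {
    Write-Warning 'Get-SmbServerConfiguration not available; check SMBv1 manually.'
}

# 3. Is the host listening on TCP 445 at all, i.e. is "file sharing" reachable?
$listen = Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue
if ($listen) {
    $addrs = ($listen.LocalAddress | Sort-Object -Unique) -join ', '
    Write-Output "TCP 445 is listening on: $addrs"
} else {
    Write-Output 'TCP 445 is not listening.'
}
```

Run it as a .ps1 from an elevated prompt; pass -DisableSmb1 only after confirming nothing on the network still depends on SMBv1.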

------
Angry25
Ok, having to scrap an excellent HP laptop that had Vista (did not buy it in a
month that Microsoft thought they had to offer free upgrades to W 7). My
doorstop was not past its prime. If car companies treated customers like
Windows does, the brakes would fail at 4 years and the 40 page online agreement
would say that the purchaser would not be able to hold the auto mfg. liable
for intentional brake malfunction. Kind of like GM screwed Americans by filing
for bankruptcy, getting federal funding and saving 10 cents on the ignition
switch that killed many people. Microsoft and GM could be good companies, they
choose not to be.

------
kozak
Looks like humanity needs some long-term-support version of an operating
system, where "long term" would mean 50 years or so (not five or ten).

~~~
jpineman
Enter rolling distributions, where each upgrade is guaranteed to work. Even if
you can't upgrade from version A to C, you can upgrade from A to B to C. Why
can't Microsoft products also upgrade this way, even between major versions?

~~~
tallanvor
Except you can see YouTube videos of examples where people started on early
versions of DOS in a VM and upgraded all the way to Windows 10. Name one
company that does more work to ensure backwards compatibility. You can even
read Raymond Chen's blog about times where Microsoft developers wrote shims to
emulate bugs in previous versions so that specific applications would continue
to work.

And no, Microsoft can't guarantee everything developed by a 3rd party will
continue working, and nor should they.

The bottom line when it comes to places like the NHS is that they decided to
cut costs by either not entering into a custom support agreement with
Microsoft so that they could continue to get security patches for XP, or by
upgrading their systems to run on newer versions of the OS.

------
emmelaich
The title probably should include the word WannaCrypt since that's the
motivation.

Good on Microsoft for doing this.

~~~
i336_
> _The title probably should include the word WannaCrypt since that's the
> motivation._

Your comment was directly above
[https://news.ycombinator.com/item?id=14330193](https://news.ycombinator.com/item?id=14330193)
when I saw this page. Screenshot:
[http://i.imgur.com/8fydOGG.png](http://i.imgur.com/8fydOGG.png)

I'm starting to seriously dislike HN's lack of moderation transparency. I
don't know who changed the title - if it was the post author or a moderator -
and when.

------
webwanderings
For the life of me, and embarrassingly, I could not locate this patch (or any
patches) to download manually, for offline install on 2008 server which would
not get online updates (the reasons I would leave unknown).

~~~
nabaraz
Try again. The page has been updated with a direct link (CDN).

Here is the direct link to executable just in case. [1]

[1] [http://download.windowsupdate.com/c/msdownload/update/softwa...](http://download.windowsupdate.com/c/msdownload/update/software/secu/2017/05/windows8-rt-kb4012598-x86_a0f1c953a24dd042acc540c59b339f55fb18f594.msu)

~~~
aruggirello
Wait - a critical security update distributed via plain HTTP instead of
HTTPS...? I checked all the links provided for my computers, too - they're all
[http://](http://)

~~~
sschueller
Probably because some Windows XP boxes can't connect to HTTPS servers running
TLS 1.2, so the patches are available over HTTP as well.
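When the transport is plain HTTP, the trust anchor is the Authenticode signature on the file, so the practical check is to verify that before running the installer. Added example, not from the thread or from Microsoft; $MsuPath is an assumed local path to the Windows 8 package linked above, and the SHA-1 comparison relies on the Windows Update naming convention of appending the file's SHA-1 to the file name:

```powershell
# Added example (not from the thread): verify a .msu downloaded over HTTP
# before installing it. Assumes PowerShell 4+ (Get-FileHash) and that the
# file is the Windows 8 package linked in this thread, saved at $MsuPath.
$MsuPath = 'C:\patches\windows8-rt-kb4012598-x86_a0f1c953a24dd042acc540c59b339f55fb18f594.msu'

if (-not (Test-Path -LiteralPath $MsuPath)) {
    throw "File not found: $MsuPath"
}

# 1. Authenticode: the signature must verify and chain to a Microsoft signer.
#    This is the actual trust decision; the download channel is irrelevant to it.
$sig = Get-AuthenticodeSignature -FilePath $MsuPath
if ($sig.Status -ne 'Valid') {
    throw "Signature status is '$($sig.Status)': do not install."
}
$subject = $sig.SignerCertificate.Subject
if ($subject -notmatch 'O=Microsoft Corporation') {
    throw "Unexpected signer: $subject"
}

# 2. Consistency check: Windows Update file names end in "_<sha1 of the file>",
#    so a truncated or swapped download shows up as a mismatch here.
$stem     = [System.IO.Path]::GetFileNameWithoutExtension($MsuPath)
$expected = ($stem -replace '^.*_', '').ToLower()
$actual   = (Get-FileHash -LiteralPath $MsuPath -Algorithm SHA1).Hash.ToLower()
if ($actual -ne $expected) {
    throw "SHA-1 mismatch: name says $expected, file hashes to $actual"
}

Write-Output "OK: signed by '$subject', SHA-1 $actual"
# Install only after both checks pass, e.g.:
#   wusa.exe $MsuPath /quiet /norestart
```

A mismatch in step 2 with a valid signature in step 1 usually means a renamed but still genuine file; a failure in step 1 is the one that matters.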

------
awqrre
Does that mean that they will fix all future (major) remote vulnerabilities?

~~~
lukealization
It's an interesting conundrum. One could argue this is a precedent. Then it
becomes a question of "for what levels of severity do they patch
vulnerabilities?".

~~~
coleca
Exactly! IMHO Microsoft shouldn't have released the patch to people that
aren't paying for extended support. It is just going to encourage cheap CIOs
to continue to ignore their dying infrastructure. They just doomed themselves
to another 10+ years of Windows XP support.

------
dom0
Original title is "Customer Guidance for WannaCrypt attacks"

------
gressquel
I can't get this to work on Win 8. The application starts up, then says
"Searching for updates on this computer". I have been waiting for like 15
minutes now.

~~~
blablabla123
Have you considered getting Windows 10? The update isn't so expensive.

~~~
gressquel
I am on 8.1, problem is I tried upgrading to Windows 10 a year ago. I was one
of the "early adopters". I can't remember properly but there was
incompatibility with Visual Studio with Xamarin on. I was reliant on
developing an app at that time and could not afford downtime, so I reverted
back to 8.1.

I will try upgrading again when I get time.

~~~
my123
8.1 still gets updates until 2023. They only mean 8.0 with those packages. :)
They should add a clearer error message when trying to install an 8.0 package
though.

------
SimeVidas
Can a Windows laptop that doesn’t have the Windows Update patch get infected
just by being connected to the Internet via a home Wi-Fi network?

------
themihai
Am I wrong to say that app sandboxing would fix this kind of issue and a lot
more (i.e. keyloggers)?

------
jwilk
Please remove "?utm_source=t.co&utm_medium=referral" from the URL.

~~~
eddyg
I hate dinglequeries too.

I wish more people would learn what can and can't be removed from a URL before
sharing it. It's not that difficult, and it's easy to test that the "minified"
version still works.

~~~
nabaraz
Just curious, why do you care so much about them? They are just data for
analytics. Everyone is probably just clicking on them not typing manually.

~~~
Sylos
Because they are data for analytics. Not everyone is a fan of that, especially
when the URL points to the servers of a company with such a terrible privacy
policy.

~~~
samtoday
Surely if you dislike analytics, keeping these bogus utm parameters is "good"?
They are misleading the webmaster in some form.

------
RichardHeart
People need it. People want it. Allow the people to pay for it.

~~~
cube00
They do, it's called custom support, but it's very expensive (think six
figures).

------
rocky1138
Was Vista affected by this?

------
swang
Is Windows 7 not affected?

