When Microsoft recently released a new update for unsupported Windows users, it was a great relief because they were an easy target by cyber criminals who exploit existing flaws. However, security experts are reading more from this update.
Why Microsoft found it noble to patch the outdated versions ?
At a time when outdated windows users have become the main targets by different threats, Microsoft looked far beyond the notion of profitability. Microsoft pointed that MS 17-010 flaw (a bug in SMB that the WannaCry ransomware utilized to infect machines) was the most significant, and had to act before attackers started using it. Notably, the supported versions had received the updates in March prior to WannaCry emergence.
However, as ransomware started exploiting the code, the threat continued to increase. Notably, Microsoft does not provide updates for unsupported versions of its operating systems. However, it appears that this is a special case as officials pointed they had enough reasons to believe that attackers were targeting the vulnerabilities.
“The release of these updates is not a departure from our policy on high standards and working on the supported versions,” insisted Eric Doerr of Microsoft Security Response Unit.
He added that the decision to expand the updates was informed by evaluation of the threat landscape by Microsoft experts.
The best recommendation is upgrading to the latest Microsoft operating system that comes with most up-to-date defense innovations. Even if the older systems are up-to-date, they are still vulnerable because they lack advanced security features.
The bigger picture in the Microsoft update
Releasing updates to unsupported versions is not an easy decision that Microsoft can make without a huge premise. Microsoft issued updates to about 20 flaws for older unsupported versions which is monumental work. The decision to commit resources to building these fixes and testing operating systems that have been out for more than 3 years indicates that the company has sufficient information on imminent attacks via the flaws.
Like other vendors, Microsoft does not simply work with its clients, but also with other security companies, software developers, and law enforcement agencies. More importantly, it works with security researchers and CERTs that share info about threats and related issues. Therefore, when the company releases an update for the out-of-date operating system including vulnerabilities that are as old as 7 years, – it means that clients must run to get the best supported operating system. You do not want to experience the bitter lesson that the victims of recent ransomware such as Telefonica experienced.
Experts in systems security understand that attackers like exploiting old vulnerabilities. Even with the great preference for zero days, most attackers prefer known and older flaws in older operating systems. Operating systems like Vista and XP lack defense and mitigation measures in later operating systems. Often, devices that run on such operating systems have gone unpatched for years and, therefore, are highly vulnerable.
Is your organization operating any of the devices on such old operating systems, you must act right away. In fact, you have to take action right away; not any later, not tomorrow.