Microsoft took the highly unusual step Tuesday of releasing new Windows XP patches because of a “heightened risk” of nation-state activity and “attacks with characteristics similar to WannaCrypt. ”
According to a company statement, the same treatment is being afforded Windows Server 2003, another unsupported but widely used operating system dangerously vulnerable to attack.
“In reviewing the updates for this month, some vulnerabilities were identified that pose elevated risk of cyber attacks by government organizations, sometimes referred to as nation-state actors or other copycat organizations,” Adrienne Hall, a general manager at Microsoft’s security response center, wrote in a blog post. “To address this risk, today we are providing additional security updates along with our regular Update Tuesday service. These security updates are being made available to all customers, including those using older versions of Windows.”
Windows XP and Server 2003 users have to manually download the new patches.
The WannaCry ransomware outbreak impacted hundreds of thousands of machines around the world. Security researchers have suggested a nation-state may have been involved, but the truth remains unknown. Despite initial reporting suggesting Windows XP was the key to WannaCry’s success, Kaspersky Lab asserted that most victims of WannaCry were running Windows 7, an operating system that is still officially supported by Microsoft.
Released in 2001, Microsoft ended support for XP in 2014, but it remained in wide use, including by organizations like the United States Navy, which paid $9 million for extended support. Over 100 million people still used Windows XP as of late 2016, according to research, including millions of users in China. The Pentagon, Army and Navy run “Windows XP eradication efforts” to kill off software that’s long been declared past its “end of life” date by Microsoft.
Tuesday’s Windows XP patches, which came in addition to the regular round of updates to supported Microsoft software, follow last month’s equally unusual patches issued for Windows XP just one day after WannaCry began to spread.
WannaCry was weaponized when hacking tools leaked from the National Security Agency became public in April.
In February, Microsoft canceled a regular round of patches because of an unspecified “last-minute issue” that attracted a mountain of questions but few answers.
When the Shadow Brokers hacking group published leaked NSA tools, it was revealed that Microsoft had already issued patches against some of the attacks in March. Microsoft never identified who informed them of the need to patch against the stolen tools.
Microsoft’s Eric Doerr, another general manager of the company’s security response center, urged Windows XP users to upgrade to supported software.
“Our decision today to release these security updates for platforms not in extended support should not be viewed as a departure from our standard servicing policies,” Doerr wrote in a blog post. “Based on an assessment of the current threat landscape by our security engineers, we made the decision to make updates available more broadly. As always, we recommend customers upgrade to the latest platforms. The best protection is to be on a modern, up-to-date system that incorporates the latest defense-in-depth innovations. Older systems, even if fully up-to-date, lack the latest security features and advancements.”