Microsoft slams NSA for enabling recent Ransomware attack

William Gayde


The "WannaCry" ransomware attack has been making headlines for the speed at which it spreads as well as the sheer number of victims it has claimed so far. As of Monday morning there are about 200,000 victims in at least 150 countries around the globe. There are renewed fears of further damage as workers return to their jobs Monday morning. The virus exploited a vulnerability in Windows that was originally discovered by the US National Security Agency. This exploit, code named "EternalBlue", was published online back in April by a hacker collective known as the Shadow Brokers.

Over the weekend, top Microsoft executive Brad Smith slammed the NSA for its practice of the "stockpiling of vulnerabilities." On the modern digital battlefield, Smith compared the issue to the military having some of its Tomahawk missiles stolen. He highlighted the immense work Microsoft has done to help secure its products, such as employing 3,500 security engineers. Microsoft also took the unprecedented step over the weekend of releasing a security patch for Windows XP, a product it no longer supports.

Shortly after the vulnerabilities were leaked online in April, Microsoft did release a general patch that fixed most of the exploits used by the NSA. Unfortunately, many large corporations still run outdated systems and are slow to implement changes. This is one of the reasons that large institutions like FedEx and British hospitals were infected. "The fact that so many computers remained vulnerable two months after the release of a patch illustrates this," he said.

Smith also made clear that continuous patching and security updates are critical to maintaining a secure system. "As cybercriminals become more sophisticated, there is simply no way for customers to protect themselves against threats unless they update their systems. Otherwise they're literally fighting the problems of the present with tools from the past."


 
You can't fix stupid. If an important security update is pushed out, you install it. Period.
 
This honestly is sort of Microsoft's own fault. The reason companies are slow to implement updates is because MS updates often cause more issues than they solve the moment they're released, so companies wait a bit before updating. If the updates had a reputation for being more stable upon release, I'm sure this wouldn't be nearly as much an issue.
 
Microsoft has yelled at Google for finding and announcing vulnerabilities as well. It's funny how they release a product with holes in it then complain that people are pointing them out. How about you show appreciation and fix them as they come?

1. Microsoft did fix it, two months ago. It's unpatched machines that were vulnerable.
2. Microsoft yells at Google because Google is perfectly aware of Microsoft's patch release schedules, and doesn't have the decency to wait a couple days before going public.
 
HAHAHAHAHA ....... it's like the Republicans & Democrats with all the finger pointing. Better quote Rodney King on this one and say "Can't we all just get along?" .......
 
Microsoft has yelled at Google for finding and announcing vulnerabilities as well. It's funny how they release a product with holes in it then complain that people are pointing them out. How about you show appreciation and fix them as they come?

When you try to use 1s and 0s to do crazy things, nothing is simple.

Unless you are deep in computing, it is difficult to understand the immensity of the construction of an OS. All OSes are an accumulation of millions of man-days of work in computing. There are layers of components, from hardware devices, to drivers, to the OS itself, to protocols and standards, to services, to applications, to web sites/scripts, etc. All these do not even cover compatibility, versioning, future upgrades, and human flaws. I can go on forever. All OSes have flaws; variants of Linux (including Apple's) are all subject to flaws and abuses. It is always easier to burn than to build something. We just have to keep patching them or choose not to use them at all.

As far as fixing them and deploying as quickly as possible, that is not an easy task in and of itself. Besides, in this case, as pointed out in the article, the hospitals chose not to patch it.
 
This honestly is sort of Microsoft's own fault. The reason companies are slow to implement updates is because MS updates often cause more issues than they solve the moment they're released, so companies wait a bit before updating. If the updates had a reputation for being more stable upon release, I'm sure this wouldn't be nearly as much an issue.
EXACTLY! MS devs DO NOT GET THIS. People who deal with large corporate infrastructure, patching, regression testing daily get this. MS traditionally is the worst offender for production issues. 10 to 1 at least more from MS and security product vendors than malware.

Edge is another example of breaking support which has an enormous effect on our bottom line compared to a SMB exploit. Win 10 forced upgrades. Installing MS keyloggers, Cortana, .NET 4.6 and 4.6.2 critical flaws. Microsoft is by far the worst risk for our organisation.
 
When you try to use 1s and 0s to do crazy things, nothing is simple.

Unless you are deep in computing, it is difficult to understand the immensity of the construction of an OS. All OSes are an accumulation of millions of man-days of work in computing. There are layers of components, from hardware devices, to drivers, to the OS itself, to protocols and standards, to services, to applications, to web sites/scripts, etc. All these do not even cover compatibility, versioning, future upgrades, and human flaws. I can go on forever. All OSes have flaws; variants of Linux (including Apple's) are all subject to flaws and abuses. It is always easier to burn than to build something. We just have to keep patching them or choose not to use them at all.

As far as fixing them and deploying as quickly as possible, that is not an easy task in and of itself. Besides, in this case, as pointed out in the article, the hospitals chose not to patch it.
OS design is a 3rd year computer engineering course where I come from. You don't need to be in industry to "get" what an OS is or how complicated it is.

The differentiator that many do not get is the patching models and ecosystems of iOS, MacOSX, Linux, Windows, Android.

Windows is the dominant desktop ecosystem because of its incumbent applications and support. Microsoft has always introduced regressions in patches throughout the years but now with the new Win10 patching model, the risk factor from MS introduced regressions has substantially increased. Microsoft as a company has moved to more rapid development practices (more agile) and are much quicker to release regressions in their patches.

This is exactly the problem. The massive pre-existing corporate legacy application base vs the risk of regressions from bundled patches. We used to be able to just temporarily skip certain updates and take ALL the others. Now we have to skip entire cumulative sets until the regression is addressed which can take months or years.
 
They should blame themselves for the stupid culture of developing and fixing **** after the product is out.
No incentive for the programmers to fix the bug beforehand, but a big payout for fixing the bug they created in the first place. That is why we have so many problems today.
 
The reason companies are slow to implement updates is because MS updates often cause more issues than they solve the moment they're released, so companies wait a bit before updating.

Recent source?
Microsoft often pushes non-security related updates into "security-only" patches which can break a normally functioning machine. Like this: https://www.ghacks.net/2017/04/12/microsoft-screws-up-windows-patching-even-more/

This is just one of many incidents over the years where a security update just makes things worse.
 
EXACTLY! MS devs DO NOT GET THIS. People who deal with large corporate infrastructure, patching, regression testing daily get this. MS traditionally is the worst offender for production issues. 10 to 1 at least more from MS and security product vendors than malware.

Edge is another example of breaking support which has an enormous effect on our bottom line compared to a SMB exploit. Win 10 forced upgrades. Installing MS keyloggers, Cortana, .NET 4.6 and 4.6.2 critical flaws. Microsoft is by far the worst risk for our organisation.
Many don't get this, perhaps because it is their own personal computers at risk. In businesses, it is an entirely different matter. Updates that just don't work and, in the days of NT, that brought down many of the computers they were installed on cost businesses perhaps more than this.

Personally, I have to ask the rest of the crowd, if M$ is just soooo goooooood at providing patches and at catching errors in the first place, why is XP getting a fix for this just recently?

M$ has always been an arrogant company. I remember reading in M$ developer literature 15 years ago already, "At Microsoft, we like to believe that we can always improve on a standard." To that, I could only think, then what the hell is the point of having a standard in the first place???
 
Microsoft often pushes non-security related updates into "security-only" patches which can break a normally functioning machine. Like this: https://www.ghacks.net/2017/04/12/microsoft-screws-up-windows-patching-even-more/

This is just one of many incidents over the years where a security update just makes things worse.

I was specifically curious about recent issues businesses have had, not updates affecting end users. I'm fully aware of the issues end users have had over the years.
 
Many don't get this, perhaps because it is their own personal computers at risk. In businesses, it is an entirely different matter. Updates that just don't work and, in the days of NT, that brought down many of the computers they were installed on cost businesses perhaps more than this.

You liked the above comment that didn't answer my question, but you failed to answer it here. Perhaps you have some recent articles about how upset businesses are with Microsoft over their quality of updates... in a business environment. Thank you.

Personally, I have to ask the rest of the crowd, if M$ is just soooo goooooood at providing patches and at catching errors in the first place, why is XP getting a fix for this just recently?

Because people are too lazy, cheap and/or daft to download updates and/or update their damn OS! Oh, and the NSA!

M$ has always been an arrogant company. I remember reading in M$ developer literature 15 years ago already, "At Microsoft, we like to believe that we can always improve on a standard." To that, I could only think, then what the hell is the point of having a standard in the first place???

This isn't the final answer, but it's pretty damn hard to update millions of systems at once. So much so M$ hired 3500 more people to help. Some W10 versions let you disable and even pause updates so they are doing something to fix the issues on their end, but people need to do their parts too.

The whole, "if it ain't broke don't fix it" mentality has to go when it comes to computers connected to the Internet. Clearly this article proves it. If you wanna still use XP then disconnect it from the web.
 
This honestly is sort of Microsoft's own fault. The reason companies are slow to implement updates is because MS updates often cause more issues than they solve the moment they're released, so companies wait a bit before updating. If the updates had a reputation for being more stable upon release, I'm sure this wouldn't be nearly as much an issue.

I disagree. The ultimate responsibility lies with the NSA. They force Microsoft to add these vulnerabilities, so they should protect them at all costs. If Microsoft could have their say they wouldn't put those vulnerabilities in there to begin with.

The NSA messed up here. Ah well... sh.t happens. The crisis has been solved now. At least now they will be a bit more careful with the new vulnerabilities that will be put into Microsoft's operating systems.

I do believe the NSA should pay Microsoft and all other institutes who were damaged by this. But we all know that's not going to happen. I guess this is yet another reason why so many servers run Linux. In a way this outcome was to be expected. It was a matter of 'when' rather than 'if'. It probably will happen again much later in the future and probably with another agency.
 
Many don't get this, perhaps because it is their own personal computers at risk. In businesses, it is an entirely different matter. Updates that just don't work and, in the days of NT, that brought down many of the computers they were installed on cost businesses perhaps more than this.

Personally, I have to ask the rest of the crowd, if M$ is just soooo goooooood at providing patches and at catching errors in the first place, why is XP getting a fix for this just recently?

M$ has always been an arrogant company. I remember reading in M$ developer literature 15 years ago already, "At Microsoft, we like to believe that we can always improve on a standard." To that, I could only think, then what the hell is the point of having a standard in the first place???
The question it seems to me is why are there so many systems running an operating system that was released in 2001 and had official support killed in 2014? Everyone knew Microsoft ended support for XP but some continued to roll the dice hoping nothing would happen. Microsoft had no responsibility to release a patch for an OS they had officially ended support for 3 years ago.
 
The question it seems to me is why are there so many systems running an operating system that was released in 2001 and had official support killed in 2014? Everyone knew Microsoft ended support for XP but some continued to roll the dice hoping nothing would happen. Microsoft had no responsibility to release a patch for an OS they had officially ended support for 3 years ago.

Why? Money. At times it's borderline impossible to get the budget to mass upgrade. You suggest till you're red in the face at times. You have to use worst-case scenarios and you still may fail. So they roll the dice. Some companies fall back on the argument, "that's why we have an IT staff." If there was enough staff to sit next to each user to slap their hand when they do something dumb, maybe that'd help.. though not enough.

Seems a bit ridiculous that the virus caused so many problems. While the refusal to upgrade/update OSes was the focus, their systems/network had to contribute. How the hell did a virus jump from a user/thin client to the server? Do they have any security? Blame the NSA and virus makers all you want, but if your systems haven't been kept up for many years in such a large company, you have bigger problems.

As far as updates that cause issues on business machines, the source is reality. Our Win10 field systems were wrecked with 1607, which broke IIS proprietary configurations. Also, forcibly introducing/enabling game mode in a win10pro business environment was stupid. A possible remedy would be an added note in Win Update to include usage patterns with manual update. If you never played games or have them installed, rate game mode as low priority or manual update only. If there's a program on your system that has an update but hasn't been used for 5 years, perhaps a popup suggesting to uninstall.
 
How about the biggest ransomware attack, which is still underway without any signs of abating.

Talking of course Windows10 Ransomware. Oh wait M$ is the main culprit here... what a coincidence...
 
Don't be naive. This wasn't a mistake by Microsoft but by the NSA - the "flaw" is a simple backdoor (and it's dragging all the way back to Windows XP, even though Vista and newer versions all feature a different kernel) that was exploited by the NSA for years - when the tools leaked it was just a matter of time. There is no doubt in my mind that all major software developers are required to make those kinds of "backdoors" for the NSA, CIA, FBI etc. How the NSA got hacked (or more probably - it was an Edward Snowden-like leak) is another topic..
 