Microsoft releases security update for Windows XP to block WannaCrypt attacks

Martin Brinkmann
May 13, 2017
Updated • May 15, 2017
Windows

Microsoft has released security updates for several unsupported versions of Microsoft Windows, including Windows XP, to block WannaCrypt ransomware attacks.

The ransomware WannaCrypt has been making the rounds in May 2017: it infects Windows machines, encrypts files, asks for a ransom, and spreads like a worm.

Microsoft published detailed information on the vulnerability on the new Malware Protection Center blog. According to the information, the attackers exploit the "recently" patched SMB EternalBlue vulnerability by sending custom packets to SMBv1 servers. Microsoft released patches for all supported versions of Windows on the March 2017 patch day.

While Microsoft did release patches for supported versions of Windows, it appears that the attackers targeted only Windows 7, Windows Server 2008 and earlier versions of Windows.

The exploit code used by WannaCrypt was designed to work only against unpatched Windows 7 and Windows Server 2008 (or earlier OS) systems, so Windows 10 PCs are not affected by this attack.

In a surprising move, Microsoft released security patches for unsupported versions of the Windows operating system that patch the SMB vulnerability on devices running these versions of Windows as well.

Security Bulletin MS17-010 describes the security update that you may apply to unsupported versions of Windows as well now.

This security update resolves vulnerabilities in Microsoft Windows. The most severe of the vulnerabilities could allow remote code execution if an attacker sends specially crafted messages to a Microsoft Server Message Block 1.0 (SMBv1) server.

Microsoft has not found evidence of the entry vector, but thinks the following two scenarios are highly possible:

  • Arrival through social engineering emails designed to trick users to run the malware and activate the worm-spreading functionality with the SMB exploit
  • Infection through SMB exploit when an unpatched computer can be addressed in other infected machines

Microsoft released security updates for the following versions of Windows:

  • Windows XP, Windows Vista, Windows 8
  • Windows Server 2003, 2008, Windows XP Embedded

Administrators and users may download updates for affected operating systems from the Microsoft Update Catalog. Another option that administrators have is to disable the SMB functionality on machines to block exploits from targeting these systems successfully.
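
As an added example (not from the original article or from Microsoft's guidance), the following read-only PowerShell function reports whether a machine still accepts SMBv1 and whether an MS17-010 update is recorded as installed. The function name `Get-Smb1Exposure` and its `-PatchKb` parameter are hypothetical; the registry locations are the ones Microsoft documents for enabling and disabling SMBv1.

```powershell
# Added example: read-only audit of the SMBv1 mitigation and the MS17-010 update.
# Get-Smb1Exposure and -PatchKb are hypothetical names chosen for this example.
function Get-Smb1Exposure {
    param(
        # KB ids that count as "patched". KB4012598 is the update for the
        # out-of-support Windows versions; for other versions pass the KB ids
        # listed for that OS in Security Bulletin MS17-010.
        [string[]]$PatchKb = @('KB4012598')
    )

    $services = 'HKLM:\SYSTEM\CurrentControlSet\Services'

    # SMB server side: the SMB1 value (0 = disabled, 1 = enabled).
    # A missing value is treated as the default, which is enabled.
    $params = Get-ItemProperty -Path "$services\LanmanServer\Parameters" -ErrorAction SilentlyContinue
    $smb1 = if ($params) { $params.PSObject.Properties['SMB1'] }
    $serverSmb1Enabled = if ($smb1) { [int]$smb1.Value -ne 0 } else { $true }

    # The setting only matters if the Server service is actually running.
    $server = Get-Service -Name LanmanServer -ErrorAction SilentlyContinue
    $serverRunning = [bool]($server -and $server.Status -eq 'Running')

    # SMB client side: "sc.exe config mrxsmb10 start= disabled" sets Start to 4.
    # No mrxsmb10 key at all means the SMBv1 client driver is not installed.
    $driver = Get-ItemProperty -Path "$services\mrxsmb10" -ErrorAction SilentlyContinue
    $clientSmb1Enabled = [bool]($driver -and $driver.Start -ne 4)

    # Installed updates. A later cumulative update can supersede these ids, so
    # "not found" means "verify by hand", not "definitely unpatched".
    $found = @(Get-HotFix -ErrorAction SilentlyContinue |
        Where-Object { $PatchKb -contains $_.HotFixID } |
        ForEach-Object { $_.HotFixID })

    # Listening for SMBv1 with no matching update recorded: look at this first.
    $needsAttention = $serverRunning -and $serverSmb1Enabled -and ($found.Count -eq 0)

    New-Object PSObject -Property @{
        ComputerName         = $env:COMPUTERNAME
        ServerServiceRunning = $serverRunning
        ServerSmb1Enabled    = $serverSmb1Enabled
        ClientSmb1Enabled    = $clientSmb1Enabled
        PatchKbFound         = ($found -join ', ')
        NeedsAttention       = $needsAttention
    } | Select-Object ComputerName, ServerServiceRunning, ServerSmb1Enabled,
                      ClientSmb1Enabled, PatchKbFound, NeedsAttention
}

# Report for the local machine; nothing is changed.
Get-Smb1Exposure | Format-List
```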

Unsupported versions of Windows have a sizable market share still. While stats are not 100% accurate, Net Market Share sees Windows XP at a market share of about 7% in April 2017, and Vista at about 0.70%. This means that every 14th or so device runs an unsupported client version of Windows. It is unclear what the situation looks like for Server operating systems.

Still, Microsoft's release of the patch ensures that companies, and home users, may patch their devices to protect them against the attack. One effect of patching systems is that this will also prevent the security threat from spreading faster or further.

We also know that some of our customers are running versions of Windows that no longer receive mainstream support. That means those customers will not have received the above mentioned Security Update released in March. Given the potential impact to customers and their businesses, we made the decision to make the Security Update for platforms in custom support only, Windows XP, Windows 8, and Windows Server 2003, broadly available for download.

Now You: Are your devices patched? What's your take on Microsoft releasing patches for unsupported Windows editions?


Comments

  1. Anonymous said on October 19, 2021 at 11:17 am

    Wasn’t there a patch for Windows XP?

  2. Sanj said on June 1, 2017 at 6:22 am

    The MS update site provided for the fix is not working for Windows Vista

  3. Mark said on May 30, 2017 at 2:04 pm

    LOL, the MS update site you listed for the security fixes is not secure.
    http ://www .catalog .update.microsoft. com/….

  4. wonton said on May 16, 2017 at 1:21 am

    Maybe Microsoft helped a 3rd party to make this ransomware to cause mass hysteria so they can promote Windows 10 and watch people jump to upgrade to Windows 10. It would be perfect marketing; they do other very shady things, why not this?

  5. Jim Cone said on May 15, 2017 at 4:53 pm

    Re: microsoft ransomware fix for Windows XP

    For what it is worth…
    Installed the fix yesterday (May 14, 2017) and this morning (May 15, 2017) could not access the internet using Firefox.
    Frontier Communications was no help.
    Did a system restore to just prior to the install and now have internet access.

    Thank you Microsoft – the cynic in me is wondering…

    1. AnorKnee Merce said on May 15, 2017 at 5:26 pm

      @ Jim Cone

      Besides the Firefox problem, other Win XP users have also reported that their USB 2.0 ports stopped working after applying the WannaCry ransomware fix. Only a System Restore could recover USB functionality. Seems the update could not be uninstalled.

  6. AnorKnee Merce said on May 15, 2017 at 2:48 pm

    http(semi colon)//www(dot)globaltimes(dot)cn/content/1046920.shtml

    Title of news article; ……. “Beijing braces for WannaCry 2.0” (21 hours ago)

    China was hit pretty hard.

  7. wyxchari said on May 14, 2017 at 11:23 pm

    I have Windows XP hack posready and download updates every month until 2019.

  8. James said on May 14, 2017 at 9:33 pm

    What if you have both “Server” and “Workstation” services disabled on Windows 7 Pro, have disabled all the “advanced sharing settings” and from Network Card Adapter Settings don’t have client for microsoft networks/File and Printer sharing for MS enabled ??

    Do you still need to do:

    1. How to enable or disable SMB protocols on the SMB server
    To enable or disable SMBv1 on the SMB server, configure the following registry key:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
    Registry entry: SMB1
    REG_DWORD: 0 = Disabled
    REG_DWORD: 1 = Enabled
    Default: 1 = Enabled

    2. How to enable or disable SMB protocols on the SMB client
    To disable SMBv1 on the SMB client, run the following commands:
    sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi
    sc.exe config mrxsmb10 start= disabled

  9. John in Mtl said on May 14, 2017 at 7:02 pm

    @ Tau May 14, 2017 at 4:23 pm # wrote:
    “… the latest version of Common Sense.”

    Now that’s a patch many, many, many people should apply -:)

  10. quick question said on May 14, 2017 at 6:41 pm

    question: can ransomware find drives without drive letters? Since they only go after files with certain extensions, it implies a search accessible drive. Temporarily removing the drive letter for backup areas a quick inoculation?

    1. umpalumpa said on May 16, 2017 at 4:26 pm

      Without letter you should be fine. Just don’t mount it to folder :)

      Or you can have backups on disk in VHD file with exe extension :D

  11. Tau said on May 14, 2017 at 4:23 pm

    Daily reminder security patches are necessary, you can select what you don’t want such as telemetry and other w10 BS. Something as massive and as unaudited openly as the windows source code contains and will be forever subject to security vulnerabilities because of its nature. Antivirus software and the like only causes more problems increasing attack surface. EMET applies some exploit prevention measures available in 10 to W7 but it is not sufficient, a properly configured firewall, a good permission system (UAC also), a properly tweaked and patched 7 and a good browser with security addons will be a relatively reliable machine for daily usage, given the user is using the latest version of Common Sense.

  12. Nebulus said on May 14, 2017 at 12:50 pm

    People should understand that an unpatched Win 10 is as dangerous as using XP (which is unpatched because it is not supported anymore). So using the latest OS alone is not enough to be secure.

    Also, using a properly configured firewall in WinXP would be enough to mitigate the SMB flaw without the need for a patch. Of course, the same can be said for the more recent operating systems as well.

  13. Heimen Stoffels said on May 14, 2017 at 10:44 am

    LOL. So security experts and even the UK gov have really, really warned people, hospitals and companies to do away with those XP computers and here MS releases an update for XP. Now that warning doesn’t really feel like a warning anymore ’cause they can just go ahead and keep using XP now…

    1. 420 said on May 14, 2017 at 11:08 am

      I would suspect that MS patched because it was affecting hospitals and such. If it were just lowly users, they could care less.

      1. jern said on May 16, 2017 at 4:55 am

        @Corky

        Microsoft President Slams NSA For Massive Ransomware Attack
        =============================
        “Repeatedly, exploits in the hands of governments have leaked into the public domain and caused widespread damage,” Smith wrote. “An equivalent scenario with conventional weapons would be the U.S. military having some of its Tomahawk missiles stolen. … The governments of the world should treat this attack as a wake-up call. They need to take a different approach and adhere in cyberspace to the same rules applied to weapons in the physical world.”

        Source…
        http://www.huffingtonpost.com/entry/microsoft-blames-nsa-ransomware-attack_us_5919af2fe4b0fe039b3617ae?n6b&ncid=inblnkushpmg00000009

      2. Corky said on May 15, 2017 at 11:02 am

        @jern, The details in the wording, yes it was reported that 90% of hospital trusts were still running WinXP but all that means is 90% of hospital trusts had at least one machine running WinXP, that one, or more, XP machine could be air gapped for all we know, without details it’s difficult to know how bad a headline figure of 90% actually is.

        Also yes the UK government paid extra for custom support however in an effort to save costs the health secretary cut the contract short and told NHS trusts that they’d need to pay for it out of their own budgets, given the choice between patient care or upgrading systems many cash strapped trusts chose patient care.

        Ultimately though the blame for this lies with the security service as they chose to hoard zero day exploits instead of notifying software developers so it could be fixed.

      3. jern said on May 14, 2017 at 7:35 pm

        ZDNet published an article in Dec. 2016 that said 90% of hospital trusts were still running WinXP. However, it’s possible some of them are paying for custom support from MS.

        That’s one situation where I would definitely argue for an upgrade.

  14. ilev said on May 14, 2017 at 8:43 am

    So Microsoft patched Windows after the horses have bolted while the NSA used this hack for years hacking tens of millions security-holed Windows PCs?

    1. Corky said on May 14, 2017 at 10:57 am

      Microsoft patched the vulnerability pretty quickly TBH, if anything the blame lies squarely with the NSA as despite rules (maybe a law) being put in place that forced them to practice responsible disclosure they’ve been hoarding zero-day exploits so they can weaponise them instead of informing companies about vulnerabilities so they can be patched before becoming public knowledge.

      It’s a pretty damning indictment for allowing government agencies control over these sorts of things IMO, no matter how benign these agencies may be towards law abiding citizens they can’t guarantee their tools won’t fall into the hands of nefarious actors.

      1. Corky said on May 16, 2017 at 5:38 pm

        @AnorKnee Merce, You really need to take off your tinfoil hat and STOP replacing : and . for words.

        Obama didn’t spy on Trump you numpty and that you even think that he did shows you don’t understand any of the details on how the security services collect data or the legalities of it, stop listening to what other people are telling you and do your own research and form your own opinions.

        Like I said before, there’s a world of difference between Microsoft working with the NSA and hoarding zero-day exploits with or without the knowledge of Microsoft.

      2. AnorKnee Merce said on May 16, 2017 at 4:02 pm

        @ Corky

        https(semi colon)//steemit(dot)com/shadowbrokers/@theshadowbrokers/oh-lordy-comey-wanna-cry-edition
        (8 hours ago)

        “Despite what scumbag Microsoft Lawyer is wanting the peoples to be believing Microsoft is being BFF with theequationgroup. Microsoft and theequationgroup is having very very large enterprise contracts millions or billions of USD each year. TheEquationGroup is having spies inside Microsoft and other U.S. technology companies. Unwitting HUMINT. TheEquationGroup is having former employees working in high up security jobs at U.S. Technology companies. Witting HUMINT. Russian, China, Iran, Israel intelligence all doing same at global tech companies. TheShadowBrokers is thinking Google Project Zero is having some former TheEquationGroup member. Project Zero recently releasing “Wormable Zero-Day” Microsoft patching in record time, knowing it was coming? coincidence?”

      3. AnorKnee Merce said on May 16, 2017 at 8:52 am

        @ Corky

        There is a saying, “Action speaks louder than words”, ie no need for written evidence/proof.

        The various acts by M$ in recent times are evidence that M$ are a malevolent actor against Windows users’ privacy(eg forced Telemetry in Win 10), including against Windows users targeted by the NSA.
        ……. The NSA/FBI/CIA, while still under Obama, were even able to spy on the Trump Tower’s digital communications during the 2016 Presidential campaign, and were then able to force President Trump’s newly appointed NSA director Michael Flynn to resign by leaking and unmasking the intercepted digital communications to the liberal press.

      4. Corky said on May 16, 2017 at 8:22 am

        @Don, Yea because you can really stop jerks being jerks can’t you, fact is if you don’t want people to act like jerks then don’t give them the opportunity or tools to behave in such a manner.

        I find it frankly hilarious that people are blaming anyone other than our own security services, if our governments developed a deadly biological weapon and accidentally let it fall into the wrong hands would you blame the ne’er do wells who used it to kill people, would you blame the dead people for not defending themselves, or would you blame the government who kept it secret, allowed it to be stolen, and didn’t bother protecting society from such a deadly biological weapon.

      5. Don said on May 15, 2017 at 11:28 pm

        The blame for the encrypted computers belongs squarely at the jerks deploying the ransomware.

        Of course, there’s lots of blame to go around for giving the jerks the opportunity to deploy the ransomware: Microsoft for buggy software, the NSA for not reporting, corporate decision makers and individual users for not upgrading, and the developers of the ransomware.

      6. Corky said on May 15, 2017 at 7:25 pm

        @AnorKnee Merce, There’s a world of difference between Microsoft working with the NSA and hoarding zero-day exploits with or without the knowledge of Microsoft, Microsoft cares a great deal for its reputation and it would be highly unusual for them to have knowledge of this vulnerability without fixing it.

        Also it’s not at all strange that Microsoft patched many of the leaked exploits before the Shadow Brokers released them, Hitchens’s razor says the burden of proof regarding the truthfulness of a claim lies with the one who makes the claim so unless there’s some evidence to show collusion to keep the vulnerability secret then we assume it could be for many other possible reasons.

        Finally I’ve said this to you before but can you stop replacing : and . for words, you can post URLs directly.

      7. AnorKnee Merce said on May 15, 2017 at 5:16 pm

        @ Corky

        For all we know, the outbreak of the WannaCry ransomware infection is the aftermath of the collaboration between M$ and the NSA, as per this link …….
        http(semi colon)//www(dot)independent(dot)co(dot)uk/news/edward-snowden-claims-microsoft-collaborated-with-nsa-and-fbi-to-allow-access-to-user-data-8705755.html (dated 12 July 2013)
        ……. So happen, the NSA hacking tools were hacked/stolen by Shadow Brokers in 2013.

        If M$ were collaborating with the NSA, M$ would have intentionally handed the Windows exploits, eg the Eternalblue/SMBv1 vulnerability, over to the NSA for their spying purposes. So, with the info revealed by Edward Snowden in 2013, the Shadow Brokers “hacktivists” got into the action by hacking the NSA specifically for M$’s Windows exploits.

        Isn’t it strange that M$ had already issued patches for the Eternalblue/SMBv1 vulnerability(MS17-010) in March 2017 BEFORE the vulnerability was publicly leaked by Shadow Brokers in April 2017.?
        ……. Maybe M$ have prophetic powers.

      8. Corky said on May 15, 2017 at 3:20 pm

        @AnorKnee Merce, I understand wanting to blame Microsoft as I’m not one to sing their praises however in this instance I don’t see they’re to blame, operating systems are some of the most complex pieces of code in existence and it’s almost impossible for vulnerabilities not to exist, even the simplest of programs like 7-zip have exploits.

        Make no mistake that the blame for this lies solely with the NSA as instead of following the Vulnerability Equities Process (VEP) introduced by the Obama administration which requires all government agencies to share discovered vulnerabilities with vendors unless they can successfully argue for a temporary stay, instead of doing that they kept hold of it for some considerable time so they could use it to spy on people.

      9. AnorKnee Merce said on May 15, 2017 at 2:31 pm

        @ Corky

        The actual blame should lie with M$ for making an OS that is full of holes/vulnerabilities. The private Italian company Hacking Team, are selling a number of zero-day Windows exploits, which are mostly bought by government spy agencies.

  15. paul said on May 14, 2017 at 8:35 am

    I think I’ll carry on with frequent system backups using macrium than use any patches from m$.

  16. Anonymous said on May 14, 2017 at 7:59 am

    Microsoft do not want to give me the access of its Microsoft Update Catalog:

    ” To obtain updates from this website, scripting must be enabled.
    To use this site to find and download updates, you need to change your security settings to allow ActiveX controls and active scripting. To get updates but allow your security settings to continue blocking potentially harmful ActiveX controls and scripting from other sites, make this site a trusted website:
    In Internet Explorer, click Tools, and then click Internet Options. On the Security tab, click the Trusted Sites icon. Click Sites and then add these website addresses one at a time to the list: You can only add one address at a time and you must click Add after each one:
    http://*.update.microsoft.com https://*.update.microsoft.com http://download.windowsupdate.com
    Note: You might have to uncheck the Require server verification (https:) for all sites in the zone option to enter all the addresses. ”

    Mouarf.

  17. Billy Bob Bobston said on May 14, 2017 at 6:47 am

    This is why Windows should not have certain features enabled by default – SMB is a perfect example. People often ask me why I consider most Linux based operating systems to be more secure? THIS is why.

    Also, what the hell is with these major corporations still using Windows XP? What exactly did these people expect was going to happen after years of being abandoned?

    1. Tim said on May 14, 2017 at 1:01 pm

      @ Billy Bob Bobson

      The problem Microsoft face is turning it off breaks things. See this thread for the inside thinking behind it:

      https://twitter.com/NerdPyle/status/863520227576791040

      “Correct. SMB1 is still used in 12% of all SMB conversations even in W10. When it’s off in the next release it will cause a lot of pain. In that release it will be removed by default and require manual reenabling. You’ve thought about this for a few minutes. I’ve thought about it for a long time. There are many things to consider at this scale. Like I said, you can’t just turn off HTTP even though it’s the right thing to do. Deprecation on a billion computers takes care. It’s [SMB] completely deprecated. The timeline of 100% removal will be clearer once we see how the default removal in w10 goes. That will be the forcing function for vendors to stop requiring: Linux, NAS, printers, etc. That’s the irony: Windows has not used or needed SMB1 for 10 years. The usage is mostly from Linux systems and firmware. For instance, RHEL requires it through 6.x. Does not in 7. The success of Linux in the soho/consumer market is the inexpensive appliance market. Unscrupulous vendors found a common denominator: SMB1”

      1. Corky said on May 14, 2017 at 3:27 pm

        @Tim, I have to say Ned Pyle is being very disingenuous when he claims the usage is mostly from Linux systems and firmware, the only reason Linux used it in the first place is because Microsoft chose to use a proprietary networked file system.

        You can’t blame others for using your proprietary technology and then point the finger of blame years later because people are still using it despite you having abandoned it, that’s part of the problem of proprietary technology, just because you’re no longer developing it doesn’t mean people are, or even can, stop using it.

    2. Corky said on May 14, 2017 at 10:42 am

      Ain’t that the truth, Microsoft’s approach of throwing everything into an OS and enabling it all is deeply flawed and puts customers at risk for the sake of simplicity.

      Also the reason many major corporations still use Windows XP is simply down to money, some legacy software doesn’t play well with newer versions of Windows and unfortunately if something is currently working it’s difficult to make a case for spending money on replacing it, it’s like how more often than not people won’t spend money on a burglar alarm until after they’ve been burgled.

    3. Alan Schuh said on May 14, 2017 at 8:48 am

      A large number of government (all levels) computers still use XP, as upgrading requires new hardware and of course new software, an expensive undertaking. Also, a very large number of ATMs and POS terminals use an XP embedded version.

      And, my 85 year old Mother uses XP, because she likes it.

    4. Steve_C said on May 14, 2017 at 7:58 am

      “What exactly did these people expect was going to happen after years of being abandoned?”

      My experience of the corporations you write of, is not the same as many people’s imagining of organisations which appears to be of entities that just lay on the latest and greatest for their employees!! The actual ‘executives’ know it to be quite different – as do any employees who have the guts to not bow down.
      The executives of today largely expect the workforce/lackeys/drones to ‘make do’ with lacklustre hardware provided by contractors who only desire maximising their margins at the expense of a corporation that pays more attention to its highly paid consultants than it does to the poor sods who they employ to actually use the stuff to produce the goods/services they’re expected to churn out at ever more efficient levels. As for the software?!! Let’s not even deign to go there.

      From my perspective of witnessing decades of business/corporate behaviour; it’s just entropy manifesting itself. We’ve had more decades of peace, security and advanced human endeavour than the planet has ever seen – all driven by those with competence and leadership qualities who weren’t culled by WWII and to a lesser extent, Korea and Vietnam… and now; their less competent offspring/successors get to run the show.

      It’s just that they’re running the show into the dirt. If I was you, I wouldn’t be so surprised. It’s natural that the incompetent outnumber the competent! It’s no secret that only a very small percentage of people have ‘superior’ intelligence, let alone moral values and integrity! The truth is that the myths we’ve created for ourselves about “corporations” and “business” – or their leaders/executives/boards/management are nothing more than hollow fantasies worthy only of derision and lampooning… well; it’s possible Elon Musk might be an exception there, but I wonder about that even, given he can’t imagine a self driving model 3 getting trashed by someone who ‘rents’ it after it’s dropped its owner off to work. Even he presents the picture of “goodness and light” that’s so saccharine it verges on the stomach churning – but watch how it gets lapped up!!!

      This whole “let’s hold hands and sing Kumbaya as we recognise how wonderful everything is before we go off to do what we’re told by our betters” bollocks needs tearing down! We’re being conned by flim-flam merchants and snake oil salesmen who pretend they have “our” interests at heart as long as we give them total support.

      I guess; in the end, we all get what we deserve – even if it is up our rear ends…

  18. Graham said on May 14, 2017 at 4:25 am

    Okay, it affects Windows 8. What about 8.1, though? It’s not quite clear.

    1. TelV said on May 14, 2017 at 9:16 pm

      Graham,

      As an added precaution remove the checkmark from “SMB 1.0/CIFS File Sharing Support” which you’ll find on the menu called “Turn Windows features On and Off”. The link to that can be found by doing the following:

      1. Hit Windows key + X to launch the Power Users menu.
      2. At the top, click “Programs and Features”.
      3. In the Programs and Features menu on the left near the top, click “Turn Windows features On and Off”.
      4. Remove the checkmark from “SMB 1.0/CIFS File Sharing Support” and click OK.
      5. Reboot.

      I have Windows 8.1 myself so fire away if you have any questions.

    2. Corky said on May 14, 2017 at 10:33 am

      @Graham, It affects all versions of Windows including 8.1, most systems running 8.1 should have received the patch as part of March’s security & quality patch release.

      If for some reason you can’t install the patches you can still temporarily disable SMB by following this guide from Microsoft.
      https://support.microsoft.com/en-us/help/2696547/how-to-enable-and-disable-smbv1,-smbv2,-and-smbv3-in-windows-vista,-windows-server-2008,-windows-7,-windows-server-2008-r2,-windows-8,-and-windows-server-2012

    3. Steve_C said on May 14, 2017 at 7:24 am

      Graham… it does NOT affect 8.1.

      Versions of Windows that receive security updates include 10, 7 and 8.1.

      If you’ve got Windows Vista, XP, ME, 98, 95, 3.11, 3.1, 3.0, 2.0 or 1.0 still running on your hardware, it will be susceptible and unsupported with security updates.

      Of course, that may change almost the instant that I type it, given how quickly announcements about support or the lack thereof seem to appear from these corporations faster than a genie from a freshly rubbed lamp – and not just Microsoft either… but; as of a couple of seconds ago, Microsoft’s site stated that security update support continues for Windows versions 7, 8.1 and 10.

      Besides, anyone who had 8 and didn’t upgrade to 8.1 – given it was FREE, i.e. “Gratis!!” and an improvement even the most unshifting of Windows haters even conceded was ‘better’ has reasoning that I fail to see any sense behind (and 8.1 provided a step to getting Windows10 for free as well!!)… but then I take another short look at my fellow human beings and realise there’s nothing that should amaze me anymore.

  19. P said on May 14, 2017 at 2:30 am

    I’m a M$ h8r since August of 2012 but Kudos MS!

  20. LuckyJoe said on May 14, 2017 at 1:44 am

    It’s a Major Critical Security Risk, so props to them patching up their OS’s.

  21. kanade said on May 14, 2017 at 1:42 am

    Is it necessary to disable SMBv1 on top of applying March security patch?

    1. AnorKnee Merce said on May 15, 2017 at 2:14 pm

      @ kanade

      Not necessary.

  22. Anonymous said on May 13, 2017 at 11:08 pm

    No, my three Win 7 Pro machines remain unpatched since October of last year. I rely on HitmanPro Alert, Webroot, browser extensions, plus changes to Cyberfox config. I think I would be more inclined to trust the creators of “WannaCry” than MS.
    Almost makes me wanna cry.

    1. Tau said on May 14, 2017 at 4:16 pm

      That’s risky. Antivirus software and the like only increases the attack surface already significant enough of an unpatched windows 7, as they have been for years. I don’t like updates either, but if you select them avoiding the w10 and telemetry stuff, they are *THAT* very important, more than that software. A properly configured windows firewall is also a good protection.

  23. flyli5411 said on May 13, 2017 at 9:29 pm

    From Bitdefender
    Good to see Microsoft patch up systems
    Unlike other ransomware families, the WannaCry strain does not spread via infected e-mails or infected links. Instead, it takes advantage of a security hole in most Windows versions to automatically execute itself on the victim PC. According to various reports, this attack avenue has been developed by the National Security Agency (NSA) in the US as a cyber-weapon and it was leaked to the public earlier in April along with other classified data allegedly stolen from the agency.

    Until now, a number of hospitals, telecom companies or gas and utilities plants have suffered massive disruptions caused by data being held at ransom.

    As this ongoing outbreak is affecting countless computer users around the world, we are actively working on a free decryption tool to help victims recover their information without paying the ransom. Make sure to follow us on Twitter and Facebook to be notified when it becomes available.

  24. mike1354@gmail.com said on May 13, 2017 at 9:28 pm

    From Bitdefender

    Unlike other ransomware families, the WannaCry strain does not spread via infected e-mails or infected links. Instead, it takes advantage of a security hole in most Windows versions to automatically execute itself on the victim PC. According to various reports, this attack avenue has been developed by the National Security Agency (NSA) in the US as a cyber-weapon and it was leaked to the public earlier in April along with other classified data allegedly stolen from the agency.

    Until now, a number of hospitals, telecom companies or gas and utilities plants have suffered massive disruptions caused by data being held at ransom.

    As this ongoing outbreak is affecting countless computer users around the world, we are actively working on a free decryption tool to help victims recover their information without paying the ransom. Make sure to follow us on Twitter and Facebook to be notified when it becomes available.

    Good for Microsoft to patch up systems

    1. Harushi said on May 14, 2017 at 3:25 pm
      Reply

      NSA, American again …

  25. Tom Hawack said on May 13, 2017 at 8:53 pm
    Reply

    I read, “Another option that administrators have is to disable the SMB functionality on machines to block exploits from targeting these systems successfully.” I’m interested in this alternative because I haven’t updated Windows since October 2016. I’m wondering how exactly to proceed.

    I’m afraid my technical ignorance is flagrant.

    I read at http://kb.bodhost.com/steps-to-enable-and-disable-smbv1-smbv2-and-smbv3-in-windows-servers/ :

    “The following post shows detailed steps to enable and disable the Server Message Block (SMB) versions SMBv1, SMBv2 & SMBv3 on the SMB server and SMB client.”

    I’m running Windows 7 SP1, workstation, no server. Can anyone deploy a helpin’ hand or point towards a source for beginners? Thanks ;)

    1. Tom Hawack said on May 14, 2017 at 12:22 pm
      Reply

      @Yuliya, many thanks. Makes it clear now; client/server is confusing for me when I thought that Windows 7 appeared only as a client. I’ll proceed with the steps you kindly stated. I imagine a reboot is required. No problem with the Registry but your notepad ready .reg lines are appreciated.

      @justakiwi, thanks for the Reddit link. Bookmarked and on my way to read it attentively.

      1. Tom Hawack said on May 15, 2017 at 6:49 pm
        Reply

        @AnorKnee Merce, thanks for the valuable info. I’m running Win7.
        I’ve read on CERT-FR that “disabling the SMBv1 may be a plus but shouldn’t replace installing the security release update [KB4012598.]” (approx. translation from French). So I guess I’ll install that update considering the exceptional worldwide attack.

      2. AnorKnee Merce said on May 15, 2017 at 2:06 pm
        Reply

        @ Tom H

        According to Wiki – SMB page, SMBv1 came with Win 2000 and Win XP. So, when SMBv1 is disabled, Win XP computers on the Home or Company network will not be able to use “file and printer sharing” or other shared services through port 445.

        Even Win 10 has SMBv1 because there are still companies using Win XP Embedded POS (point of sale) that has an EOL in 2019 and other companies using Win XP together with very expensive extended custom support from M$.

    2. Yuliya said on May 14, 2017 at 11:08 am
      Reply

      If my understanding is correct, you’ve got both client and server SMB protocols on both Windows 7 client (Home/Pro/Ult/Ent) and Server 2008R2

      So to disable SMB1 on Windows 7 Ultimate (in my case)

      1. How to enable or disable SMB protocols on the SMB server
      To enable or disable SMBv1 on the SMB server, configure the following registry key:
      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
      Registry entry: SMB1
      REG_DWORD: 0 = Disabled
      REG_DWORD: 1 = Enabled
      Default: 1 = Enabled

      2. How to enable or disable SMB protocols on the SMB client
      To disable SMBv1 on the SMB client, run the following commands:
      sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi
      sc.exe config mrxsmb10 start= disabled

      You must run these commands at an elevated command prompt.
      You must restart the computer after you make these changes.

      Source:
      How to enable and disable SMBv1, SMBv2, and SMBv3 in Windows and Windows Server
      [https://support.microsoft.com/en-us/help/2696547/how-to-enable-and-disable-smbv1,-smbv2,-and-smbv3-in-windows-vista,-windows-server-2008,-windows-7,-windows-server-2008-r2,-windows-8,-and-windows-server-2012]

      I did it, and it seems I disabled it. Both commands return a message something like configuration successful.

      To enable it back, delete the created registry, or set it to 1 (for server SMB1 protocol) and run the following commands (for client SMB1 protocol) with admin rights:
      To enable SMBv1 on the SMB client, run the following commands:
      sc.exe config lanmanworkstation depend= bowser/mrxsmb10/mrxsmb20/nsi
      sc.exe config mrxsmb10 start= auto

      1. Miguen Fresno said on May 14, 2017 at 8:31 pm
        Reply

        Here’s how to disable SMB 1.0 for all versions of Windows, including Windows 10 and Windows Server 2016:

        http://www.sysadmit.com/2017/05/windows-deshabilitar-smb-10.html

        Just copy-paste it.

      2. Yuliya said on May 14, 2017 at 11:28 am
        Reply

        Regarding 1. How to enable or disable SMB protocols on the SMB server
        Instead of going through regedit, paste this in Notepad and save as .reg, i.e SMB1_disable.reg, then run it:

        Windows Registry Editor Version 5.00

        [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\LanmanServer\Parameters]
        "SMB1"=dword:00000000
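
A read-only check for the server and client settings described in the comments above, added here as an example and not part of the original comments. It assumes the registry values that the two sc.exe commands write (the driver's Start value and the workstation service's DependOnService list); Get-Smb1State is a hypothetical name.

```powershell
# Added example: read-only check of the SMBv1 settings discussed above.
# Registry reads only, so it also runs on PowerShell 2.0 (Windows 7).
# Get-Smb1State is a hypothetical name chosen for this example.
function Get-Smb1State {
    $svc = 'HKLM:\SYSTEM\CurrentControlSet\Services'

    # Server: LanmanServer\Parameters\SMB1. A missing value means the default (1 = enabled).
    $p = Get-ItemProperty -Path "$svc\LanmanServer\Parameters" -ErrorAction SilentlyContinue
    $serverEnabled = ($p -eq $null) -or ($p.SMB1 -eq $null) -or ($p.SMB1 -ne 0)

    # Client: "sc.exe config mrxsmb10 start= disabled" stores Start = 4 under the driver's key.
    $d = Get-ItemProperty -Path "$svc\mrxsmb10" -ErrorAction SilentlyContinue
    if ($d -eq $null)       { $driver = 'NotInstalled' }
    elseif ($d.Start -eq 4) { $driver = 'Disabled' }
    else                    { $driver = "Enabled (Start=$($d.Start))" }

    # Client: "sc.exe config lanmanworkstation depend= ..." rewrites DependOnService.
    $w = Get-ItemProperty -Path "$svc\LanmanWorkstation" -ErrorAction SilentlyContinue
    $deps = @()
    if (($w -ne $null) -and ($null -ne $w.DependOnService)) { $deps = @($w.DependOnService) }
    $dependsOnSmb1 = $deps -contains 'mrxsmb10'   # -contains is case-insensitive

    $clientEnabled = ($driver -like 'Enabled*') -or $dependsOnSmb1

    New-Object PSObject -Property @{
        ServerSmb1Enabled    = $serverEnabled
        ClientDriver         = $driver
        WorkstationNeedsSmb1 = $dependsOnSmb1
        Smb1FullyDisabled    = (-not $serverEnabled) -and (-not $clientEnabled)
    }
}

Get-Smb1State | Format-List
```

The output reflects the stored configuration only; as the comment above notes, the changes take effect after a restart.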

  26. Tim said on May 13, 2017 at 8:41 pm
    Reply

    Is it called ‘Wannacry’ because that’s what Infosec Professionals and System Admins worldwide continuously want to do when people don’t listen to their repeated advice to migrate to newer versions of Windows and patch ASAP?

    1. Dave said on May 14, 2017 at 12:11 pm
      Reply

      I am a System Admin and do not recommend installing Windows 10. This ransomware affects Windows 10 the most so your argument is invalid.

      1. AnorKnee Merce said on May 15, 2017 at 1:55 pm
        Reply

        @ Jed & others

        The NSA hacking tools, eg the Eternalblue/SMBv1 exploit, were stolen by Shadow Brokers in 2013, ie when Win 10 was not yet released. Up to 2013, the NSA were secretly using these Windows exploits to target or spy on certain Win 8.1/7 computers or below. Hence, the recent WannaCry ransomware which adopted the Eternalblue/SMBv1 exploit, also did the same, ie did not target Win 10 computers.

        Win 10 also has SMBv1 = Win 10 is also vulnerable to this exploit. That is why M$ have also issued the MS17-010 patch for Win 10 in March 2017. IOW, the hackers can modify the WannaCry ransomware to also target unpatched Win 10 computers.

      2. system said on May 15, 2017 at 7:42 am
        Reply

        Windows 10 is not affected. Your argument (job) as System Admin is invalid.

      3. Party Cry said on May 15, 2017 at 12:50 am
        Reply

        Windows 10 was not affected.

      4. Jed said on May 14, 2017 at 9:55 pm
        Reply

        Microsoft themselves disagree with you: https://blogs.technet.microsoft.com/mmpc/2017/05/12/wannacrypt-ransomware-worm-targets-out-of-date-systems/ A fully up to date Windows 10 is protected from WannaCrypt.

  27. MdN said on May 13, 2017 at 8:00 pm
    Reply

    Yep. I had some free time so I just updated and then quickly rebooted back to Xubuntu. A nice gesture from them, though. By the way, the link for manual update is here:

    http://www.catalog.update.microsoft.com/Search.aspx?q=KB4012598&ranMID=24542&ranEAID=TnL5HPStwNw&ranSiteID=TnL5HPStwNw-a00B1Q5XRlj3SCX3J86fmg&tduid=(05f42ee2524aabd6ad722f0bd85b26b3)(256380)(2459594)(TnL5HPStwNw-a00B1Q5XRlj3SCX3J86fmg)()

    1. Barrie Brown said on May 15, 2017 at 7:21 pm
      Reply

      thanks for the link, mate!

  28. Platsch said on May 13, 2017 at 7:31 pm
    Reply

    Well, who would have thought that. Microsoft finally did something very decent. Thank you for that.
