Ride the Lightning

Cybersecurity and Future of Law Practice Blog
by Sharon D. Nelson Esq., President of Sensei Enterprises, Inc.

WannaCry: Unpatched Windows 7 Systems Most Impacted

May 30, 2017

It doesn't seem fair really. XP got all the publicity and it turned out WannaCry couldn't remotely infect XP nearly as effectively (if at all) as Windows 7.

As SC Media reported, it is still a bad idea to use XP. It's no longer supported, has a long history of being exploited, and the latest versions of Windows are far more secure. But somehow, XP was made a scapegoat when so many more Windows 7 computers were infected because they hadn't been patched against the Windows SMB vulnerability that WannaCry exploited.

Like countless attacks before it, WannaCry had no trouble spreading because so many unpatched systems had their port 445 open to the outside. Once again, if I had a dollar for every time "failure to patch" was at fault, I would be wealthy beyond imagination.

WannaCry spread because of a vulnerability in the Windows Server Message Block (SMB) service, which Windows computers use to share files and printers across local networks. It's the same type of old-school vulnerability that allowed worms like Slammer and Conficker to spread around the globe more than a decade ago.

Microsoft addressed the issue in its MS17-010 bulletin in March, but companies using older, no-longer-supported versions of the operating system wouldn't have seen it unless they were signed up for custom support, Microsoft's special extended – and paid-for – support.

Microsoft has begun phasing out Windows 7, though it continues to offer limited extended support options for business customers. Windows 7 Service Pack 1 will expire in two and a half years' time, on January 14, 2020. Even so, Windows 7 remains in heavy use and, as the WannaCry outbreak demonstrated, many of those systems are not getting patched in a timely manner.

The equation is simple: Unpatched Windows 7 + port 445 open = trouble. Once a single device was compromised, the attack spread like wildfire.

During its investigation, SophosLabs confirmed that the systems most at risk in the attack had been running unpatched versions of SMB on Windows 7. That's why the usual advice is not to leave port 445 open to the outside.

During testing, SophosLabs found that XP wasn't the effective conduit for infection via the EternalBlue SMB exploit that many thought it was, while Windows 7 was easily infected. The research showed that WannaCry ransomware can affect XP computers – but not via the SMB worm mechanism, which was the major propagation vector for WannaCry.

Various security companies arrived at a similar conclusion, putting the infection rate among Windows 7 computers at between 65% and 95%. SophosLabs puts that number even higher – its analysis of endpoint data for the three days that followed the outbreak showed that Windows 7 accounted for nearly 98% of infected computers.

That percentage came as a surprise, since XP was almost universally cited as the exploited operating system. Microsoft even took the highly unusual step of making a security update for platforms in custom support (such as Windows XP) available to everyone.

SophosLabs offered some possibilities explaining why XP was harder to infect, but acknowledges that it – and others – are not yet fully confident in their theories.

But no matter. The lesson is patch, patch, patch, but there are caveats. Some IT personnel hold back some patches because they need to tweak their systems for compatibility. Otherwise, they risk deploying a patch that breaks other programs. Meanwhile, some organizations have continued to use old versions of Windows because they lack the financial and human resources to upgrade or their legacy systems aren't yet equipped to work with Windows 10 or other modern operating systems.

The best advice is still for organizations to keep their patching up to date and to use current versions of Windows. Or, if you must continue using older versions for compatibility reasons, sign up for Microsoft custom support so you continue to receive security updates. Equally important? Set your firewalls to block access to port 445. If you haven't checked on whether this has been done, now would be an excellent time.
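For those who want to do that check now, here is an added example (my own script, not anything from Sophos or Microsoft) that audits a Windows 7 host for exactly the two conditions above: the MS17-010 fix missing and TCP 445 listening without a blocking firewall rule. It assumes an elevated PowerShell session on Windows 7 SP1, and the two KB numbers are my assumption for the March 2017 MS17-010 packages, so verify them against the bulletin for your build.

```powershell
# Added example, not code from the original post: audit a Windows 7 SP1 host for
# the combination the post warns about ("unpatched Windows 7 + port 445 open") and,
# with -BlockPort445, add a host-firewall rule blocking inbound TCP 445 on the
# Public profile. Assumes an elevated PowerShell session (2.0 or later) on Windows 7.
param([switch]$BlockPort445)

# Assumption: the March 2017 MS17-010 packages for Windows 7 SP1 (security-only
# and monthly rollup). Later monthly rollups also carry the fix, so "not found"
# means "go and verify against the bulletin", not "definitely vulnerable".
$Ms17010Kbs = @('KB4012212', 'KB4012215')

function Test-Ms17010Installed {
    $installed = Get-HotFix | ForEach-Object { $_.HotFixID }
    return [bool]($Ms17010Kbs | Where-Object { $installed -contains $_ })
}

function Test-Smb445Listening {
    # netstat rather than Get-NetTCPConnection, which Windows 7 does not have
    $lines = netstat -an | Select-String -Pattern '^\s*TCP\s+\S+:445\s+\S+\s+LISTENING'
    return ($lines | Measure-Object).Count -gt 0
}

function Test-Block445Rule {
    # netsh prints one block of "Key: value" lines per rule; look for an enabled
    # inbound rule whose action is Block and whose local port is 445
    $text = (netsh advfirewall firewall show rule name=all) -join "`n"
    foreach ($block in ($text -split 'Rule Name:')) {
        if ($block -match 'Enabled:\s+Yes' -and $block -match 'Direction:\s+In' -and
            $block -match 'Action:\s+Block' -and $block -match 'LocalPort:\s+445(\s|,|$)') {
            return $true
        }
    }
    return $false
}

function Add-Block445Rule {
    # Public profile only: blocking 445 on Domain/Private also breaks LAN file sharing
    netsh advfirewall firewall add rule name="Block inbound SMB (TCP 445) - Public" `
        dir=in action=block protocol=TCP localport=445 profile=public | Out-Null
}

$report = New-Object PSObject -Property @{
    Ms17010Installed  = Test-Ms17010Installed
    Port445Listening  = Test-Smb445Listening
    Inbound445Blocked = Test-Block445Rule
}
if ($BlockPort445 -and -not $report.Inbound445Blocked) {
    Add-Block445Rule
    $report.Inbound445Blocked = Test-Block445Rule
}
$report | Format-List
if (-not $report.Ms17010Installed -and $report.Port445Listening -and -not $report.Inbound445Blocked) {
    Write-Warning 'Unpatched and 445 reachable: this is the combination WannaCry exploited.'
}
```

The host rule is a backstop, not a substitute for the perimeter firewall rule the post recommends, and it should be paired with a check that the edge device also drops 445 from the Internet.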
