It’s time to update XP, Windows Server 2003 despite Microsoft’s emergency patch

While Microsoft releasing a patch for unsupported versions of Windows to fix vulnerabilities that could be exploited by the hacking tools dumped by the ShadowBrokers helps organizations hanging onto legacy systems, it also makes the case for keep these systems around even longer.

Enterprises hanging on to old software years after it is no longer supported, regardless of the reason, gives attackers a security hole to exploit. Newer and more modern versions, especially operating systems, have security features that make it harder for attacks to succeed, and the fact that they are still being supported means vulnerabilities are being fixed regularly. Microsoft ended support for Windows XP in April 2014 and Windows Server 2003 in July 2015, but there are still over 100 million legacy Windows systems still in use around the world. It makes perfect sense, then, to worry about the possibility of widespread attacks against legacy systems when the ShadowBrokers revealed three hacking tools utilizing vulnerabilities in older versions of Windows in its cache of stolen hacking tools.

Microsoft believes the vulnerabilities pose “elevated risk for destructive cyber attacks” by nation-state actors, Adrienne Hall, general manager of Microsoft’s Cyber Defense Operations Center, wrote in a blog post. The company decided to release updates for all supported and unsupported versions of Windows because “applying these updates provides further protection against potential attacks with characteristics similar to WannaCrypt,” Hall wrote.

The updates for older versions of Windows, including Windows XP and Windows Server 2003, need to be applied manually and can be found in the Microsoft Download Center or the Update Catalog.

Microsoft was clearly concerned that attackers, both state-sponsored and of the cybercriminal variety, could use these hacking tools in various campaigns, similar to the way the WannaCry ransomware, which included the ExternalBlue exploit code from the ShadowBrokers dump, used its worm-like capabilities to infect thousands of companies around the world in a very short period of time. Even though WannaCry did not work against Windows XP systems (the outbreak spread by infecting unpatched Windows 7 systems), Microsoft released an emergency patch for Windows XP addressing the SMBv1 vulnerability to prevent WannaCry, or later copy-cat variants, from infecting XP systems. The disclosure of three more tools—ExplodingCan (CVE-2017-7269), EsteemAudit (CVE-2017-9073 ), and EnglishmanDentist (CVE-2017-8487)—which target vulnerabilities in older Windows versions appears to have spooked Microsoft again into releasing manual updates. Microsoft hasn’t said it has seen attacks utilizing these tools, nor has it identified concrete reasons to explain what this step was necessary this time around.

On the surface, the move smacks of a responsible company. Microsoft doesn’t owe anyone updates for unsupported software, and WannaCry didn’t target Windows XP (don’t forget, Windows 7 is still under support), but decided the potential for damage by these three tools was bad enough to warrant an emergency patch. Organizations that have been unable to move off legacy systems buy expensive extensive support systems. For example, the United States Navy paid $9 million for continued extended support, although the Pentagon and branches of the military also are moving forward with programs to move off Windows XP.

By releasing patches, Microsoft is ensuring organizations that don’t have extended support but still run Windows XP and Windows Server 2003 can protect their networks. However, it also sends a disquieting message. One of the key reasons for upgrading when software enters end-of-life is to switch to a version that is still being updated. When Microsoft bends policy, the message seems to be, “Well, if it’s really bad, we got your back.”

It creates two tiers of critical vulnerabilities: the vulnerabilities that need to be patched as soon as possible because they are under attack or can be used in attacks soon, and the really critical ones where Microsoft will make an exception to patch legacy software. Microsoft deviated from policy two months in a row to address vulnerabilities that were exposed by the ShadowBrokers, but this wasn’t unprecedented. Back in 2014, a month after Windows XP entered end-of-life, Microsoft released an emergency patch for XP’s Internet Explorer 8 to address a critical vulnerability that affected IE from versions 6 to 11.

ExplodingCan is serious because the exploit targets older versions of Microsoft’s Internet Information Services (IIS) webserver, version 6.0, in particular. Microsoft said ExplodingCan will let attackers gain remote code execution on Windows Server 2003, which has been end-of-life since July 2015, so anything still running IIS 6.0 will likely be production servers running very specific applications that cannot be easily replaced. EsteemAudit targets a vulnerability in the Windows Remote Desktop Protocol on Windows XP systems, and can be exploited if the RDP server has smart card authentication enabled.

These legacy systems are not so unusual, as they include production machinery and SCADA systems. Any kind of outage for these most-used infrastructure will pose significant problems for the organization. Security teams should be already taking additional steps to secure and monitor these vulnerable systems, such as restricting open ports and disabling unused protocols (disable SMBv1, already!), looking at third-party services for custom patches, and applying strict authentication and access control rules. The extra time and resources is the trade-off for keeping legacy systems that has to stick around.

“Our decision today to release these security updates for platforms not in extended support should not be viewed as a departure from our standard servicing policies,” Eric Doerr, general manager of the Microsoft Security Response Center, wrote in a blog post. “Based on an assessment of the current threat landscape by our security engineers, we made the decision to make updates available more broadly. As always, we recommend customers upgrade to the latest platforms. The best protection is to be on a modern, up-to-date system that incorporates the latest defense-in-depth innovations. Older systems, even if fully up-to-date, lack the latest security features and advancements.”

There isn’t currently an attack underway across unsupported versions of Windows, but the fact that it was possible highlights how important Microsoft thought it was to bend policy. There’s no guarantee that there will be another update for XP and Server 2003 systems when the next round of cyberattacks hits, but Microsoft is definitely sending out mixed messages.