{"id":3466,"date":"2017-05-13T16:40:45","date_gmt":"2017-05-13T23:40:45","guid":{"rendered":"https:\/\/kmtechblog.com\/?p=3466"},"modified":"2017-05-13T16:40:45","modified_gmt":"2017-05-13T23:40:45","slug":"microsoft-patches-windows-xp-fight-wannacrypt-attacks","status":"publish","type":"post","link":"https:\/\/kmtech.blog\/?p=3466","title":{"rendered":"Microsoft patches Windows XP to fight &#8216;WannaCrypt&#8217; attacks"},"content":{"rendered":"<p>Microsoft officially ended its support for most Windows XP computers back in 2014, but today it&#8217;s delivering one more public patch for the 16-year-old OS. As <a href=\"https:\/\/blogs.technet.microsoft.com\/msrc\/2017\/05\/12\/customer-guidance-for-wannacrypt-attacks\/\">described in a post on its Windows Security blog<\/a>, it&#8217;s taking this &#8220;highly unusual&#8221; step after customers worldwide including England&#8217;s National Health Service suffered a hit from &#8220;WannaCrypt&#8221; ransomware. Microsoft patched all of its currently supported systems to fix the flaw back in March, but now there&#8217;s an update available for unsupported systems too, including Windows XP, Windows 8 and Windows Server 2003, which you can grab <a href=\"http:\/\/www.catalog.update.microsoft.com\/Search.aspx?q=KB4012598\">here<\/a> (note: if that link isn&#8217;t working then there are direct download links available in the Security blog post).<\/p>\n<p><!--more--><\/p>\n<p>Of course, for home users, if you&#8217;re still running one of those old operating systems then yes, you should patch immediately &#8212; and follow up with an upgrade to something current. 
If you&#8217;re running a vulnerable system and can&#8217;t install the patch for some reason, Microsoft has two pieces of advice:<\/p>\n<ul>\n<li>Disable SMBv1 with the steps documented at <a href=\"https:\/\/support.microsoft.com\/kb\/2696547\">Microsoft Knowledge Base Article 2696547<\/a> and as <a href=\"https:\/\/blogs.technet.microsoft.com\/filecab\/2016\/09\/16\/stop-using-smb1\/\">recommended previously<\/a>.<\/li>\n<li>Consider adding a rule on your router or firewall to block incoming SMB traffic on port 445.<\/li>\n<\/ul>\n<p><iframe loading=\"lazy\" title=\"WannaCryptor (.WCRY) virus demonstration, removal and decryption tips\" width=\"1080\" height=\"608\" src=\"https:\/\/www.youtube.com\/embed\/wg44hFvsqyE?feature=oembed\"  allow=\"accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share\" allowfullscreen><\/iframe><\/p>\n<p>An <a href=\"https:\/\/blogs.technet.microsoft.com\/mmpc\/2017\/05\/12\/wannacrypt-ransomware-worm-targets-out-of-date-systems\/\">additional blog post<\/a> explains Microsoft&#8217;s analysis of how the malware spreads. On newer versions like Windows Vista, 7, 8.1 and 10, the March update tagged MS17-010 addresses the vulnerability it&#8217;s exploiting (that was revealed earlier this year by &#8220;The Shadow Brokers&#8221; when they leaked a stolen cache of NSA tools). While it&#8217;s not confirmed how the initial infections occurred, it&#8217;s believed the trojan horse was spread by email phishing links that drop the &#8220;EternalBlue&#8221; exploit released by The Shadow Brokers, as well as the WannaCrypt malware variant. 
Interestingly, it doesn&#8217;t even try to attack Windows 10, focusing solely on Windows 7\/8 and earlier operating systems that are still vulnerable to the attack.<\/p>\n<p>Once it&#8217;s on a computer, it goes on locking up the user&#8217;s files and arranging the ransom message. The spread of the initial release has actually stopped (after infecting <a href=\"https:\/\/intel.malwaretech.com\/botnet\/wcrypt\">more than 123,000 computers<\/a>) because <a href=\"https:\/\/twitter.com\/MalwareTechBlog\/status\/863191272969973760\">security researchers<\/a> registered a domain that the malware checks before the infection starts. As long as the software finds it, a sort of killswitch engages and no encryption occurs. However, <a href=\"https:\/\/twitter.com\/MalwareTechBlog\/status\/863191272969973760\">as @MalwareTechBlog notes<\/a>, anyone could modify the attack to remove the killswitch and begin attacking computers again.<\/p>\n<p>That&#8217;s because even without phishing links, another part of the exploit searches out a vulnerable server component (SMBv1) on unpatched Windows machines and can infect them remotely. This probably won&#8217;t work across the internet for PCs behind a firewall or router, but if a server is connected directly to the internet, or a PC is on the same network as an infected computer, it can spread quickly &#8212; which is exactly what happened yesterday.<\/p>\n<p>https:\/\/twitter.com\/MalwareTechBlog\/status\/863187378705510400<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Microsoft officially ended its support for most Windows XP computers back in 2014, but today it&#8217;s delivering one more public patch for the 16-year-old OS. As described in a post on its Windows Security blog, it&#8217;s taking this &#8220;highly unusual&#8221; step after customers worldwide including England&#8217;s National Health Service suffered a hit from &#8220;WannaCrypt&#8221; ransomware. 
[&hellip;]<\/p>\n","protected":false},"author":3,"featured_media":3467,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_et_pb_use_builder":"","_et_pb_old_content":"","_et_gb_content_width":"","footnotes":""},"categories":[4,7],"tags":[],"class_list":["post-3466","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-business","category-computers","et-has-post-format-content","et_post_format-et-post-format-standard"],"_links":{"self":[{"href":"https:\/\/kmtech.blog\/index.php?rest_route=\/wp\/v2\/posts\/3466","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/kmtech.blog\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/kmtech.blog\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/kmtech.blog\/index.php?rest_route=\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/kmtech.blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=3466"}],"version-history":[{"count":0,"href":"https:\/\/kmtech.blog\/index.php?rest_route=\/wp\/v2\/posts\/3466\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/kmtech.blog\/index.php?rest_route=\/"}],"wp:attachment":[{"href":"https:\/\/kmtech.blog\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=3466"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/kmtech.blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=3466"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/kmtech.blog\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=3466"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}