Note: My Web pages are best viewed with style sheets enabled.
In May 2017, widespread distribution of ransomware variously known under such names as WannaCrypt and WannaCry affected computers using various versions of Windows worldwide. Estimates indicated that well over 100,000 computers — possibly more than 200,000 — were affected, primarily through the remote encryption of important data and software. Hospitals, public transportation, and other major systems were shut down by a demand for payment of ransom to obtain decryption of the affected computers.
Of course, the criminals who distributed the ransomware are to blame. However, blame must also be shared by other parties.
Monthly, Microsoft distributes updates to its software to correct security vulnerabilities. More than seven years after releasing Windows 7 SP1, new security updates are still being distributed for that version of Windows. Most of those updates are described with the phrase "… could allow remote code execution …". For years, this has appeared so frequently to so many Microsoft products, including Windows and Office, that I believe Microsoft has failed to focus sufficient effort on testing for this error, which was the vulnerability attacked by ransomware.
Furthermore, Microsoft knew of the relevant security vulnerability in its various Windows versions at least by February 2017 but did not release the necessary updates until as late as May.
Finally, while Microsoft claims users of earlier versions of Windows would be better protected if they would only update to Windows 10. However, even Windows 10 contained the security vulnerability that allowed the spread of WannaCrypt. Indeed, a group of hackers claiming to be the distributors of WannaCrypt says that they know of additional vulnerabilities for ransomware in Windows 10.
I must admit that I always delay at least a week before installing Microsoft updates, even updates for serious security vulnerabilities. This is because too many such updates contain new errors, some of which are worse than what they are supposed to fix. Before installing updates, I monitor online discussions about what other users experience with the updates. More than once, such delays proved very beneficial by allowing me to avoid a catastrophy. However, not all errors in updates are noticed immediately. Since the end of 2014, I have installed 39 Microsoft updates that were defective and had to be replaced by subsequent updates; that was more than one defective update per month. Furthermore, three of those subsequent updates were themselves defective and required additional updates.
The NSA knew of the Windows security vulnerability. Rather than alert Microsoft so that updates could be promptly released to correct the problem, the NSA kept the vulnerability secret and used it to create software for use in spying on Windows users and disrupting computer operations in other nations. The problem was that the NSA failed to exercise sufficient security within its own computer operations, thereby allowing that software to be stolen and then distributed as ransomware. The NSA therefore put United States — people, businesses, organizations, and even the government itself — at risk instead of protecting us.
Many users of Windows fail to keep their systems current in terms of malware protection. When software updates are available to correct security vulnerabilities, they should of course be installed (perhaps after a short delay as I described under Microsoft). There is no excuse for failing to have a current anti-malware application and constantly updating that application's data that identifies malware. A good firewall is also a necessity.
However, users should not be a major target for blame. Often, security updates for software — including for Windows — are no longer available. Older versions of Windows — versions that are no longer being maintained by Microsoft — remain in use because the users have vital applications that will not work with newer versions of Windows. Yes, Microsoft repeatedly fails to provide compatibility for older applications in newer versions of Windows, despite the fact that those older applications still perform the tasks that users want performed. I know this; I lost some very useful capabilities when I was forced to upgrade from Windows XP to Windows 7. Staying with an older version of Windows can mean avoiding the substantial expense of replacing applications that still work quite well, but that also means forgoing updates to Windows. Thus, this becomes another item of blame to levy against Microsoft (which, as earlier noted, still has never-ending security vulnerabilities in its latest version of Windows).
18 May 2017
Updated 5 June 2017
David Ross home