Microsoft withheld a free patch from users of old software that “could have slowed the devastating spread of ransomware WannaCry to businesses,” opting to charge those using older versions instead, according to a report.
“Microsoft wanted hefty fees of up to $1,000 a year from businesses for ‘custom’ support and protection against attacks like WannaCry, which locks your computer unless you pay the hackers in bitcoin, said the publication,” reported CNET on Thursday. “While Microsoft finally did make the patch available free of charge to Windows XP machines last Friday, damage had already been done.”
“The company has since been trying to convince customers, business or otherwise, to switch to its newer and more secure Windows 10,” they continued, adding that “Despite the lack of cover, plenty of Microsoft’s customers are still running older software that may still be vulnerable.”
A Microsoft spokesman defended the company’s actions to CNET, claiming that users have a choice to upgrade and are warned about the security problems of using old software.
“Recognizing that for a variety of business reasons, companies sometimes choose not to upgrade even after 10 or 15 years, Microsoft offers custom support agreements as a stopgap measure,” said the spokesman to CNET. “To be clear, Microsoft would prefer that companies upgrade and realize the full benefits of the latest version rather than choose custom support.”
“Security experts agree that the best protection is to be on a modern, up-to-date system that incorporates the latest defense-in-depth innovations,” they continued. “Older systems, even if fully up-to-date, simply lack the latest protections.”
Following last week’s WannaCry global attack, which disrupted organizations and services around the world, including Britain’s National Healthcare Service (NHS), Microsoft criticized the U.S. government for poorly storing cyberweapons, which had been leaked from the National Security Agency (NSA).
“The WannaCrypt exploits used in the attack were drawn from the exploits stolen from the National Security Agency, or NSA, in the United States,” Microsoft explained in a statement. “That theft was publicly reported earlier this year. A month prior, on March 14, Microsoft had released a security update to patch this vulnerability and protect our customers.”
“While this protected newer Windows systems and computers that had enabled Windows Update to apply this latest update, many computers remained unpatched globally. As a result, hospitals, businesses, governments, and computers at homes were affected,” they claimed.
Citing the recent WikiLeaks releases that included leaked code for CIA programs, Microsoft added that “this attack provides yet another example of why the stockpiling of vulnerabilities by governments is such a problem,” calling it “an emerging pattern in 2017.”
“The governments of the world should treat this attack as a wake-up call,” they said, arguing that government agencies “need to take a different approach and adhere in cyberspace to the same rules applied to weapons in the physical world.”
Several journalists, however, claimed in articles that Microsoft was just as responsible for the attack as the U.S. government.
“By failing to support older versions of its operating system, the IT company provided the hackers that stole the NSA’s IT Tomahawk Missile the opportunity they needed,” wrote one writer for the Independent, while the Inquirer voiced similar concerns in an article titled “Microsoft, it’s not just the NSA. If you want to kill WannaCry, fix broken Windows.”
This week, cybersecurity firm Proofpoint warned that a bigger global attack was on the way.
“It uses the hacking tools recently disclosed by the NSA and which have since been fixed by Microsoft in a more stealthy manner and for a different purpose,” said Proofpoint, who discovered the “Adylkuzz” attack. “As it is silent and doesn’t trouble the user, the Adylkuzz attack is much more profitable for the cyber criminals.”
“It transforms the infected users into unwitting financial supporters of their attackers,” they continued, explaining that Adylkuzz lays low on infected devices and mines the crypto-currency Monero, before sending the financial gain to the perpetrators.