Microsoft criticised for holding back on Wannacry patch to XP users


Some of Microsoft’s customers have been charged $1000 per year per device for XP patches, with charges escalating so much the NHS abandoned support after just one year.

Update: "WannaKey" and "WanaKiwi" can decrypt Wannacry - in some circumstances

Original story continues:

A new report in the Financial Times, entitled “Microsoft held back free patch that could have slowed WannaCry”, quotes people criticising Microsoft for holding back on patches for XP that could protect against known vulnerabilities.

An MDN report has some of the FT article’s details, as FT articles are behind a paywall unless first individually searched for via a search engine.

These vulnerabilities have since led to ransomware attacks on businesses around the world, including some in Australia, and most worryingly, hospitals as part of the UK’s NHS - reportedly leading to serious problems delivering services to patients.

The report says Microsoft recently started charging enterprise customers for additional Windows 10 security, something criticised, given this protection should be standard in all versions of Windows 10.

Also criticised is the huge cost of custom support for the XP operating system, with fees into the millions of dollars for some customers, some of whom are presumably still unable to move to Windows 10 due to custom software, and for whom paying custom support fees is still a better deal than uprooting all hardware and software to the latest versions.

The report quotes a US government official suggesting Microsoft should have acted to protect XP users before the Wannacry ransomware attacked vulnerable computers.

This is especially so considering Microsoft reportedly knew, thanks to the NSA, that vulnerabilities were now in the open, and the fact that it issued patches for supported versions of Windows — but left unsupported users out in the cold — until it was forced to issue an "emergency patch" for XP users, by which time it was too late for many of those already affected by Wannacry. 

Had patches been issued for the hundreds of millions still using older versions of Windows in production environments, Wannacry’s effects would have been vastly limited compared to what actually happened.

Zeynep Tufekci, an associate professor at the school of information and library science at the University of North Carolina, wrote a New York Times op-ed entitled: “The world is getting hacked. Why don’t we do more to stop it?”

Within the op-ed, Tufekci stated: “Companies like Microsoft should discard the idea that they can abandon people using older software. The money they made from these customers hasn’t expired; neither has their responsibility to fix defects.”

Tufekci posted the following tweet, attacking those who consider XP ancient: 

The Verge quoted a ZDNet article stating: "The real problem here is that for decades the IT industry as a whole has been selling rubbish products. It's become fabulously wealthy by making products that are broken to begin with, and often, directly or indirectly, charging customers to fix them.”

The ZDNet article by Australian tech writer Stilgherrian quoted the owner of Pinboard stating: “Blaming people for using ancient software is really weird. There's no other context where we demand constant replacement of things that work."

Stilgherrian also wrote: “When you're running a hospital full of machines that go ping, you can't afford an update to kill those pings, because that in turn can kill people. Context matters.”

However, in another New York Times article entitled: “In Ransomware Attack, Where Does Microsoft’s Responsibility Lie?", we read of security experts having “challenged that argument, saying that Microsoft could not be expected to keep updating old software products indefinitely".

Mikko Hypponen, chief research officer of security firm F-Secure, is quoted as stating: “I can understand why they issued an emergency patch for XP after WannaCry was found, but in general, we should just let XP die.”

Naturally, the sound advice is to bite the bullet and upgrade to a supported version of Windows that receives timely patches, but if it were so easy and affordable to do so, millions upon millions still wouldn’t be using XP.

Reports suggest Microsoft is the big winner from the Wannacry ransomware, as it will force many XP users to upgrade at long last.

Also criticised has been security firm Sophos, which prior to the Wannacry outbreak had a microsite featuring the headline ‘The NHS is totally protected with Sophos,’ a claim that clearly did not hold, given the prominence of the NHS shutdowns caused by the Wannacry attack.

However, despite the NHS reportedly using XP systems, The Verge quotes a Kaspersky Lab claim that Windows 7 64-bit users were hardest hit, with "less than one in a thousand" of those affected "using XP".

Windows 7 was one of the supported operating systems getting a patch about a month before Wannacry hit, so this report seemingly shows people aren't patching properly or in a timely manner, while also exposing that Microsoft still felt it necessary to issue an emergency Windows XP patch. 
