
How Windows patching leaves security exposed

Four years on since it devastated IT systems across the NHS, WannaCry remains a threat to organisations around the world

Next month, Microsoft will stop issuing security updates for Windows 10 version 1909, 18 months after its release. This may not be receiving the same headlines as end of support for Windows 7 or Windows XP, but it was unpatched Windows systems, some of them running unsupported versions, that hackers exploited to bring down IT in the NHS in May 2017.

Data provided by IT asset management firm Lansweeper has revealed that about 20% of enterprise devices currently run older operating systems, such as Windows 7 (6.7%), Windows 8/8.1 (6.6%), Windows XP (2%) and even Windows Vista (0.25%).

WannaCry shut down machines, took out hospital equipment and harmed numerous businesses. Microsoft had already patched the vulnerability on its supported operating systems, from the latest Windows 10 version back to the oldest releases still in service, and once the outbreak began it took the unusual step of issuing the fix for versions that were no longer supported, including Windows XP and Windows Server 2003. Industry reports on the virulence of WannaCry found that the majority of affected machines ran Windows 7, which was still supported at the time but had not been patched.

Support for this version of the Microsoft desktop operating system only ended in January 2020. But, recognising that machines running Windows 7 would remain in service, Microsoft has, since that date, offered Extended Security Updates (ESU), for which its volume licensing customers pay an additional annual fee.

ESU is available for Windows 7 Professional until 2023, as is ESU for embedded Windows 7, while Windows Embedded POSReady 7 has ESU until 2024. However, ESU for the point-of-sale and embedded versions of Windows 7 is only available through the hardware manufacturers that supply devices running embedded Windows 7.

A day they’ll never forget

Speaking at a Gresham College lecture, Tarah Wheeler, a fellow at New America and Fulbright scholar, described the WannaCry attack as something many IT professionals would never forget. She said: “The IT personnel that I’ve spoken to at the NHS who remember that day, remember it like someone in the United States would remember where they were when Kennedy got shot, or when they first heard on 11 September of the World Trade Center coming down.”

Wheeler’s research into the aftermath of WannaCry has found that over a quarter of organisations that recognised they were vulnerable to WannaCry in 2017 are still at risk. She found that many organisations still rely on unsupported and outdated Windows 7 software and have not updated their PC equipment. “Many people don’t understand that the nature of updating a computer is something that needs to be constant in the background,” she said.

Wheeler said organisations sometimes deliberately choose not to update their computers specifically because they may be running things like critical infrastructure. “This is a terrifying conversation to have,” she said. 

According to Wheeler, many of these machines cannot simply be rebooted because organisations rely on the services they provide. “You can’t afford the time to repair it, which is why we end up with these kinds of cyber attacks,” she said.

Embedded older versions of Windows

Roel Decneut, chief marketing officer at Lansweeper, said: “Companies run legacy devices and systems that are maybe not supported any longer, but are still absolutely necessary for the business because purchasing new models just isn’t feasible for some reason. It might be that they can’t easily upgrade the operating system because it could potentially mess with the software. This is seen as a cost saving due to the effort involved in not just migrating the OS, but the entire application it supports.”

Decneut said operational technology and other environments tend to be isolated from both the internal IT network and the internet, which can potentially reduce the risk of an operating system exploit getting into the system. “The security aspect is deemed mitigated,” he said. “It’s all reinforced by the fact that these kinds of environments are subject to high uptime as they are vital to the output of a business.”

Beyond operational systems running older versions of Windows, IT departments in large businesses often struggle to keep track of all the versions and editions of an operating system they have running. A version that has silently passed its end of service stops receiving fixes, and every such machine is an unpatched target.

Looking back at what Microsoft president Brad Smith wrote about WannaCry in a blog post, the attackers found their attack vector by exploiting a vulnerability that Microsoft had patched two months earlier.

In the post, published on 14 May 2017, Smith discussed why Microsoft had released the patch: “On 14 March, Microsoft released a security update to patch this vulnerability and protect our customers. While this protected newer Windows systems and computers that had enabled Windows Update to apply this latest update, many computers remained unpatched globally. As a result, hospitals, businesses, governments and computers at homes were affected.”

Risk of critical vulnerability and exposure alerts

From a security perspective, Smith's statement shows that a vulnerability fixed in current versions of Windows is likely to exist in previous and unsupported versions of the operating system as well. This is the vector the attackers behind WannaCry used. Once a patch is public, attackers know where the flaw is, and any system that has not applied it, whether because the update was never installed or because that version no longer receives updates, stays exploitable.

Given the nature of Windows software, and Microsoft’s commitment to backwards compatibility, unless a patch fixes functionality that is only present in Windows 10, the vulnerability the patch plugs is highly likely to exist in older versions of Windows desktop and server operating system software.

The risk posed by legacy or unsupported operating systems does not go away with continuous updates, as in Windows 10, which receives a feature update roughly every six months and retires each one after a fixed servicing period. Windows 10, version 1909, which was released in November 2019, reaches end of service on 11 May 2021. Microsoft said that after that date, devices running the Home, Pro, Pro for Workstation and Server SAC (semi-annual channel) editions of this version will no longer receive monthly security and quality updates that contain protection from the latest security threats.

However, the company said it would continue to provide patches and updates for the Enterprise, Education, IoT Enterprise and Nano Container image editions of Windows 10, version 1909. The same version number can therefore be fully serviced on one machine and unsupported on the one next to it, which is exactly the detail an inventory that records only the version string will miss.
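The tracking problem described above, that a fleet contains several Windows versions and that the same version can be in or out of service depending on edition and on whether an ESU agreement is in place, is easy to get wrong by eye. The following is an added example, not code from the article, from Lansweeper or from Microsoft: it takes an inventory export (here a constructed sample of fictitious hosts) and classifies each host as supported, ending soon, unsupported or unknown as of a given date. The build-to-release mapping and lifecycle table are illustrative; the Windows 10 1909 dates are the ones given in the article, the Windows 7 and XP dates are Microsoft's published end-of-support dates, and the table must be kept in step with Microsoft's lifecycle documentation for any other release you run.

```python
"""Classify Windows hosts by whether their version/edition still receives security updates.

Added example (not the article's or any vendor's code). The lifecycle table is
illustrative and assumed to be maintained from Microsoft's lifecycle pages.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Edition groups: Microsoft retires Home/Pro/Server SAC builds of a Windows 10
# release earlier than Enterprise/Education builds of the same release.
CONSUMER = "consumer"
ENTERPRISE = "enterprise"
ANY = "any"  # products with a single lifecycle date regardless of edition

CONSUMER_EDITIONS = {"Home", "Pro", "Pro for Workstations", "Server SAC"}
ENTERPRISE_EDITIONS = {"Enterprise", "Education", "IoT Enterprise"}

# (product, edition group) -> end-of-service date.
LIFECYCLE = {
    ("Windows XP", ANY): date(2014, 4, 8),
    ("Windows 7", ANY): date(2020, 1, 14),
    ("Windows 10 1909", CONSUMER): date(2021, 5, 11),
    ("Windows 10 1909", ENTERPRISE): date(2022, 5, 10),
}

# Paid Extended Security Updates extend the effective date for covered hosts.
ESU_END = {"Windows 7": date(2023, 1, 10)}

# Kernel/build string as reported by the OS -> product name used in LIFECYCLE.
BUILD_TO_PRODUCT = {
    "5.1.2600": "Windows XP",
    "6.1.7601": "Windows 7",
    "10.0.18363": "Windows 10 1909",
}


@dataclass
class Host:
    name: str
    build: str          # e.g. "10.0.18363"
    edition: str        # e.g. "Pro", "Enterprise", "Professional"
    esu: bool = False   # True if covered by an ESU agreement


def edition_group(edition: str) -> str:
    if edition in CONSUMER_EDITIONS:
        return CONSUMER
    if edition in ENTERPRISE_EDITIONS:
        return ENTERPRISE
    return ANY


def end_of_service(host: Host) -> Optional[date]:
    """Return the date after which the host stops receiving updates, or None if unknown."""
    product = BUILD_TO_PRODUCT.get(host.build)
    if product is None:
        return None
    eos = LIFECYCLE.get((product, edition_group(host.edition)))
    if eos is None:
        eos = LIFECYCLE.get((product, ANY))  # fall back to edition-independent date
    if eos is None:
        return None
    if host.esu and product in ESU_END:
        return max(eos, ESU_END[product])
    return eos


def classify(host: Host, as_of: date, warn_days: int = 90) -> str:
    """'unknown' deliberately means 'go and check', never 'assume safe'."""
    eos = end_of_service(host)
    if eos is None:
        return "unknown"
    if as_of > eos:
        return "unsupported"
    if as_of + timedelta(days=warn_days) >= eos:
        return "ending-soon"
    return "supported"


# Constructed sample inventory; hostnames and data are fictitious.
SAMPLE_HOSTS = [
    Host("ward-pc-01", "6.1.7601", "Professional"),          # Windows 7, no ESU
    Host("till-03", "6.1.7601", "Professional", esu=True),   # Windows 7 under ESU
    Host("mri-console", "5.1.2600", "Professional"),         # Windows XP
    Host("admin-07", "10.0.18363", "Pro"),                   # 1909 Pro
    Host("admin-08", "10.0.18363", "Enterprise"),            # 1909 Enterprise
    Host("vendor-box", "10.0.19042", "Pro"),                 # release not in table
]


def sample_report(as_of: date = date(2021, 5, 12)):
    """Classify the sample inventory; defaults to the day after 1909 Home/Pro end of service."""
    return [(h.name, classify(h, as_of)) for h in SAMPLE_HOSTS]


if __name__ == "__main__":
    for name, status in sample_report():
        print(f"{name:14} {status}")
```

Feeding a real export is a matter of building `Host` objects from the inventory tool's CSV; the point of the `unknown` status is that any build string the table has never seen lands on a list for someone to look at rather than being silently counted as fine.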
