A simple hack of Windows XP tricks Microsoft's update service into delivering patches intended for a close cousin of the aged OS, potentially extending support for some components until 2019, a security researcher confirmed today.
What's unclear is whether those patches actually protect a Windows XP PC against cyber criminals' exploits.
The hack, which has circulated since last week -- first on a German-language discussion forum, then elsewhere as word spread -- fools Microsoft's Windows Update service into believing that the PC is actually running a close relation of XP, called 'Windows Embedded POSReady 2009.'
Unlike Windows XP, which was retired from security support April 8 and no longer receives patches, Embedded POSReady 2009 is due patches until April 9, 2019.
As its name implies, POSReady 2009 is used as the OS for devices such as cash registers -- aka point-of-sale systems -- and ATMs. Because it's based on Windows XP Service Pack 3 (SP3), the last supported version of the 13-year-old OS, its security patches are a superset of those that would have been shipped to XP users if support was still in place. Many of POSReady 2009's patches are similar, if not identical, to those still offered to enterprises and governments that have paid Microsoft for post-retirement XP support.
Jerome Segura, a senior security researcher at Malwarebytes, an anti-malware software vendor, tried out the hack and came away impressed.
'The system is stable, no crashes, no blue screens,' Segura said in an interview, talking about the Windows XP virtual machine whose updates he resurrected with the hack. 'I saw no warnings or error messages when I applied patches for .Net and Internet Explorer 8.'
The Internet Explorer 8 (IE8) update Segura applied appeared to be the same one Microsoft released May 13 for other versions of Windows, including POSReady 2009, but did not deliver to Windows XP.
But although he has run the hacked XP for several days now without any noticeable problems, he wasn't willing to give the trick a passing grade.
'[POSReady 2009] is not Windows XP, so we don't know if its patches fully protect XP customers,' Segura said. 'From an exploit point of view, when those vulnerabilities are exploited in the wild, will this patch protect PCs or will they be infected? That would be the ultimate proof.'
Microsoft, not surprisingly, took a dim view of the hack.
'We recently became aware of a hack that purportedly aims to provide security updates to Windows XP customers,' a company spokesperson said in an email. 'The security updates that could be installed are intended for Windows Embedded and Windows Server 2003 customers and do not fully protect Windows XP customers. Windows XP customers also run a significant risk of functionality issues with their machines if they install these updates, as they are not tested against Windows XP.'
That last sentence was puzzling. While Microsoft would almost certainly not test POSReady 2009's patches on a Windows XP system, it would have tested the XP patches it crafted for its post-retirement support clients. And from all the evidence, POSReady 2009 is, at its heart, Windows XP SP3.
'The core of [Embedded POSReady 2009] is pretty much the same as Windows XP,' said Segura.
Microsoft itself makes that plain on its own website. In one document, Microsoft stated that POSReady 2009 offers 'full Win32 compatibility' with Windows applications.
While Microsoft urged XP users to steer clear of the hack and instead ditch the old OS for 'a more modern operating system, like Windows 7 or Windows 8.1' -- Segura pointed out that wasn't always possible, often for financial reasons. 'If someone is going to stick with XP [the hack] is better than doing nothing, better than not having any patches,' Segura said.
'But there are better alternatives,' he continued. 'Don't use IE for one thing. Use an alternate browser -- Chrome and Firefox are going to still support XP -- and there are security products, including our anti-exploit products, that still run on XP. Those would be much better than the hack.'
The POSReady 2009 hack wasn't the first end-around Windows XP users have found for patching their PCs. In August 2010, after Microsoft required customers to upgrade from XP SP2 to SP3 to continue to receive security updates, a security adviser with antivirus vendor F-Secure revealed a Windows registry hack that tricked Windows Update into 'seeing' an XP SP2 PC as an XP SP3 system.
Segura was curious how Microsoft would deal with the hack. 'It's so easy to get the patches,' he said. 'Did Microsoft miss something? Will they do additional validation [to block the hack]? Can they?'
Instructions on how to apply the hack can be found on the Web, including this piece by Martin Brinkman on his Ghacks blog last Saturday.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld.
A day after a ransomware worm infected 75,000 machines in 100 countries, Microsoft is taking the highly unusual step of issuing patches that immunize Windows XP, 8, and Server 2003, operating systems the company stopped supporting as many as three years ago.
Microsoft also rolled out a signature that allows its Windows Defender antivirus engine to provide 'defense-in-depth' protection. The moves came after attackers on Friday used a recently leaked attack tool developed by the National Security Agency to virally spread ransomware known as 'WCry' or 'WannaCrypt.' Within hours, computer systems around the world were crippled, prompting hospitals to turn away patients while telecoms, banks, and companies such as FedEx were forced to turn off computers for the weekend.

The chaos surprised many security watchers because Microsoft issued an update in March that patched the underlying vulnerability in Windows 7 and most other supported versions of Windows. (Windows 10 was never vulnerable.) Friday's events made it clear that enough unpatched systems exist to cause significant outbreaks that could happen again in the coming days or months. In a blog post published late Friday night, Microsoft officials wrote:
We also know that some of our customers are running versions of Windows that no longer receive mainstream support. That means those customers will not have received the above mentioned Security Update released in March. Given the potential impact to customers and their businesses, we made the decision to make the Security Update for platforms in custom support only, Windows XP, Windows 8, and Windows Server 2003, broadly available for download here.
This decision was made based on an assessment of this situation, with the principle of protecting our customer ecosystem overall, firmly in mind.
This is possibly the first time ever that Microsoft has issued a patch for a product decommissioned so long ago. While the company issued an emergency patch for Windows XP in 2014, it came the same week support for that version ended, making the exception seem less unusual. This time around, the emergency patches are being applied to OS versions that Microsoft stopped supporting as many as three years ago.

Crucial entry point still missing
Microsoft announced the patches around the same time it said it still doesn't know what the precise starting point was for Friday's WCry outbreak. One of the key questions circulating once Friday's viral outbreak appeared to be contained was how did the self-replicating worm first gain entry so it could go on to spread from vulnerable machine to vulnerable machine.
At least two security firms—FOX-IT here and CrowdStrike here—said spam that sent fake invoices to end users provided the crucial initial vector to seed the self-replicating attack, but none of the three companies have produced copies. Some researchers doubted a generic e-mail campaign could have been the sole initial vector without leaving a mountain of evidence that would have surfaced by now. In a blog post published Friday night, Microsoft officials wrote:
We haven't found evidence of the exact initial entry vector used by this threat, but there are two scenarios we believe are highly possible for this ransomware family:
- Arrival through social engineering emails designed to trick users to run the malware and activate the worm-spreading functionality with the SMB exploit
- Infection through SMB exploit when an unpatched computer can be addressed in other infected machines
The blog post went on to say that the worm 'executes massive scanning on Internet IP addresses to find and infect other vulnerable computers.'
FOX-IT also said in its blog post that 'there appear to be multiple infection vectors,' but the post didn't elaborate. Maarten van Dantzig, a researcher with FOX-IT, said on Twitter here and here that he suspects e-mail was the initial vector for some, but not all, of the outbreaks. Researchers from Cisco Systems Talos group went even further, writing: 'Our research does not yet support that e-mail was the initial infection vector. Analysis is ongoing.'
The possibility that ransomware can spread virally across the Internet without any form of end-user interaction is a chilling prospect. Internet-wide scans performed in recent weeks show that as many as 2.3 million computers have the necessary port 445 exposed to the Internet. Those scans also reveal that 1.3 million Windows machines haven't been patched.
People who are running unpatched machines should take action immediately. The best measure is to patch the vulnerability using this link for supported versions or this one for XP, 8, and Server 2003. Those who can't patch should ensure their computers are locked down by, among other things, blocking outside access to ports 138, 139, and 445. They should also disable version 1 of the Server Message Block protocol.
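The two lockdown steps above, as an added example that is not from the article or from Microsoft. It assumes Windows 8 / Server 2012 or later (where the SMB and NetSecurity cmdlets exist), an elevated PowerShell session, and host-firewall rules on the Public profile; the rule names are invented for this example.

```powershell
# Added example: disable the SMBv1 server and block inbound NetBIOS/SMB ports.
# Assumptions: Windows 8 / Server 2012 or later, elevated session.
# The rule names below are invented for this example.

$ports = 138, 139, 445   # the ports named in the article

# 1. Report the current SMBv1 server setting, then turn it off if enabled.
$smb = Get-SmbServerConfiguration
"SMBv1 server enabled before change: $($smb.EnableSMB1Protocol)"
if ($smb.EnableSMB1Protocol) {
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
}

# 2. Add inbound block rules for TCP and UDP, skipping any that already exist
#    so the script can be re-run safely.
foreach ($proto in 'TCP', 'UDP') {
    $name = "Example-Block-Inbound-SMB-NetBIOS-$proto"
    $existing = Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue
    if (-not $existing) {
        New-NetFirewallRule -DisplayName $name `
            -Direction Inbound -Action Block `
            -Protocol $proto -LocalPort $ports `
            -Profile Public | Out-Null
    }
}

# 3. Verify both controls and emit one summary object for logging.
$rules = Get-NetFirewallRule -DisplayName 'Example-Block-Inbound-SMB-NetBIOS-*' |
    Where-Object { $_.Enabled -eq 'True' -and $_.Action -eq 'Block' }

[pscustomobject]@{
    ComputerName      = $env:COMPUTERNAME
    Smb1ServerEnabled = (Get-SmbServerConfiguration).EnableSMB1Protocol
    BlockRulesActive  = @($rules).Count   # expect 2 (TCP and UDP)
}
```

These cmdlets are not available on Windows XP or Server 2003, and a host rule on the Public profile does not replace blocking the same ports at the network perimeter.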
Friday's attack could have been much worse, had the perpetrators not slipped up by failing to register an Internet domain that was hardcoded into their exploit as a sort of 'kill switch' they could activate if they wanted to shut down the worm. That made it possible for a quick-acting researcher to register the domain and stop much of the attack just as it was gaining momentum.
A new attack could come at any time. Next time, defenders may not be so lucky. As Microsoft's blog post makes clear, vulnerable machines aren't only a danger to themselves, but to the entire world at large.