To protect customers against the fast-spreading WannaCry contagion in May, Microsoft broke tradition and released express security patches for unsupported versions of its Windows operating system. This month, Microsoft repeats the move amid increasing fears of government-sponsored attacks.
Bad actors could remotely exploit 27 of the 94 individual vulnerabilities patched in this week’s update in a similar manner to the WannaCrypt/WannaCry contagion. Microsoft was quick to clarify in an FAQ that the WannaCry malware is now fully addressed on machines patched with last month’s security update.
“To address this [new] risk, today we are providing additional security updates along with our regular Update Tuesday service,” said Adrienne Hall, General Manager at Microsoft’s Cyber Defense Operations Center, on Microsoft’s official Windows blog.
“These security updates are being made available to all customers, including those using older versions of Windows,” Hall said. “Due to the elevated risk for destructive cyber attacks at this time, we made the decision to take this action because applying these updates provides further protection against potential attacks with characteristics similar to WannaCrypt.”
Hall clearly suggests that these two months have been major exceptions to Microsoft’s internal rules, and urges users to upgrade to the newest Windows versions, noting that “the best protection is to be on a modern, up-to-date system that incorporates the latest innovations.”
The Redmond, Washington-based software maker expressly states in security advisory 4025685 that the decision to release security updates for these outdated platforms “should not be interpreted as a change in policy.”
“Customers are encouraged to upgrade to a supported platform,” it adds.
Windows XP and Windows 8 users must manually fetch their patches from Microsoft’s website; the security bulletin gives customers on these outdated operating systems instructions for downloading the applicable security updates by hand.
A noteworthy flaw patched in this week’s update is CVE-2017-8543, which resides in the Server Message Block (SMB) service. Left unpatched, SMB vulnerabilities are hazardous to both end users and corporate networks, as they can allow the spread of “wormable” malware like the WannaCrypt ransomware. This wormlike behavior last month infected more than 300,000 endpoints worldwide and, most notably, temporarily shut down more than a dozen UK hospitals.
Microsoft’s telemetry indicates that the newer SMB flaw is already being exploited in the wild on Windows 7, 8.1, and 10, as well as on Windows Server 2008, 2012 and 2016, which makes it all the more imperative to apply this week’s patches.