Microsoft warns of 'destructive cyberattacks,' issues new Windows XP patches
Last month's devastating WannaCry ransomware outbreak was just a warning shot. In an unprecedented move, Microsoft today released critical security updates to block another wave of similar attacks, making those patches available on unsupported versions like Windows XP and Server 2003.
In a blog post shared with ZDNet in advance of today's release, Microsoft's Adrienne Hall, general manager of the Cyber Defense Operations Center, cited an "elevated risk of cyberattacks by government organizations, sometimes referred to as nation-state actors, or other copycat organizations."
The announcement noted that the updates were designed to provide "further protection against potential attacks with characteristics similar to WannaCrypt."
A Microsoft spokesperson declined to comment when asked whether the company had received warnings of an imminent attack, either from security researchers or government agencies. However, the tone and timing of today's announcement suggest that today's critical updates are much more than a routine precaution.
As is company policy, details of the vulnerabilities addressed were not made available until the updates themselves were released.
Last month's fixes were related to flaws in older versions of the Server Message Block (SMB) protocol. Those vulnerabilities affect all versions of Windows, and Linux servers are also being targeted with a new active exploit.
In a separate blog post, Eric Doerr, general manager of the Microsoft Security Response Center, noted that these additional critical security updates "address vulnerabilities that are at [heightened] risk of exploitation due to past nation-state activity and disclosures."
Doerr cautioned customers running unsupported platforms not to expect similar patches in the future:
"Our decision today to release these security updates for platforms not in extended support should not be viewed as a departure from our standard servicing policies. Based on an assessment of the current threat landscape by our security engineers, we made the decision to make updates available more broadly. As always, we recommend customers upgrade to the latest platforms. The best protection is to be on a modern, up-to-date system that incorporates the latest defense-in-depth innovations. Older systems, even if fully up-to-date, lack the latest security features and advancements."
This is just the latest in a series of unprecedented developments for Windows Update. In February, for the first time ever, the company skipped its normal Patch Tuesday deliveries, delaying them until the following month. In hindsight, it's now apparent that Microsoft was scrambling to deliver patches that would repair the vulnerabilities that resulted in the global WannaCry ransomware outbreak.