Microsoft released its monthly “Patch Tuesday” Windows updates yesterday for all supported machines. It also made the surprise move of creating updates for older versions, including Windows XP. In a blog post, the company confirmed it wants all Windows customers to have the patches installed.
The updates resolve issues in Windows that could enable similar attacks to the high-profile WannaCrypt ransomware campaign last month. Microsoft is pushing organisations worldwide to update their old computers to newer operating systems. However, the reality is there are still thousands of XP machines in use worldwide, including in sensitive environments. These include the UK’s NHS, one of the main victims of the WannaCrypt attack.
While it stopped short of stating that another campaign could be imminent, Microsoft said there is currently an “elevated risk” of a destructive incident. Its Security Response Center team made the call to release updates for older Windows versions after assessing the current threat landscape online. It implies that a WannaCrypt successor could emerge to wreak similar damage in the coming weeks.
This isn’t the first time Microsoft has released patches for Windows XP since the operating system left support in 2014. The company usually strictly limits updates to its supported operating systems, currently Windows 7, 8.1 and 10. The relatively high remaining install base of Windows XP machines, combined with the changing realities of cyberattacks, seem to be forcing it to back away from its regular policies.
In its announcement, Microsoft reiterated its previous statements that Windows XP users should not assume they’ll receive future updates too. The company renewed its calls for all consumers, governments and organisations using unsupported Windows versions to upgrade to a newer version as soon as possible. It stressed that older platforms lack the security features of their modern counterparts, even if they’re kept up-to-date.
“Our decision today to release these security updates for platforms not in extended support should not be viewed as a departure from our standard servicing policies,” Microsoft said. “Based on an assessment of the current threat landscape by our security engineers, we made the decision to make updates available more broadly. As always, we recommend customers upgrade to the latest platforms.”
The patches are said to provide additional protection against cyberattacks with similar characteristics to WannaCrypt. Computers with the latest updates installed were protected against last month’s ransomware campaign as Microsoft patched the flaw that WannaCrypt exploited back in March. The software spread prolifically through organisations that rely on older machines.
The new updates will be installed automatically on supported Windows versions with Windows Update turned on. If you’re using Windows XP, Windows Vista, Windows 8 or older versions of Windows Server, you should refer to Microsoft’s Knowledge Base article to get instructions on downloading and installing the patches.
