
Author Topic: Was Microsoft to blame? No - the NSA.  (Read 5655 times)


Geek-9pm

Was Microsoft to blame? No - the NSA.
« on: May 17, 2017, 07:38:47 PM »
This story is still developing and is not yet hard news.
Here is a YouTube interview from today, based on a blog by Brad Smith from Microsoft.
https://www.youtube.com/watch?v=QUnSTnTxQJY
The man in the interview is Paul Thurrott.
Note what he said about XP.

An interview with Brad Smith is found on CNN tech.

« Last Edit: May 17, 2017, 07:55:02 PM by Geek-9pm »

BC_Programmer


Re: Was Microsoft to blame? No - the NSA.
« Reply #1 on: May 17, 2017, 10:55:47 PM »
I do sort of wonder if they actually did fix it in March. Microsoft issued KB4013389 as part of Security Bulletin MS17-010, which fixes a critical security issue with SMB. Now, the claim is often that "Microsoft fixed this problem in March" based on this. That would seem completely reasonable. But I'm not entirely sure, because after the ransomware attack they issued KB4019472, which lists "Security updates to Windows COM, Windows SMB Server, Windows server, Internet Explorer, and Microsoft Edge." If they already fixed it, what are these fixes for and why were they provided shortly after the ransomware appeared as a threat?
I was trying to dereference Null Pointers before it was cool.

patio

Re: Was Microsoft to blame? No - the NSA.
« Reply #2 on: May 18, 2017, 05:40:54 AM »
I don't follow the logic that the NSA is at fault...all they did was discover the weak spot...
" Anyone who goes to a psychiatrist should have his head examined. "

Geek-9pm

Re: Was Microsoft to blame? No - the NSA.
« Reply #3 on: May 18, 2017, 09:54:06 AM »
What is SMB? There are over 40 definitions.
Must be one of these:
https://en.wikipedia.org/wiki/SMB

Very recent relevant references:
http://www.zdnet.com/article/how-wannacrypt-attacks/#ftag=YHFb1d24ec
Quote
...  WannaCrypt, aka WannaCry. It starts by infecting you the old-fashioned way, but once it makes it on your network, it uses an out-of-date version of Windows' Server Message Block (SMB) networking protocol to spread like wildfire.
...
http://www.zdnet.com/article/windows-10-credential-theft-google-is-working-on-fix-for-chrome-flaw/#ftag=YHFb1d24ec
Quote
Attackers can use Google's Chrome browser to install and automatically run a malicious file on a Windows PC to steal passwords.
...
Interesting.

Computer Hope Admin

Re: Was Microsoft to blame? No - the NSA.
« Reply #4 on: May 18, 2017, 10:00:29 AM »
I'd think we'd all agree with what Paul said, it is really the user's fault. If someone or a company is still running Windows XP, a 16-year-old operating system that had its support ended over three years ago, they are the ones that should be at fault. Updates should always be done as soon as possible.
Everybody is a genius. But, if you judge a fish by its ability to climb a tree, it will spend its whole life believing that it is stupid.
-Albert Einstein

patio

Re: Was Microsoft to blame? No - the NSA.
« Reply #5 on: May 18, 2017, 10:05:21 AM »
To add to my point...it ain't the NSA's software...

Unless they do that now and I hadn't heard of it...
" Anyone who goes to a psychiatrist should have his head examined. "

Geek-9pm

Re: Was Microsoft to blame? No - the NSA.
« Reply #6 on: May 18, 2017, 01:37:09 PM »
For what it is worth...

A (very) brief history of Windows XP

To my knowledge, one can not be responsible for a product that is 16 years old. Perhaps some exceptions in rare cases. But I don't know of any.
Wait... Something just clicked in my old brain.
https://en.wikipedia.org/wiki/General_Aviation_Revitalization_Act
Quote
It was intended to counteract the effects of prolonged product liability on general aviation
...
Quote
protection from the original 15 years to the finally-successful 18 years.[8]
So is software like an airplane?  ???

patio

Re: Was Microsoft to blame? No - the NSA.
« Reply #7 on: May 18, 2017, 01:54:37 PM »
Now we're really spinning off on tangents...
" Anyone who goes to a psychiatrist should have his head examined. "

Geek-9pm

Re: Was Microsoft to blame? No - the NSA.
« Reply #8 on: May 18, 2017, 04:05:25 PM »
Back to target,
Microsoft or NSA ?
Recent hits on Google:

https://www.bloomberg.com/news/articles/2017-05-16/microsoft-faulted-over-ransomware-while-shifting-blame-to-nsa
Microsoft Faulted Over Ransomware While Shifting Blame to NSA
Quote
There’s a blame game brewing over who’s responsible for the massive cyberattack that infected hundreds of thousands of computers. Microsoft Corp. is pointing its finger at the U.S. government, while some experts say the software giant is accountable too.

http://www.salon.com/2017/05/17/dont-blame-microsoft-or-the-nsa-if-youre-running-obsolete-software-you-helped-make-the-ransomware-attack-possible/
Don’t blame Microsoft or the NSA! If you’re running obsolete software, you helped make the “ransomware” attack possible

https://www.onmsft.com/news/cry-if-you-wannacry-but-dont-blame-microsoft-for-it
Cry if you WannaCry, but don’t blame Microsoft for it

BC_Programmer


Re: Was Microsoft to blame? No - the NSA.
« Reply #9 on: May 18, 2017, 05:41:45 PM »
Personally, I can see an argument for the NSA to "hoard" exploits to use for their intelligence purposes. However I think there can be agreement that once that information is leaked, there is a duty of care to responsibly disclose vulnerabilities to the affected software vendors. I think that is what they did here since Microsoft patched the affected Operating Systems that were still supported in March.

Interestingly, a lot of information online regarding this issue is demonstrably inaccurate. I've seen posts saying it doesn't affect Windows 10, or only affected XP, for example.

Fact of the matter is that Windows 10 was vulnerable to the exploit, unless users had taken steps to remove SMBv1/CIFS support from the "Add/Remove Windows Features" control panel. The Security Bulletin released in March lists Windows 10 as an affected system and lists it as a Critical Remote Execution Exploit. Any Windows 10 system that does not have that patch or the May 9th Security Rollup (KB4019472)  is vulnerable to this exploit, and Windows Vista through 10 are all affected similarly.

The misconception that Windows 10 isn't affected can be blamed on Microsoft, since Microsoft said that the issue does not affect Windows 10, even though it does, which was a PR Spin because they consider Windows 10 a service.

In the case of businesses still using XP,  it's really a case of "Play stupid games, win stupid prizes".
I was trying to dereference Null Pointers before it was cool.
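
The check described in Reply #9 (is SMBv1 still enabled, and is the update present), as an added example that is not part of any forum post. The function name `Test-Smb1Exposure` and the output property names are hypothetical; the only KB number used is the one named in the thread, and because cumulative updates supersede each other, the list is a parameter to be extended for the build being checked.

```powershell
# Added example, not code from the thread. Run from an elevated PowerShell
# session on Windows 8.1 / Server 2012 R2 or later.
function Test-Smb1Exposure {
    param(
        # KB IDs to look for. Default is the May 9th rollup named in the thread;
        # later cumulative updates replace it, so add the IDs for your build.
        [string[]]$PatchKBs = @('KB4019472')
    )

    # State of the SMBv1 optional feature (the "Windows Features" dialog entry).
    $feature = Get-WindowsOptionalFeature -Online -FeatureName 'SMB1Protocol' `
        -ErrorAction SilentlyContinue
    $featureEnabled = ($null -ne $feature) -and ($feature.State -eq 'Enabled')

    # Whether the SMB server component still negotiates SMBv1 with clients.
    $serverSmb1 = [bool](Get-SmbServerConfiguration).EnableSMB1Protocol

    # Installed updates whose ID is in the supplied list.
    $found = @(Get-HotFix -ErrorAction SilentlyContinue |
        Where-Object { $PatchKBs -contains $_.HotFixID } |
        Select-Object -ExpandProperty HotFixID)

    $smb1Active = $featureEnabled -or $serverSmb1

    [pscustomobject]@{
        ComputerName        = $env:COMPUTERNAME
        Smb1FeatureEnabled  = $featureEnabled
        Smb1ServerEnabled   = $serverSmb1
        ListedPatchesFound  = ($found -join ', ')
        # Flag for follow-up only when SMBv1 is reachable AND none of the
        # listed updates is installed. A missing KB is not proof of exposure
        # if a superseding update is present, so treat this as a triage hint.
        NeedsReview         = $smb1Active -and ($found.Count -eq 0)
    }
}

# Check the local machine with the default list.
Test-Smb1Exposure | Format-List
```

This also covers the isolated, LAN-only Windows 10 machines raised later in the thread: they report `NeedsReview` until an update is installed offline or SMBv1 is removed.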

patio

Re: Was Microsoft to blame? No - the NSA.
« Reply #10 on: May 18, 2017, 05:56:55 PM »
Quote
Interestingly, a lot of information online regarding this issue is demonstrably inaccurate.

This says it all...
" Anyone who goes to a psychiatrist should have his head examined. "

Geek-9pm

Re: Was Microsoft to blame? No - the NSA.
« Reply #11 on: May 18, 2017, 09:15:36 PM »
Quote
...
The misconception that Windows 10 isn't affected can be blamed on Microsoft, since Microsoft said that the issue does not affect Windows 10 ...
Is Windows 10 a subscription service or a product you buy and never update?

If it is a service, did the Windows 10 service fail?

If you buy Windows 10 and never want to update it, never connect to anything. Don't even connect to a modern coffee maker.
https://www.cnet.com/news/internet-connected-coffee-maker-has-security-holes/

BC_Programmer


Re: Was Microsoft to blame? No - the NSA.
« Reply #12 on: May 18, 2017, 10:04:26 PM »
Those two options are not in any way jointly exhaustive.

Despite Microsoft's claims otherwise, Windows does not operate as a service; it is a software product which runs on personal computers which can receive updates from their server, which is not the same. And even if we could argue that it was a service, their blog post regarding this ransomware saying that "Windows 10 is not vulnerable" is misleading and even dangerous, and all because they want to push Windows 10 as more secure. Aside from the more obvious case where users may adjust Update functionality via things like Group Policy editor, it also misleads users who may have Windows 10 on systems that are isolated from the Internet, and thus unable to receive updates. If they have not updated since the patch was released then those systems are no less vulnerable than other affected versions of Windows and can be infected over the network. Basically, systems running Windows 10 could be affected by the ransomware.

When they say "Windows 10 is not vulnerable" Microsoft is effectively pretending previous versions of Windows 10 don't exist and that every single version of Windows 10 is magically the latest version, as one would do in a "Software as a Service" environment, even though it's not true and is idiotic PR spin. They should keep their PR spin in their marketing, they shouldn't be putting it in posts that are effectively security advisories and are being used as a source of information regarding how Windows versions are affected.

There are plenty of users that could have been negatively affected by this use of a serious security issue as a chance to spin some positive Windows 10 PR. A concerned administrator might be looking into it to see if they should move their LAN-only file server and connect it to the Internet so it can update. But Microsoft says Windows 10 isn't vulnerable, so it doesn't need to update, so they don't. That system remains vulnerable.
I was trying to dereference Null Pointers before it was cool.

patio

Re: Was Microsoft to blame? No - the NSA.
« Reply #13 on: May 19, 2017, 04:27:25 PM »
According to Kaspersky Labs 98% of infected PCs were running Win7...
" Anyone who goes to a psychiatrist should have his head examined. "

BC_Programmer


Re: Was Microsoft to blame? No - the NSA.
« Reply #14 on: May 19, 2017, 04:32:52 PM »
I wonder how that information was gathered? I'd guess perhaps it's based on their own customer base?
I was trying to dereference Null Pointers before it was cool.