Ransomware Troubles? Blame Legacy Apps And Patch Problems

Plenty of things could explain why a ransomware attack that exploits a Windows vulnerability Microsoft patched in March spread across the globe late this week. IT staff refusing to install the patch, consumers failing to recognize its importance, and other things besides would help rationalize this problem. But in many cases, another problem might be to blame: software development. Or, to be more precise, how often critical apps stop receiving compatibility updates.

Ask someone who works in a hospital why they’re still running Windows XP or Windows 7. Many won’t know, but some are bound to explain that some critical software doesn’t work on newer versions of Windows. These apps simply don’t work on modern operating systems, and if an IT department breaks the software the first time it downloads a Windows update, chances are good that future updates are going to be passed over in favor of the status quo.

This problem extends beyond hospitals. Nonprofits, small businesses, and large enterprises all have software on which they rely. Sometimes this software is maintained, either in-house or by an outside developer, to at least keep pace with new operating systems. (This is to say nothing of keeping up with design trends; many of these apps look like they could’ve run on Windows ME.) Why spend the money to install an operating system only to spend even more money on new apps?

None of this is idle speculation. Citrix found in 2016 that many National Health Service (NHS) hospitals in the UK were still using Windows XP because they needed access to legacy apps. Avanade said in 2013 that 80% of businesses stuck with XP because they feared critical software would stop working if they used newer versions of Windows. Both sectors chose to help save lives or appease shareholders instead of upgrading their operating systems.

Patching an operating system can lead to unexpected problems even if organizations don’t rely on legacy software. Columbia University’s Steven Bellovin explained this problem recently:

Combine these two problems--relying on legacy software and fearing that patches will break stuff--and it’s easier to understand why so many organizations fell victim to a problem that Microsoft solved months ago. It would be easy to blame these groups anyway--their negligence threatened people’s lives and, at the very least, put countless devices at risk. Yet demonizing these hospitals and companies undermines their legitimate concerns about installing patches.

One potential solution would be to develop critical apps in-house. That raises its own problems, though, not the least of which is how these groups will pay for that development. Another would be to test patches on all possible configurations, but that would probably delay patches for critical vulnerabilities. There are no easy answers, at least for some of the organizations affected by this week’s ransomware attack.

You, as an individual, probably don’t have those excuses. You just need to update your operating system; otherwise, you put yourself at risk of falling victim to this attack, even though it appears to have been stopped for now. Just don’t mistake your ability to address this problem for (total) incompetence on the victims’ parts. Legacy software is critical to some people, and patches don’t always work as intended, so it’s not hard to see why some organizations were caught between a rock and a hard place.

  • nzalog
    Yeah, I work for the server team at a hospital and our infosec department has a pretty aggressive patch schedule for all our servers. It still cracks me up when our application analysts give us shit for patching their servers because "it occasionally breaks things". I'd rather occasionally break things in a controlled fashion than occasionally have huge gaping security holes that occasionally bring entire organizations to their knees. It's like they think we get some pleasure out of patching servers... ffs... makes me angry just thinking about it.
  • brucek2
    It was not reasonable for Microsoft to withdraw security patch support for those older operating systems, despite there being customer willingness to pay to fund the effort.

    The costs of ongoing patch support are affordable to the economy as a whole, and the large organizations that are stuck on legacy software would pay for it.

    The costs of having to rewrite all the software that is essentially invisible 'appliance' infrastructure software that runs throughout manufacturing plants, retail points of purchase, control centers, hospitals, military, etc etc etc is not a realistic cost. It is no more realistic than say expecting homeowners to redo their home's plumbing or electrical wiring every few years.

    Lawsuits and/or legislation should be aimed at Microsoft until they rethink their calculus on withholding this support. We have liability laws in the US and this would seem a good use of them. I do not expect them to incur perpetual losses with this support - they should be able to charge for it and they would have no trouble doing so - but placing the global economy and infrastructure at risk in the false hope that they could force upgrade the world's medical terminals to Windows 10 so as to display ads on them is not reasonable.
  • alidan
    I have in the past had 6 Windows updates bluescreen loop. I am VERY hesitant to update anything, and with Microsoft not allowing me to patch security only, or at the very least not reset to apply a patch, I usually only patch once. I found offline patching a while back, and am doing that for security, but Microsoft refuses to patch my OS from the patcher because I have Ryzen. I refuse to use Windows 10 for many reasons, but number 1 is the very legitimate fear of getting Windows to think some hardware has an update, the hardware breaking because of it, me reverting that update only to have Windows re-break the hardware again. 7 already does this with my tablet, but once set up it won't re-break it.

    Now you want to have a solution for this issue? Long term service branch for hardware. Get a board together, take life critical hardware+software and standardize them, and there you go, you've got a testbed organization that will all use the same hardware and the same software that will be supported and patched indefinitely, or at least until the viability of the hardware it's using is no longer supported.

    And how do you get hospitals to be on board? Regulation: you make it a law that they are required to have these systems in place by X date, then subsidize to some extent, if not fully, the hardware upgrade. Then to top it off, allow for experimental/unsupported hardware to be allowed, but it can not be on the grid by law, so you use thumb drives or something similar to take data from place to place, and there you go, a simple solution if you really want to fix the problem.
  • therealduckofdeath
    Well, you get the right to sue Microsoft for not patching a 16 year old operating system the moment you buy the rights to that code, Brucek2. Your arguments that hospitals don't have the competent IT staff to disable the built in promotions for other Microsoft apps and therefore are in their rights to use outdated software is so uneducated it really doesn't deserve a response. I would be more successful winning a lawsuit against you for spreading backwards reasoning on the internet than anyone would be if they'd sue Microsoft for not supporting software they sold when a smartphone was a phone capable of reading email headers. :)
  • therealduckofdeath
    I definitely agree with the writeup that bad procedures are the cause of the success of this ransomware. The fact that it seems like it was more successful in organisations sticking to the de facto security guidelines set up by, amongst others, the HSE in the UK should be an alarm clock. I'm not sure that it would be a smart idea to start developing custom applications on every level. Remember, it was after all custom applications that got most organisations, like the HSE, stuck on Windows XP to begin with. I think the solution would have to be more in the line of having more skilled people in charge of investments, to ensure the organisation will have a minimal risk of steering their applications platforms down an unsupported cul de sac. I've worked for several large corporations and some of them have really terrible IT structures, with several layers of applications to make sure the new hardware works with the old core applications they don't have any available software support for. Those applications were once custom built for core businesses and are considered too critical to tamper with. It was inevitable that this would happen, as this is a pretty common scenario for large organisations that have had wide infrastructures running for decades.
    The "pecking order" within corporations probably had its responsibility when they decided to stick with old operating systems on computers all over their networks. Hardware and operating systems are often considered components that will just have to be kept in a state that supports old applications.
    I don't know if Windows 10 will fix this, but I do think it's at least the smartest solution to make those organisations rethink their security procedures.
    I guess they can consider themselves lucky that this was "only" ransomware, to extort bitcoins in return for an encryption key. It could just as easily have been the largest data theft crisis since the internet was founded.
  • brucek2
    19687498 said:
    Well, you get the right to sue Microsoft for not patching a 16 year old operating system the moment you buy the rights to that code, Brucek2. Your arguments that hospitals don't have the competent IT staff to disable the built in promotions for other Microsoft apps and therefore are in their rights to use outdated software is so uneducated it really doesn't deserve a response. I would be more successful winning a lawsuit against you for spreading backwards reasoning on the internet than anyone would be if they'd sue Microsoft for not supporting software they sold when a smartphone was a phone capable of reading email headers. :)
    You are entitled to your opinion. However I'd note 1) you did respond and 2) Microsoft did issue a patch. You and I are not going to be the only two members of civilization having this discussion and whatever pressures led to Microsoft's policy reversal in this instance may be just beginning.

    The legal, moral, and political issues at play here are complex. On top of that all 3 may have to give way to practical issues as the global economy is not going to accept constant shutdowns, yet rewriting all of the world's legacy software that is not compatible with the currently supported versions of Windows in one week, month, or year is not possible.

    I agree that plenty of hospital IT staffs can "disable the built in promotions" but that's not what is required. Being able to rewrite decades worth of legacy software baked into every nook and cranny of a large complex enterprise is what is required, and it is a different skill set, a different amount of labor required, and it assumes they have the source code or the original vendor is still in business, yet neither may be true.

    Your assertion that a society will forego all legal and political remedies against a product that is dangerous just because it is old is also incorrect - research for example asbestos, tobacco, and thalidomide.
  • nukemaster
    All I can say is backup backup backup.

    Let's face it. These users would not be pushing this ransomware without people paying the fee. These same backups also make rolling back from a bad update fairly painless.

    I personally can not expect MS to patch Windows XP forever. Windows 10's update policy may suck, but the forced updates should actually reduce these issues. Home users will no longer be able to leave updates queued for months on end (even I have a bad habit of doing this on my Media Center system).
  • alextheblue
    19687339 said:
    I have in the past had 6 Windows updates bluescreen loop. I am VERY hesitant to update anything, and with Microsoft not allowing me to patch security only, or at the very least not reset to apply a patch, I usually only patch once. I found offline patching a while back, and am doing that for security, but Microsoft refuses to patch my OS from the patcher because I have Ryzen. I refuse to use Windows 10 for many reasons, but number 1 is the very legitimate fear of getting Windows to think some hardware has an update, the hardware breaking because of it, me reverting that update only to have Windows re-break the hardware again. 7 already does this with my tablet, but once set up it won't re-break it.
    Hi my name is Alidan and I'm having problems with Windows 7 on Ryzen even though I know that's not a supported combination - and I don't care because I refuse to use Windows 10 for some stupid reason even though Ryzen systems run it no problem. Also I run Windows 7 on a tablet which is hilarious. Now if you'll excuse me, even though I'm using a bad combination of old software and new hardware and/or a tablet, I need to whine about it in every single Microsoft-related article even though it's really tiring to read. It's all Microsoft's fault!
  • Altherix
    19687789 said:
    You are entitled to your opinion. However I'd note 1) you did respond and 2) Microsoft did issue a patch. You and I are not going to be the only two members of civilization having this discussion and whatever pressures led to Microsoft's policy reversal in this instance may be just beginning.

    The legal, moral, and political issues at play here are complex. On top of that all 3 may have to give way to practical issues as the global economy is not going to accept constant shutdowns, yet rewriting all of the world's legacy software that is not compatible with the currently supported versions of Windows in one week, month, or year is not possible.

    I agree that plenty of hospital IT staffs can "disable the built in promotions" but that's not what is required. Being able to rewrite decades worth of legacy software baked into every nook and cranny of a large complex enterprise is what is required, and it is a different skill set, a different amount of labor required, and it assumes they have the source code or the original vendor is still in business, yet neither may be true.

    Your assertion that a society will forego all legal and political remedies against a product that is dangerous just because it is old is also incorrect - research for example asbestos, tobacco, and thalidomide.
    You're entitled to support stupid people and continue the reason this mess happened in the first place.
    It started when the first businesses that got ransomware, instead of listening to law enforcement that told them "Don't pay the ransom," paid anyway because the upfront cost seemed cheaper than a long term solution.

    Now today, we've arrived at the can these companies kicked down the road: it became profitable for ransomware writers, so, surprise, they launched a bigger attack to get more money. Why wouldn't they? Businesses have proven they're more than willing to throw money at a short term solution instead of fixing the issue.

    Your reasoning is the same, "These are all critical systems, it would be too costly, too hard, too difficult to replace all these systems!" So you continue the problem for a short term solution which in the long term will cost you more, look at the bigger picture.

    Microsoft's patch release for dead OSes is just a product of our society that I'll point out you're enabling. Our legal system needs an overhaul because, "Well, I'm an idiot." is an accepted legal defense.

    Also, as far as I know asbestos, tobacco, and thalidomide were always bad for you, so your comparison makes no sense. It's not like 98, ME, Vista and XP were always insecure; they became insecure because Microsoft stopped supporting them, and Microsoft was very vocal and clear to customers that they should stop using them after a certain date.
  • JQB45
    How did we get stuck on ME, XP, Vista, 7? This was a known problem for ALL versions of MS Windows since XP up until March.