Please run windows update now

Jonathan Roach jonathan.roach at oracle.com
Mon May 15 21:31:46 UTC 2017


Microsoft aren't stupid. They have learned lessons from the days in the
90s and early 2000s when they were a laughing stock in terms of
security, and since then Windows security has improved enormously. OK,
so it's not perfect, but what software is? Dirty Cow, Shellshock and
Heartbleed for example weren't exactly minor flaws, but the world moved on.

What's key is that administrators need to know how to secure their
estates. If they've failed to apply the patch, that's their failure, not
Microsoft's, but patching was not the only way to have curtailed this
weekend's outbreak. Admins may have had their reasons for not patching -
maybe to do so would have invalidated some kind of certification on an
embedded system for example - but there should have been other controls
in place to limit the spread of this outbreak or others like it.

Something that's puzzled me about events this weekend is that hardly
anyone is mentioning firewalling. Servers generally need ports
135-139/445 to be accessible in order to act as, well, servers - but
workstations don't. Why aren't people - even cash-starved organisations
like the NHS - using the Windows firewall to protect at least their
workstations on an ongoing basis? How did this infection spread between
organisations without being stopped by a border firewall at any point?
Was nothing learned from the Blaster days? (I don't have the answer.)

Although the malware was probably injected into multiple organisations
in numerous countries via multiple phishing attacks, the spread as
reported seemed too fast between organisations and countries for it to
have been driven by phishing attacks alone, and I haven't seen any
reports showing people how to spot the phishing attempts. So I'm
guessing a lot of the propagation even between orgs was by MS17-010.

It would be interesting to find out if anyone saw unusual spikes in SMB
traffic over the weekend, or if there are insights into any of the
semi-rhetorical questions I posed above.

Cheers,
Jon
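A detection check of the kind Jon asks about at the end, added here as an example and not part of the original post or the list archive: it runs over constructed flow records (timestamp, source, destination, destination port; not real data) and flags a host fanning out to many peers on 445 within one minute, plus minutes where the SMB flow count jumps well above the running median. All function names, thresholds and addresses are my own assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from statistics import median

SMB_PORTS = {139, 445}

def build_sample_flows():
    """Constructed flow records (timestamp, src, dst, dport), not real data:
    five workstations talking to one file server for ten minutes, then one
    workstation (assumed 10.0.1.23) sweeping sixty neighbours on 445."""
    t0 = datetime(2017, 5, 12, 12, 0)
    flows = []
    for minute in range(10):
        for ws in range(1, 6):
            ts = t0 + timedelta(minutes=minute, seconds=ws)
            flows.append((ts, f"10.0.1.{ws}", "10.0.0.5", 445))
    t_burst = t0 + timedelta(minutes=10)
    for host in range(1, 61):
        ts = t_burst + timedelta(seconds=host % 60)
        flows.append((ts, "10.0.1.23", f"10.0.1.{host}", 445))
    return flows

def minute_bucket(ts):
    return ts.replace(second=0, microsecond=0)

def smb_fanout(flows, min_targets=20):
    """(src, minute) pairs where one source reached >= min_targets distinct
    hosts on SMB ports: worm-like scanning rather than normal file access."""
    targets = defaultdict(set)
    for ts, src, dst, port in flows:
        if port in SMB_PORTS:
            targets[(src, minute_bucket(ts))].add(dst)
    return {k: len(v) for k, v in targets.items() if len(v) >= min_targets}

def smb_spikes(flows, factor=5):
    """Minutes whose SMB flow count exceeds factor x the median of all
    earlier minutes (the 'unusual spike' a NetFlow collector would show)."""
    per_minute = Counter(minute_bucket(ts) for ts, _, _, port in flows
                         if port in SMB_PORTS)
    spikes, history = {}, []
    for minute in sorted(per_minute):
        count = per_minute[minute]
        if history and count > factor * median(history):
            spikes[minute] = count
        history.append(count)
    return spikes

if __name__ == "__main__":
    sample = build_sample_flows()
    print("fan-out:", smb_fanout(sample))
    print("spikes:", smb_spikes(sample))
```

With real data the same two functions can be fed from an exporter's flow log; the baseline for `smb_spikes` should come from a longer quiet period than the ten minutes constructed here.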



More information about the NANOG mailing list