Did Microsoft Write XP Patch Months Before WannaCry?
The WannaCry ransomware attack earlier this month proved to be a disaster for Windows XP users. In response, Microsoft patched its vulnerable operating systems – including XP, Windows 8 RT, and Windows Server 2003 – last week, outside of the official support window. But did Microsoft write the fixes months before WannaCry went public?
Clues in the Metadata
According to The Register, Microsoft may have written the recently released XP updates as early as February.
The Register’s Iain Thomson reports:
“Our analysis of the metadata within these patches shows these files were built and digitally signed by Microsoft on February 11, 13 and 17, the same week it had prepared updates for its supported versions of Windows. In other words, Microsoft had fixes ready to go for its legacy systems in mid-February but only released them to the public last Friday after the world was engulfed in WannaCrypt.”
The metadata scraped by The Register shows the following dates:
- Windows XP: Feb 11, 2017
- Windows XP Embedded: Feb 17, 2017
Why Would Microsoft Not Release an Update It Has Already Written?
Well, it seems as though Microsoft did release the update, only not to the general public. While official support for Windows XP ended three years ago, a privileged few can still get updates from Microsoft. If you have the money, you can pay Microsoft for custom support for an outdated operating system. Microsoft appears to have sent the patch to its custom support customers earlier this year. After last week’s WannaCry disaster, Microsoft released the update publicly.
And the point is?
Microsoft officially ended its support for those systems; anyone who pays for them can subscribe to the extended support model. Yes, Microsoft writes patches for those systems, however you need to pay to get them. All they did was make one of those patches available to the world. No mystery, no hidden agenda. Do some research before writing pap.
But they are charging top dollar for fixes to mistakes they made themselves. So the more mistakes they make, the more fixes they can sell. There is something very wrong with such a business model.
So they should support archaic operating systems ad infinitum? In the year 2070, when quantum computers are in vogue and artificial intelligence can crack 256 cipher blocks, should they still be offering patches for XP? The thing is dead. Get off it, move on.
No, they should either *really* stop support, or give it to all customers.
What they are doing now is they still write the patch, but only give it to you if you pay through the nose for it. They are making more costs by having to differentiate between customers with and without a support contract. They make these costs so they can create a ‘market’ for security patches.
I would support a law that puts a mandatory support term on consumer targeted software and that explicitly forbids charging money for security fixes.
But they aren’t, they are giving these away for free now. How many Server 2003 and XP, Vista and Win 8 patches have they given away for free because there is a serious issue in the wild? 8, 9 in the last 30 days? TBH I’d be pissed if I’d paid MS $120k US for support only to find them handing out this to everyone afterwards.
Yeah but they waited long enough for the WannaCry ransomware to be released first, creating millions of dollars of damage. MS actually had to spend money to prevent the patch just being released to everyone the first time round.
“I’d be pissed if I’d paid MS $120k US for support only to find them handing out this to everyone afterwards.”
Jealousy? Why would you care?
Personally, I am pissed that the biggest customers for this ‘service’ by Microsoft are governments, hospitals etc. So public organisations spending public funds.