Microsoft holding EternalBlue patches for 3 months

So it’s a week later and I’m still talking about the ridiculous saga that is EternalBlue/WannaCry/Spy vs. Spy. I told myself to discuss something (literally anything) else today, but I continue to be fascinated by the questions that this issue has opened up.  The issue of the day is the question about whether or not Microsoft did the wrong thing by “hoarding” patches for EternalBlue on legacy operating systems like XP.

The background on EternalBlue is this: the NSA got a lot of heat (including some proposed legislation) about the fact that it looks like they were hoarding knowledge about a vulnerability (EternalBlue) in SMB (file sharing).  Since sharing it would negate much of the offensive capability of the issue, they stayed mum about it.  Then, through a patently strange series of events, it came to public knowledge and subsequently was used as one of the key factors that made the WannaCry malware operate so successfully.  In an uncharacteristic move, Microsoft released emergency patches for unsupported legacy versions of their OS to help mitigate the threat against older versions of their OS software.  There is now evidence, though, that they’ve had those patches available for several months and only released them once WannaCry was out in force.  So the question of the day is: should they have released them earlier?

The answer is complicated because there are a few different factors at work here.  First, these products are deprecated.  Ideally, organizations would upgrade the software to something that is supported, but sometimes you just can’t.  Like, say you have some business-critical software that absolutely will not run (even under emulation) on anything newer than Windows XP (heaven help you).  If you’re in this position, you can either elect to “wing it” (never a good idea) or you can purchase paid legacy support from Microsoft, under which they continue to support it at a (ahem) “modest” fee.  On the one hand, it seems to me that Microsoft is under no obligation to support (for free) versions of the operating system that were sunsetted almost a decade ago.  On the other, it doesn’t take a rocket scientist to argue that they should have seen the issue coming with EternalBlue a mile away and done their part to help offset the issue ahead of time.

To unpack this, it is absolutely the case that once the WannaCry storm had started, releasing the patches for free to the world (since, as a function of paid legacy support, Microsoft already had them) seems like the right thing to do.  But the question of whether they should have done it beforehand is a little more complicated.  Arguably, they could have noticed the 9.3 CVSS, remotely-exploitable vulnerability in one of the most commonly-occurring implementations of one of the most-frequently-used protocols on the planet and proactively released the patches to mitigate the issue.  But hindsight is 20/20… so take off the table for a moment whether or not they saw it coming and assume they didn’t. I’d argue they should have, but people make mistakes, so let’s defuse that.  If they didn’t see it, does the vulnerability (on its own merits) rate an emergency patch given that a) the OS versions are deprecated, and b) there is absolutely a support path available to users of it (though not free)?

Here’s the deal…  My opinion is that we’ve already lost once the question is even on the table.  Meaning, it’s not the patch/no-patch part that’s at issue; it’s the legacy support option itself that’s problematic.  Yes, Microsoft makes some money on legacy support.  And it’s tempting to think that maybe it’s lucrative.  But a) I don’t think it’s as lucrative as it appears on the surface and b) even if it is, it’s a short-term proposition only.  Consider: they need to maintain a developer base for legacy code, they need to test patches the same way that they do for other platforms, they need to package and maintain legacy patch distribution channels, etc.  This can’t be cheap, and the operational overhead is probably a good subset (25-50% maybe?) of what it costs for an actively-supported OS.  There’s also the fact that any platform running some legacy version is a sale they don’t make for a newer OS upgrade.  It’s a model whereby the customer base will always decrease over time while overhead, best case, stays roughly the same over the same time period (more likely it increases as the code base drifts farther and farther from the legacy base).  Put simply, as business models go, it’s not one I’d voluntarily sign up for.

But even setting aside the financials for Microsoft (and the fact that it’s an arguably unwise financial proposition long term), I’m not sure it’s a good idea (speaking from the point of view of Internet health generally) for Microsoft to release “emergency patches” – even for serious issues like EternalBlue – as a matter of course.  Why not?  Two reasons.  First, it seems to me that the ultimate goal is to get people to upgrade to a newer platform. It’s bad for us all when they’re not doing so.  Maintaining legacy support gives vendors an excuse to not upgrade special-purpose apps and tools (like those used by hospitals and such) and it gives organizations an “out” for not addressing the root problem.  That’s really not good.  Second, only a small population of the people running the deprecated platforms are going to patch in a timely manner anyway.  Why?  Some are negligent, some are hamstrung, some are extinct, and some are up the proverbial creek.  There is certainly a percentage that are actively not supporting an app they wrote on XP or whatever because it’s legacy; i.e. they’ve sunsetted the thing that needs to run on the legacy platform.  If so, they’re not driving patches for it.  Another percentage is probably running something so touchy that installing the patches is problematic the same way that upgrading is – they may or may not have compensating controls in place (e.g. disabling SMB), but either way, they are not likely to rapidly install even emergency patches.  There are also, of course, systems that are no longer actively maintained.  The utility of the emergency patch therefore only applies to a subset of the install base of the legacy platform.  How much good is it really doing even when the patches are available?  Maybe not as much as you think.

Point being, I think the better question to ask is whether maintaining a legacy support option places people at risk.  I’m not saying it necessarily does… To conclude one way or the other, I’d need data I don’t have (notably financial data from MSFT and analytics about legacy systems impacted by EternalBlue), but I certainly think it’s possible.