Showing posts with label WannaCry.

June 19, 2018

Reminder: Windows 7 really is the new XP

Back during the darkest days of Microsoft's GWX campaign, when they'd abandoned all pretense of simply believing in the quality of the product and offering Windows users a free upgrade, and had instead started switching users' systems to Windows 10 no matter how many times those users had refused, it was already becoming clear that Microsoft had done lasting harm to their own brand, and to the relationship of trust and goodwill that they'd previously enjoyed with Windows 7 users.

I wasn't alone in referring to Microsoft's GWX fiasco as "upgrade-gate," or in pointing out the consequences that Microsoft would have to deal with for the next several years; pieces like this one, from MakeUseOf.com, were easy to find at the time:
Steve Jobs famously said “people don’t know what they want until you show it to them.” Microsoft must think this is true for Windows 10. And so its developers keep finding new ways to trick Windows 7 and 8 users into upgrading because surely they will like Windows 10 once they see it. Or they’ll just surrender.
Personally, I do like Windows 10, but I also appreciate the reasons of those who oppose the upgrade. And I think what Microsoft has been doing is deeply disturbing and unethical. Microsoft acts as if its goal for 1 billion Windows 10 users supersedes the company’s responsibility for its existing Windows customers.
This reckless battle has unintended consequences, which not only hurt Microsoft’s customers, but also its business.
From loss of trust in Windows, to users simply turning off Windows Update to avoid the hated GWX payloads, to actual monetary costs in the form of lost time, bandwidth, and productivity, there were plenty of reasons why Microsoft's overly aggressive GWX push was a bad idea. And while the worst of these for Microsoft, "Home Users Will Abandon Windows," hasn't yet come to pass, there's still no sign that consumers have forgiven Microsoft for the liberties, excesses, and borderline (or actual) abuses of GWX.

Microsoft's GWX push was of a piece with Terry Myerson's Windows-centric strategy, which Microsoft has since abandoned. Two years after GWX's failure, Myerson is no longer at Microsoft; his Windows and Devices Group no longer exists, its various teams having been redistributed across other business units which, according to Microsoft, are actually the future of the company. And Windows 10 is still not as popular as Windows 7... depending on who you ask, of course.

The fallout from GWX still hasn't stopped falling, either. Every month, Microsoft delivers updates for Windows 7, and every month, the description of those updates includes the same disclaimer: "does not include windows 10 upgrade functionality." That's still necessary, more than two years after GWX; that is truly epic levels of fail.

But it actually gets worse for Microsoft.

November 20, 2017

About Windows 10's superior security...

I first saw this story last week on BleepingComputer, but didn't really take the time to understand it properly until today. Honestly, BleepingComputer's coverage was a little dry, and anyone other than a security researcher or system administrator would be forgiven for thinking that it wasn't that big a deal, especially since BleepingComputer's article includes a workaround for the problem.

Well, it turns out that this is a big deal. In fact, it's a really big deal, and it's been blowing up all day.

For example, this story by ZDNet:

Key Windows 10 defense is 'worthless' and bug dates back to Windows 8

Microsoft has been telling users to upgrade to Windows 10 because of its superior in-built defenses against attacks, compared with Windows 7. That advice would be true if it properly implemented the defense known as Address Space Layout Randomization (ASLR).
ASLR is used by Android, Windows, Linux, iOS and macOS to prevent attacks that rely on code executing at predictable memory locations by loading programs at random addresses.
It's been used by Microsoft since Windows Vista to counter memory-based attacks. However, Microsoft introduced an error in Windows 8 when implementing a feature known as Force ASLR or system-wide mandatory ASLR.
[...]
"Starting with Windows 8.0, system-wide mandatory ASLR (enabled via EMET) has zero entropy, essentially making it worthless. Windows Defender Exploit Guard for Windows 10 is in the same boat," [Will Dormann of Carnegie Mellon University's CERT/CC] wrote on Twitter.
[...]
Not only is the feature "worthless" in Windows 10, but Windows 7 with EMET actually does a better job of enforcing ASLR than Windows 10, according to Dormann.
"Actually, with Windows 7 and EMET System-wide ASLR, the loaded address for eqnedt32.exe is different on every reboot. But with Windows 10 with either EMET or WDEG, the base for eqnedt32.exe is 0x10000 EVERY TIME. Conclusion: Win10 cannot enforce ASLR as well as Win7," he wrote.
"Windows 8 and newer systems that have system-wide ASLR enabled via EMET or Windows Defender Exploit Guard will have non-DYNAMICBASE applications relocated to a predictable location, thus voiding any benefit of mandatory ASLR. This can make exploitation of some classes of vulnerabilities easier," wrote Dormann in a CERT/CC advisory.
Dormann notes there is no solution to this problem, but has offered a workaround in the advisory that admins can follow.
So, not only is this a major bug that Windows 7 doesn't have, but it's been an undetected part of Windows since Windows 8 shipped in 2012, and it isn't fixed yet in Windows 8 or 10. To be precise about what broke: the bug only bites when an administrator has switched on system-wide mandatory ASLR through EMET or Windows Defender Exploit Guard, and it only affects executables and DLLs built without the DYNAMICBASE flag, like the eqnedt32.exe in Dormann's example. In a default configuration Windows never randomizes those images at all, so the opt-in hardening that was supposed to cover them was silently doing nothing, or worse, parking them at the same predictable address every time. There's no telling how much damage may already have been done by attackers exploiting this weakness on hardened Windows 8 and 10 systems, even as users of those versions believed themselves to be safer than Windows 7 users... something which, for this particular setting, simply wasn't true. This comes after a year in which Microsoft has been telling people that Windows 10 was all but impervious to ransomware, apparently unaware that this bug made some classes of memory-corruption vulnerabilities easier to exploit.

Yikes.

The workaround, incidentally, is a registry edit... coincidentally, also the way you can turn off Cortana to safeguard your privacy, but still something which most users are simply not comfortable doing. Or, as ExtremeTech puts it:
As always, we do not recommend mucking about in the registry unless you are certain you know what you’re doing. US-CERT has some additional details on both the problem and this fix available on its website. And yes, Windows 7 users, you get to preen a bit — this problem does not affect your operating system.
If you're thinking that US-CERT sounds very governmental, it is: specifically, it's the U.S. Computer Emergency Readiness Team, part of the Department of Homeland Security. The vulnerability note itself, though, came out of CERT/CC at Carnegie Mellon, as quoted above; US-CERT relayed it.

Microsoft are apparently aware of the issue... now... and they're working on a fix, although they're denying that this is a vulnerability according to ThreatPost:
Microsoft told Threatpost it acknowledges the issue.
“The issue described by the US-CERT is not a vulnerability. ASLR is functioning as designed and customers running default configurations of Windows are not at increased risk. The US-CERT discovered an issue with configuring non-default settings for ASLR using Windows Defender Exploit Guard and EMET, and provided workarounds. Microsoft is investigating and will address the configuration issue accordingly,” Microsoft said.
So, it's not a vulnerability... it just leaves your data more vulnerable to attack. Riiiiight.
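The practical question the advisory leaves you with is which binaries on a given box actually fall into the "non-DYNAMICBASE" bucket that mandatory ASLR was supposed to cover. What follows is an added example, not code from this post or from CERT/CC: a small Python reader for the PE headers that reports whether an image opts into ASLR (IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE, 0x0040), whether a 64-bit image additionally allows high-entropy addresses (IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA, 0x0020), and whether it carries a base relocation table at all, since an image with no relocations cannot be moved by any ASLR setting, mandatory or otherwise. The flag values and header offsets are from the PE/COFF specification; the test images are constructed, header-only blobs produced by build_pe(), not real binaries.

```python
import struct

# DllCharacteristics bits from the PE/COFF specification
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA = 0x0020
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
IMAGE_DIRECTORY_ENTRY_BASERELOC = 5   # index of the base relocation table


def inspect_pe(data: bytes) -> dict:
    """Read the ASLR-relevant header fields of a PE image held in memory.

    Verdicts:
      "randomized"     - DYNAMICBASE set; randomized by default since Vista
      "mandatory-only" - no DYNAMICBASE but has relocations; only system-wide
                         mandatory ASLR (EMET/WDEG) can move it, which is the
                         case the CERT/CC note says Windows 8+ gets wrong
      "fixed"          - no relocation table; nothing can move it
    """
    if data[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    opt = e_lfanew + 4 + 20          # optional header follows the 20-byte COFF header
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic == PE32_MAGIC:
        pe32plus, num_dd_off, dd_off = False, 92, 96
    elif magic == PE32PLUS_MAGIC:
        pe32plus, num_dd_off, dd_off = True, 108, 112
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    # DllCharacteristics is at offset 70 in both the PE32 and PE32+ layouts
    (dll_chars,) = struct.unpack_from("<H", data, opt + 70)
    (num_dd,) = struct.unpack_from("<I", data, opt + num_dd_off)
    reloc_rva = reloc_size = 0
    if num_dd > IMAGE_DIRECTORY_ENTRY_BASERELOC:
        reloc_rva, reloc_size = struct.unpack_from(
            "<II", data, opt + dd_off + 8 * IMAGE_DIRECTORY_ENTRY_BASERELOC)
    dynamic_base = bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)
    # HIGH_ENTROPY_VA only means something for 64-bit images
    high_entropy = pe32plus and bool(dll_chars & IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA)
    relocatable = reloc_rva != 0 and reloc_size != 0
    if dynamic_base:
        verdict = "randomized"
    elif relocatable:
        verdict = "mandatory-only"
    else:
        verdict = "fixed"
    return {"pe32plus": pe32plus, "dynamic_base": dynamic_base,
            "high_entropy_va": high_entropy, "relocatable": relocatable,
            "verdict": verdict}


def inspect_file(path: str) -> dict:
    """Same check for a binary on disk; the headers fit comfortably in 64 KiB."""
    with open(path, "rb") as f:
        return inspect_pe(f.read(65536))


def build_pe(dll_characteristics: int, has_relocs: bool, pe32plus: bool = False) -> bytes:
    """Constructed, header-only PE image for testing; not a runnable binary."""
    e_lfanew = 0x40
    dos = bytearray(b"MZ" + b"\0" * 0x3E)
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    opt_size = 240 if pe32plus else 224      # 16 data directories in both cases
    machine = 0x8664 if pe32plus else 0x14C  # AMD64 / I386
    coff = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC if pe32plus else PE32_MAGIC)
    struct.pack_into("<H", opt, 70, dll_characteristics)
    num_dd_off, dd_off = (108, 112) if pe32plus else (92, 96)
    struct.pack_into("<I", opt, num_dd_off, 16)
    if has_relocs:
        struct.pack_into("<II", opt, dd_off + 8 * IMAGE_DIRECTORY_ENTRY_BASERELOC, 0x3000, 0x40)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        print(path, inspect_file(path))
```

Run it over a Program Files tree and anything reported as "mandatory-only" is exactly the set of images whose protection depended on the setting Dormann found broken; anything reported as "fixed" was never going to be randomized on any version of Windows, EMET or not.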

It's at this point that I'll remind you that Windows 7 is still in its extended support period, which means that you can stay with its superior enforcement of system-wide ASLR until January 2020, if you're into that sort of thing. And while I don't expect that anyone will abandon Windows 10 for Windows 7 over this issue, I must say that this latest black eye for Microsoft, coming so soon after the scaremongering they and their apologists were doing over WannaCry and ransomware just a few months ago, is oddly satisfying. Or maybe not so oddly.

June 14, 2017

Better slowly than not at all...

From the notes on Windows 7 update KB2952664 [emphasis added]:
This update performs diagnostics on the Windows systems that participate in the Windows Customer Experience Improvement Program. The diagnostics evaluate the compatibility status of the Windows ecosystem, and help Microsoft to ensure application and device compatibility for all updates to Windows. There is no GWX or upgrade functionality contained in this update.
Well, well, well. It seems that they do learn, after all. Slowly, to be sure, and at some great cost, but they do seem to be finally getting the message.

Other good news? This month's security updates also include further patches against the same family of leaked exploits that WannaCry drew on, and they were released for Windows XP concurrently with Windows 7, 8, and 8.1, and for free, rather than after months of delay spent trying to sell expensive custom support contracts to XP customers. So I guess they learned that lesson, too.

It's nice to see tacit acknowledgement from Microsoft that they and their Windows 7 users don't still have the same relationship of trust and good will that existed just two years ago, but it's also a clear sign of how seriously that relationship has deteriorated. How badly must Microsoft have fucked this up, that a note promising a clean update, i.e. with no upgrade bullshit, is even necessary? How many Windows 7 users do you think will avoid installing these updates anyway, just to be "safe?" How many of them still have Windows Update turned off completely, thanks to Microsoft's GWX abuses?

Microsoft have a long, long way to go, yet, to get back into their customers' good graces. Considering that they haven't yet actually apologized for all the bullshit they've pulled in the last couple of years, it's fair to say that they haven't even really started to make their way back. They do seem to be thinking about it, though; I just hope they learn the real lesson of their XBO-X failure, and start working to earn redemption before it's too late, and not after.

June 06, 2017

"WannaCry" ported to Windows 10

Remember when WannaCry was making the rounds, and Microsoft's apologists were taking advantage of that to scare reluctant WinXP and Win7 users into switching to Windows 10? Well, it turns out that Windows 10 may not be as safe as all that, after all, because the same exploit that WannaCry... exploits also works on Windows 10. Oops!

From Threatpost:
The NSA’s EternalBlue exploit has been ported to Windows 10 by white hats, meaning that every unpatched version of the Microsoft operating system back to Windows XP—and likely earlier—can be affected by one of the most powerful attacks ever made public.
Researchers at RiskSense, among the first to analyze EternalBlue, its DoublePulsar backdoor payload, and the NSA’s Fuzzbunch platform (think: Metasploit), said they would not release the source code for the Windows 10 port for some time, if ever. The proof of concept has been in the works since the ShadowBrokers’ April leak of Equation Group offensive hacking tools targeting Windows XP and Windows 7, as well as the development of a Metasploit module based on EternalBlue released two days after the WannaCry attacks. The best defense against EternalBlue, researchers maintain, is to apply the MS17-010 update provided in March by Microsoft.
So, it seems that the only advantages that Windows 10 provided were: (a) that not enough users had switched to Windows 10 for black hat hackers to bother targeting it, and (b) that Windows 10 users have no control over Windows Update, which means that they were patched in spite of themselves... which is something of a mixed blessing. Note that, per the same report, the port, like the original exploit, only works against machines that haven't received MS17-010; a patched Windows 7 box is no more exposed than a patched Windows 10 one.

This is part of the problem that Microsoft have when pitching Windows 10's alleged security superiority over Windows 7. Redmond had spent years working to convince Windows users that their OS was every bit as safe as any other OS on the market; Linux and MacOS may have been targeted by fewer attacks and exploits, but that was just because Windows was so much more popular than they were. Well, guess what? That worked. And now Windows 7 users aren't buying it, when Microsoft try to convince them that safe-as-houses Windows 7 is full of fatal flaws.

That's the catch-22, the cleft stick in which Microsoft find themselves. If Microsoft were telling the truth before, then Windows 7 is basically as safe as any other OS, and users have no reason to believe Microsoft's recent scare-mongering. On the other hand, if Microsoft were lying before, then Windows has never been safe, and users would always have been better served by switching to Linux, because why would Microsoft be any more trustworthy on the subject now, when they have a vested material interest in lying to us? Having spent two years eroding users' trust with their abusive GWX shenanigans, intrusive "privacy" policies, and monopolistic bullshit, Microsoft's customers simply aren't willing to listen as they WannaCry wolf.

GG, Microsoft. Good job.

May 22, 2017

Windows XP not only didn't spread WannaCry - it couldn't

It turns out that most of the WannaCry story that everybody thought they knew is actually wrong, and Microsoft's motives for patching Windows XP to defend against the malware attack may be even murkier than was previously reported.

Rather than take aim at Windows XP, WannaCry targeted Windows 7 and Windows Server 2008, Kaspersky's data showed. [...]
The reason for XP's absence from the WannaCry count was simple. "WannaCry itself did not support Windows XP," [Costin Raiu, director of Kaspersky Lab's global research and analysis team] said, noting that the exploit neither focused on XP nor reliably worked on the 2001 operating system. Individual machines could be infected -- the researchers and testers who put WannaCry on Windows XP systems likely ran it manually -- but the worm-like attack code would not spread from an XP PC, and in some cases, executing the exploit crashed the computer.
That put Microsoft's decision to issue a security patch for Windows XP in a different light. [...] Computerworld, like many other publications, assumed Microsoft released patches for Windows XP and Server 2003 because it believed older -- and unprotected -- systems were instrumental in spreading WannaCry.
Raiu thought different. "I think Microsoft was worried about the possibility of someone leveraging this exploit," Raiu argued. "Their fear was that it could be theoretically possible to repurpose the exploit to attack Windows XP."
It wasn't a surprise that WannaCry's backers had primarily pointed the attack at Windows 7. "They focused on the most-widespread platform," said Raiu.
According to analytics vendor Net Applications, approximately 53% of all Windows personal computers ran Windows 7 last month. That was nearly double the share of the newer Windows 10, which clocked in at 29%, and more than eight times that of Windows XP's 8%. Cyber criminals typically aim attacks at the most popular operating systems and versions within each OS, a logical practice when profit is paramount. That's especially true of extortion rackets like WannaCry's payload, which encrypts files and then demands a ransom payment to decrypt those hijacked files.
It's hard to say whether this makes Microsoft's decision to shake down Windows XP customers for more "custom" support contracts before finally patching the vulnerability for free look slightly less shitty, or even more so. After all, if WannaCry couldn't even affect machines running Windows XP in its extant form, then Microsoft were essentially shaking down customers like the UK hospital system for "protection" against a threat that actually posed more of a threat to their Windows 7/Server 2008 machines than it did to their Windows XP/Server 2003 PCs. The fact that less harm may have resulted from the delay than was previously believed mitigates the shittiness somewhat... but only somewhat.

Microsoft apologists used headlines that blamed Windows XP for the spread of the malware to blame the victims, telling them to just switch to Windows 10, already, and the same apologists are predictably using this latest news to argue that Windows 7 users should do the same. It's an argument that conveniently ignores the simple fact that Windows 10 was no more the target of WannaCry than Windows XP was, for the simple reason that big, rich corporations and other large institutions haven't yet adopted the latest iteration of Microsoft's OS (and Windows 10, like Windows 7, had been covered by MS17-010 since March anyway, so a patched machine of either vintage was never in play). Whether the WannaCry outbreak will drive people towards Windows 10 or not remains to be seen; with most of the early headlines blaming XP for the outbreak, many Windows 7 users may already have lost interest, especially since Windows 7 has already been patched to defend against the WannaCry exploit.

May 19, 2017

Can I call "backsies" on that?

A couple of days ago, I was praising Microsoft for patching Windows XP to protect users of that old OS against the WannaCry ransomware that was spreading like wildfire through organizations like the NHS. I even said that it was better that they did it late, than that they not do it at all, and praised them for not exploiting the situation to shake down WinXP users for more money, or to push them to switch to Windows 10, either of which would have been more in keeping with their pattern of behaviour over the last couple of years.

Today, however, I'm taking all of that back. Because it turns out that Microsoft had the XP WannaCry patch ready to go months ago, held it back while they shook down their customers for more money, and only finally released it for free once the unpatched vulnerability started taking down hospitals.

From Tech Times:
Microsoft, which called out the NSA and other government agencies for their role in the creation and launch of WannaCry, may itself have been part of why the ransomware was able to cause so much chaos.
As the world attempts to recover from the damage caused by WannaCry, a new report claims that Microsoft could have helped prevent its spread, but decided not to do so.
According to a report by the Financial Times, Microsoft held back a free update that would have patched up the vulnerability that WannaCry used to compromise computers running on the old Windows XP operating system.
The report claims that Microsoft delayed the rollout of the patch because it initially wanted payments of up to $1,000 per Windows XP computer for "custom" support.
Microsoft has struggled to push users and corporations to upgrade from older versions of the Windows operating system to the latest and secure Windows 10, even if the company had already stopped the support for versions such as Windows XP. The significant number of users who have not yet upgraded to Windows 10 were highly vulnerable to WannaCry when it started its worldwide rampage last week.
Microsoft still continues to provide support for governments and organizations, but in exchange for hefty payments. While the company offers special deals for the first year, the high costs have forced entities such as the National Health Service of the United Kingdom to discontinue receiving support.
The National Health Service turned out to be one of the biggest victims of WannaCry, as it spread across 150 countries and infected about 200,000 computers.
That is so much bullshit, in one tidy package. The fact that Microsoft had the sheer gall to be complaining about spy agencies' stockpiling of these vulnerabilities, when they themselves were using the same vulnerabilities to shake the UK's hospital system down for an amount of cash that they damn well knew the NHS didn't have to spend, is reprehensible. Microsoft's blatant greed, and their wilful disregard for the consequences to innocent bystanders when their broken shit took down the UK's hospital system, all of it feels like something that should be actionable. If there isn't already a law against this, there should be.

Good job, Microsoft! You've managed to take the one halfway-decent thing you've done in the last two years, and turn it into bullshit. Of all the egregiously anti-consumer shit you've pulled in the last two years, this is literally the worst. Fuck you all.

And fuck the tech writers, too, who keep trying to blame the victims for having been victims here. And, yes, that includes Tech Times, who end their article with this chestnut:
However, the victims of WannaCry may also blame themselves for remaining unprotected against the ransomware attack. Many users and corporations could have prevented having their systems locked by the ransomware by upgrading their operating systems and installing the necessary updates, instead of subscribing to the theory of "if it's not broke, don't fix it."
According to Microsoft, it prefers for users and enterprise customers to upgrade to Windows 10 instead of having to pay for support for older versions of the operating system. It can be argued that Microsoft should have released the patch to fix the vulnerability that WannaCry exploited in Windows XP, but perhaps it would have been better off if customers were not on Windows XP in the first place.
There are reasons why the publicly-funded NHS hasn't replaced all of its fully-functional Windows XP machines with expensive new PCs, you dicks, and the hospital-specific software they're running may not even be compatible with newer versions of Windows. The fact that you'd even think to blame the victims for this, after it's been revealed that Microsoft actually tried to cash in on WannaCry by extorting money from the UK hospital system, is beyond the pale. 

The NHS's patients (also victims of WannaCry) are not at fault, here, and the NHS certainly doesn't bear any weight of culpability comparable to that of the actors who exploited this vulnerability for financial gain. That burden falls entirely on two sets of shoulders: those of the black hats who shipped this ransomware in the first place, and those of Microsoft, who tried to exploit the occasion to squeeze some extra money out of the UK's fucking hospital system. Fuck anyone who says otherwise, and fuck Microsoft, too.

Fuck.

May 13, 2017

Doing the right thing, because it's the right thing to do.

Microsoft has pulled a lot of anti-consumer bullshit over the last couple of years... like when they literally broke Windows Update for users running older versions of the OS on new PCs, and responded to the outcry by recommending that we all just embrace Windows 10, already. The fact that users had to fix that for themselves, and did, does not in any way excuse that bit of bullshit, and it's really just the tip of the iceberg of bullshit that Microsoft has shovelled at consumers in the last couple of years. Suffice it to say that the bullshit is neither forgotten nor forgiven, and that occasions to actually praise the Redmond team have been few and far between.

So when news broke earlier in the week about the massive "Wana Decrypt0r" ransomware attack, which was taking down hospitals in the UK and spreading like wildfire, I wasn't expecting Microsoft to offer much help to users of Windows XP. WinXP hasn't been supported by Microsoft for years, after all, and the fact that lots of hospitals still use it hadn't been enough to change Microsoft's mind about that before now; most articles that I read on the subject also took for granted that WinXP users were basically screwed, and needed to upgrade their PCs to something that could run Windows 10.

Microsoft, however, either decided that (a) the optics of patching every other version of Windows against Wana Decrypt0r but leaving hospitals vulnerable were seriously sub-optimal, or (b) that the life-and-death realities of patching every other version of Windows against Wana Decrypt0r but leaving hospitals vulnerable were too awful to think about, or (c) both. Whatever the thinking was, though, they issued a patch for Windows XP today that fixes the weakness that this ransomware was exploiting.

From BleepingComputer:
Following the massive Wana Decrypt0r ransomware outbreak from yesterday afternoon, Microsoft has released an out-of-band patch for older operating systems to protect them against Wana Decrypt0r's self-spreading mechanism.
The operating systems are Windows XP, Windows 8, and Windows Server 2003. These are old operating systems that Microsoft stopped supporting years before and did not receive a fix for the SMBv1 exploit that the Wana Decrypt0r ransomware used yesterday as a self-spreading mechanism.
[...]
Microsoft had released a fix for that exploit a month before, in March, in security bulletin MS17-010. That security bulletin only included fixes for Windows Vista, Windows 7, Windows 8.1, Windows 10, Windows Server 2008, Windows Server 2012, and Windows Server 2016.
As SMBv1 is a protocol that comes built in with all Windows versions, the computers which did not receive MS17-010 remained vulnerable to exploitation via Wana Decrypt0r's self-spreading package.
"Given the potential impact to customers and their businesses, we made the decision to make the Security Update for platforms in custom support only, Windows XP, Windows 8, and Windows Server 2003, broadly available for download," Microsoft said in a statement. "This decision was made based on an assessment of this situation, with the principle of protecting our customer ecosystem overall, firmly in mind."
Researchers believe that Wana Decrypt0r [...] infected over 141,000 computers [...] While unconfirmed, many believe older Windows XP and Windows Server versions were the bulk of the infections pool, as they had no way to protect themselves.
The customer ecosystem here, remember, disproportionately involves hospitals, and other essential institutions that are still using Windows XP because their publicly-funded budgets can't afford to upgrade all of their PCs. It would have been great if they'd patched those older OS versions last month, of course, or at least before so much damage was done, but better late than never. And I mean that sincerely, considering how many vulnerable PCs and servers are out there, it really is better that they did this now, than not at all.
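If you take the BleepingComputer line above at face value (SMBv1 is built into every Windows version, and anything that missed MS17-010 is reachable through it), the first practical check is which hosts on your network are still speaking SMBv1 at all. What follows is an added example, not code from this post or from any of the outlets quoted here: a Python parser for the SMB1 NEGOTIATE request, the first message an SMBv1 client sends after the NetBIOS session header, plus a small helper that maps each source in a set of captured first packets to the dialects it offered. "NT LM 0.12" is the dialect every SMBv1-capable Windows offers, so a source advertising it is one an SMBv1 worm of this kind could talk to; SMB2 and SMB3 negotiates (which start with 0xFE 'SMB') are deliberately ignored. The sample packets are constructed inline by build_smb1_negotiate() and SAMPLE_SMB2, not real captures; the header layout (32-byte SMB header, WordCount, ByteCount, then 0x02-prefixed NUL-terminated dialect strings) is the one from the CIFS/SMB1 specification.

```python
import struct
from typing import Optional

SMB1_MAGIC = b"\xffSMB"
SMB2_MAGIC = b"\xfeSMB"
SMB_COM_NEGOTIATE = 0x72
SMB1_HEADER_LEN = 32
NT_DIALECT = "NT LM 0.12"   # the dialect every SMBv1-capable Windows offers


def parse_smb1_negotiate(pkt: bytes) -> Optional[list]:
    """Return the dialects offered in an SMB1 NEGOTIATE request, or None.

    `pkt` is a NetBIOS Session Service message: a 4-byte header (type 0x00,
    24-bit big-endian length) followed by the SMB message. Anything that is
    not a well-formed SMB1 NEGOTIATE yields None.
    """
    if len(pkt) < 4 + SMB1_HEADER_LEN + 3:
        return None
    if pkt[0] != 0x00 or int.from_bytes(pkt[1:4], "big") != len(pkt) - 4:
        return None                                  # not a session message, or truncated
    smb = pkt[4:]
    if smb[:4] != SMB1_MAGIC or smb[4] != SMB_COM_NEGOTIATE:
        return None
    word_count = smb[SMB1_HEADER_LEN]                # parameter words (0 for NEGOTIATE)
    bc_off = SMB1_HEADER_LEN + 1 + 2 * word_count
    if len(smb) < bc_off + 2:
        return None
    (byte_count,) = struct.unpack_from("<H", smb, bc_off)
    data = smb[bc_off + 2: bc_off + 2 + byte_count]
    dialects = []
    pos = 0
    while pos < len(data):
        if data[pos] != 0x02:                        # each dialect: 0x02 + ASCII + NUL
            return None
        end = data.find(b"\x00", pos + 1)
        if end == -1:
            return None
        dialects.append(data[pos + 1:end].decode("ascii", "replace"))
        pos = end + 1
    return dialects


def smb1_talkers(flows) -> dict:
    """Map each source that sent an SMB1 NEGOTIATE to the dialects it offered.

    `flows` is an iterable of (source, first_packet) pairs, e.g. the first
    client-to-server packet of every TCP/445 session in a capture. Sources
    that only ever negotiated SMB2/3 do not appear in the result.
    """
    hits = {}
    for src, pkt in flows:
        dialects = parse_smb1_negotiate(pkt)
        if dialects is not None:
            hits[src] = dialects
    return hits


def build_smb1_negotiate(dialects) -> bytes:
    """Constructed SMB1 NEGOTIATE request for testing (not a real capture)."""
    header = (SMB1_MAGIC + bytes([SMB_COM_NEGOTIATE])
              + b"\x00" * 4          # NT status
              + b"\x18"              # Flags
              + b"\x53\xc8"          # Flags2
              + b"\x00" * 2          # PIDHigh
              + b"\x00" * 8          # SecurityFeatures
              + b"\x00" * 2          # Reserved
              + b"\x00\x00"          # TID
              + b"\xfe\xff"          # PID
              + b"\x00\x00"          # UID
              + b"\x00\x00")         # MID
    assert len(header) == SMB1_HEADER_LEN
    data = b"".join(b"\x02" + d.encode("ascii") + b"\x00" for d in dialects)
    smb = header + b"\x00" + struct.pack("<H", len(data)) + data
    return b"\x00" + len(smb).to_bytes(3, "big") + smb


# Constructed SMB2 NEGOTIATE stand-in (64-byte header, zeroed) for contrast
SAMPLE_SMB2 = b"\x00" + (68).to_bytes(3, "big") + SMB2_MAGIC + b"\x00" * 64
```

Feed smb1_talkers() the first client packet of each TCP/445 session from a capture and the result is the inventory of machines still negotiating SMBv1, which, patched or not, is the population the ransomware's spreader could reach; a host that never shows up there is out of scope for this exploit regardless of which Windows version it runs.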

Good job, Microsoft. You've done a good thing today, and one that nobody expected you to do. Now we just have to convince you to make this a habit...