Company warns of “destructive cyberattacks” as it tries to prevent another WCry.

On Tuesday, Microsoft took the highly unusual step of issuing security patches for XP and other unsupported versions of Windows. The company did this in a bid to protect the OSes against a series of "destructive" exploits developed by, and later stolen from, the National Security Agency.

By Ars' count, Tuesday is only the third time in Microsoft history that the company has issued free security updates for a decommissioned product. One of those came one day after last month's outbreak of the highly virulent "WCry" ransom worm, which repurposed NSA-developed exploits. The exploits were leaked by the Shadow Brokers, a mysterious group that somehow got hold of weaponized NSA hacking tools. (WCry is also known as "WannaCry" and "WannaCrypt.")

Tuesday's updates, this updated Microsoft post shows, include fixes for three other exploits that were also released by the Shadow Brokers. A Microsoft blog post announcing the move said the patches were prompted by an "elevated risk of destructive cyberattacks" by government organizations.

"In reviewing the updates for this month, some vulnerabilities were identified that pose elevated risk of cyberattacks by government organizations, sometimes referred to as nation-state actors, or other copycat organizations," Adrienne Hall, general manager of crisis management at Microsoft, wrote. "To address this risk, today we are providing additional security updates along with our regular Update Tuesday service. These security updates are being made available to all customers, including those using older versions of Windows."

The critical down-level patches, as Microsoft refers to the updates for Windows XP, Vista, and Server 2003, contain fixes or mitigations for three NSA-developed exploits. Those exploits are code-named "EsteemAudit," "ExplodingCan," and "EnglishmanDentist." EsteemAudit exploits vulnerabilities in the Windows Remote Desktop Protocol, ExplodingCan exploits flaws in IIS 6.0, and EnglishmanDentist exploits Microsoft Exchange servers. None of those exploits work on supported versions of Windows.

The down-level patches come in addition to the normal Patch Tuesday releases. Normal releases are delivered automatically through the Windows Update mechanism to devices running supported Windows versions, including 10, 8.1, 7, and post-2008 Windows Server releases. The down-level patches, by contrast, must be manually downloaded and installed. They are available in the Microsoft Download Center or, alternatively, in the Update Catalog.

Preventing another WCry outbreak

In a separate blog post, Eric Doerr, general manager of the Microsoft Security Response Center, said the move was designed to fix "vulnerabilities that are at [heightened] risk of exploitation due to past nation-state activity and disclosures." He went on to urge users to adopt newer Microsoft products, which are significantly more resistant to exploits, and not to expect regular security fixes for unsupported versions in the future.

"Our decision today to release these security updates for platforms not in extended support should not be viewed as a departure from our standard servicing policies," he wrote. "Based on an assessment of the current threat landscape by our security engineers, we made the decision to make updates available more broadly."

Tuesday's issuance of down-level patches is only the latest in a series of unusual events involving Microsoft's once-predictable security update regimen. In an unprecedented move in February, Microsoft abruptly canceled its Patch Tuesday, citing only a "last-minute issue." In April, the Shadow Brokers published a cache of weaponized attack code that included dozens of tools. A day after the release, Microsoft revealed that it had issued patches that protected supported versions of Windows against the attacks. Most of those fixes had come in an update delivered in March that took the unusual step of not naming the party who had reported the vulnerability.

In May, attackers repurposed one of the exploits with the code-name EternalBlue and used it to develop WCry, a self-replicating delivery vehicle that installed ransomware on more than 200,000 computers. Within 24 hours, Microsoft issued a free patch that protected unsupported versions of Windows against the EternalBlue vulnerabilities. Only weeks later would security researchers show that more than 90 percent of the computers that succumbed to WCry were supported versions of Windows that had yet to install a patch that had been publicly available for more than 60 days. Unsupported Windows versions played very little role.

The only other time in recent memory Microsoft has patched an unsupported version of Windows was in 2014, when it issued a critical update for Windows XP during the same week it decommissioned the version. Tuesday's move suggests Microsoft may have good reason to believe attackers are planning to use EsteemAudit, ExplodingCan, and EnglishmanDentist in attacks against older systems. Company officials are showing that, as much as they don't want to set a precedent for patching unsupported Windows versions, they vastly prefer that option to a potential replay of the WCry outbreak.