Microsoft just released patches for a ‘wormable’ vulnerability, and took the unusual step of including XP and Server 2003. That’s prompted conversations and comments about legacy operating systems and ‘enabling’ tardy upgraders. While there are people who still have their head down in denial, there are other cases where it’s much more complicated.
Clearly end users shouldn’t be on XP these days (and soon shouldn’t be on Windows 7). But what happens when that endpoint is controlling a multi-million dollar piece of industrial equipment? Or when it’s embedded into devices like an ATM that require significant investment to replace across an environment In many cases the vendor doesn’t support an upgrade (or has gone out of business), and requires either a major overhaul or outright replacement of the entire system.
On the Server 2003 side, it can be similar – large scale applications have been built that cannot be upgraded easily (or at all), either because the vendor is out of business, or there isn’t sufficient capital available to replace the system. In some cases, it’s a critical line of business application and the source code isn’t even available.
Security folks tend to default to a ‘replace it’ approach, and that’s definitely reasonable given the legacy nature of those platforms, but it’s never that simple. Risk has to be balanced with cost, and often that results in lingering legacy environments. In most of those cases, companies have either firewalled or airgapped those endpoints, sometimes moving to a virtual environment as well. Unfortunately, some do require internet access for maintenance or functionality, so there may be ways in.
So when a vulnerability comes along that can be ‘wormable’ – autonomous spreading of malware without user intervention, there’s a small (but very important) set of infrastructure that’s at risk. These systems can’t just be unplugged or disabled easily, as it can have significant impact to the business – potentially to the ‘go out of’ level.
That’s why Microsoft’s decision to issue the patches is commendable. They’re protecting the ones that legitimately can’t upgrade from the tardy upgraders. In some cases folks won’t, so a worm may still hit, but if a significant portion do, the effects will be contained and isolated – and that’s where herd immunity comes it. If we can get most of the legacy systems patched, the risk to the entire environment drops.
If you have legacy systems, by all means, use this as a reason to have the conversation (again) with your stakeholders and vendors about upgrading. But first, find the machines, and get the patches applied, courtesy of Microsoft’s good will. Kudos to them for protecting the herd.