Microsoft warns flaw in Windows legacy systems 'likely to be exploited' similar to WannaCry

Microsoft has taken the rare step of releasing a patch for a handful of legacy operating systems it no longer services after finding a critical vulnerability. The company is warning users to patch their systems quickly to avoid another WannaCry ransomware attack.

It is "highly likely" that malicious actors will write an exploit for this vulnerability, Simon Pope, director of incident response at the Microsoft Security Response Center (MSRC), said in a blog post Tuesday announcing the vulnerability.

Vulnerable in-support systems include Windows 7, Windows Server 2008 R2 and Windows Server 2008, Microsoft said.

Downloads for in-support versions of Windows can be found in the Microsoft Security Update Guide. Customers who use an in-support version of Windows and have automatic updates enabled are automatically protected, the company said.


Microsoft is also releasing fixes for out-of-support systems, including Windows 2003 and Windows XP. While Windows 2003 and XP are no longer maintained by the tech giant and no longer receive security patches, much of the healthcare sector, particularly medical devices, still uses those platforms.

Customers running Windows 8 and Windows 10 are not affected by this vulnerability, the company said.

Microsoft's move to issue patches for unsupported operating systems is unprecedented and is a major red flag for the healthcare industry, David Finn, executive vice president of strategic innovation at cybersecurity firm CynergisTek, told FierceHealthcare.

"They recognize there is a significant risk here and a threat. For them to go back and write patches for operating systems like XP that they don’t support or Windows Server 2003, there’s a message there, and everyone who has those operating systems really needs to be paying attention to that message," Finn said.

In the blog post, Microsoft said it released fixes for a critical remote code execution vulnerability, CVE-2019-0708, in remote desktop services—formerly known as terminal services—that affects some older versions of Windows. 

Microsoft said the vulnerability is "wormable," meaning that any future malware that exploits it could propagate from vulnerable computer to vulnerable computer without user interaction, much as the WannaCry malware spread across the globe in 2017.

"While we have observed no exploitation of this vulnerability, it is highly likely that malicious actors will write an exploit for this vulnerability and incorporate it into their malware," Pope said in the blog post.

"Now that I have your attention, it is important that affected systems are patched as quickly as possible to prevent such a scenario from happening. In response, we are taking the unusual step of providing a security update for all customers to protect Windows platforms, including some out-of-support versions of Windows," Pope said.

For organizations on an out-of-support version of Windows software, the best way to address this vulnerability is to upgrade to the latest version of Windows, Pope said.

The WannaCry ransomware attack back in May 2017, which hit more than 300,000 machines in 150 countries, targeted Windows operating systems and succeeded where those operating systems lacked security updates. According to data from Kaspersky Lab, roughly 98% of computers affected by the ransomware were running some version of Windows 7. A major concern for hospitals around the world is the use of old operating systems that are no longer upgraded or supported. 

"If patching is something that typically falls to the bottom of the list, which it often does in healthcare, this is one time when it needs to go to the top of the list. When you look at WannaCry and what the potential here is, the risk is way too big to delay patching or updating your operating system," Finn said.

In addition to the Microsoft security flaw, there are a number of cybersecurity issues that have come to light in the past week. Intel announced it was addressing new issues in its microprocessors that could allow hackers to gain unauthorized access to data, and a group of Russian hackers claimed to have infiltrated the networks of three U.S. antivirus makers and stolen the source code for their software.

"If that is true and they have the source code for that anti-virus ware coupled with what we're seeing with Microsoft, it could be a devastating attack," Finn said.

Healthcare riddled with legacy operating systems

In the blog post, Pope said it is no coincidence that later versions of Windows are unaffected. "Microsoft invests heavily in strengthening the security of its products, often through major architectural improvements that are not possible to backport to earlier versions of Windows," he said.

The tech giant announced back in March that support for Windows 7 ends on Jan. 14, after which it will no longer issue security updates for that system. In September, Microsoft announced enterprise customers could pay for extended support on Windows 7. The company has supported Windows 7 for 10 years.

Data from Netmarketshare indicate Windows 7 still has a 42% market share among operating systems while Windows 10 has a 34% market share. Windows XP's market share stands at 5%.

A recent survey of IT professionals across multiple industries from Adaptiva found that 4 in 10 expect to have less than half their systems moved to Windows 10 within a year. The implications of this for corporate security are worrisome at best, Adaptiva said.

What's more, 22% of IT professionals expect to still run Windows 7 past the end of the support date next January. 

The lack of swift progress is due to many factors, including the time migration takes, staff size and cost, according to the survey.


"I think it’s more severe than that in healthcare," Finn said in reference to the Adaptiva survey results. "Many people in healthcare are on Windows 7 or older. Our firm already is seeing healthcare providers considering whether they are going to try to maintain (Windows 7) beyond 2020."

He added, "It’s likely there will be attacks after Microsoft is no longer supporting that."

Healthcare organizations already are in the crosshairs of hackers and malicious actors due to the value of patient data and the ability of hackers to attack and cripple hospital systems and demand a ransom in order to restore the systems. 

The security risks for healthcare are potentially huge as the industry is still reliant on legacy operating systems, particularly for medical devices, according to cybersecurity experts. A recent study found that a staggering 70% of devices in healthcare organizations will be running unsupported Windows operating systems by January. 

"We see legacy systems across many industries, but it does tend to be exacerbated and more prevalent in healthcare," Finn said. One major reason is that hospitals and healthcare providers can't have significant downtime. "Upgrading those operating systems, it takes systems down. It takes a lot of time and effort to upgrade your 8,000 PCs and thousands of servers."

Healthcare organizations also face other barriers such as lack of resources, both financial and human. "The investment to buy those software upgrades is significant. And, healthcare is not staffed to the level of most industries in terms of IT and security," Finn said.

Medical devices and specialty clinical IT software are particularly problematic because many of them were designed to run on older operating systems such as Windows XP, which is no longer supported. "Until the software maker upgrades their software so it can be run on Windows 7 or Windows 10, you can’t make that migration. Driving those vendors, and some of those very small vendors, to make those upgrades is very difficult," Finn said.


Adding to the complexity, many medical devices and specialty clinical systems didn't connect to the IT network when they were originally installed. "As the healthcare industry wanted that data integrated to the whole healthcare continuum, wanted it to speak to electronic health records, they started connecting to the network. But we didn’t fundamentally change the way these devices were engineered and designed from a security perspective," Finn said.

"With medical devices, we’re going to have to change fundamentally how we design them so that security gets built in up front. The same with our operating systems and functional operational software, we’re going to have to address security and privacy more as a core function and not something that we add on after the fact," Finn said.

Top priorities for healthcare security leaders

Healthcare security leaders need to look at their unsupported systems, such as Windows XP and Windows Server 2003, and consider whether they can be taken offline or replaced with newer systems, Finn said. "We had the wake-up call with WannaCry.

"If there’s no way around it and that legacy system can’t be replaced, then they need to look at segmenting their network and keeping those systems as segmented as possible from the production network. And, they should patch immediately. They should be looking at systems that are running Windows in particular, just the size of the market, that's the biggest threat vector," he said.

He added, "We live in a world where you have to keep your operating system and your software up to date."

Vectra Networks is a threat detection and response cybersecurity firm that works with healthcare organizations. Chris Morales, head of security analytics at Vectra Networks, told FierceHealthcare that healthcare security leaders need to do a thorough inventory of their medical devices to more effectively manage those devices. "Many medical devices aren’t acquired by IT and security but by physicians," he said, and this makes it difficult for IT and security leaders to know what is on their network.

"I asked one healthcare provider how many IoT (Internet of Things) devices they had. They said about 100,000. We found 300,000. The problem goes deeper as some of these devices can't be patched," he said.

Healthcare organizations need to work with their vendors to inventory their devices and develop a plan to manage them.
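A defender's triage of an asset inventory against the priorities above (patch, replace or take offline, segment, and limit exposed Remote Desktop Services), as an added Python example that is not code from the article, Microsoft, CynergisTek or Vectra Networks. The host list is constructed sample data, and the scoring weights are an assumption of the example, not a published scheme.

```python
# Added example (not from the article or Microsoft); hosts below are constructed sample data.
from dataclasses import dataclass

# Affected and unaffected Windows versions as stated in Microsoft's advisory.
AFFECTED_IN_SUPPORT = {"Windows 7", "Windows Server 2008", "Windows Server 2008 R2"}
NOT_AFFECTED = {"Windows 8", "Windows 10"}  # XP / Server 2003 are affected but out of support

@dataclass
class Host:
    name: str
    os: str            # assumed already normalised to the names above
    rdp_enabled: bool  # Remote Desktop Services reachable on the network
    patched: bool      # CVE-2019-0708 update already applied
    segment: str       # e.g. "production" or "isolated"

def actions(h: Host) -> list:
    """Remediation steps the host still needs, each with an urgency weight."""
    if h.os in NOT_AFFECTED or h.patched:
        return []
    steps = [(1, "apply the CVE-2019-0708 security update")]
    if h.os not in AFFECTED_IN_SUPPORT:
        # Out-of-support or unrecognised OS: the one-off update is only a stopgap.
        steps.append((1, "plan replacement or take the system offline"))
    if h.rdp_enabled:
        # Exposed RDS is the wormable path, so it carries the largest weight.
        steps.append((2, "disable Remote Desktop Services where not required"))
    if h.segment == "production":
        steps.append((1, "move to a segmented network away from production"))
    return steps

def priority(h: Host) -> int:
    return sum(w for w, _ in actions(h))  # 0 means nothing to do for this bug

def triage(hosts):
    """Hosts needing work, most urgent first, as (name, score, step texts)."""
    ranked = sorted(hosts, key=lambda h: (-priority(h), h.name))
    return [(h.name, priority(h), [s for _, s in actions(h)])
            for h in ranked if priority(h) > 0]

SAMPLE = [  # constructed inventory
    Host("imaging-01", "Windows XP", True, False, "production"),
    Host("file-srv", "Windows Server 2008 R2", True, False, "production"),
    Host("ws-210", "Windows 7", False, True, "production"),
    Host("ws-300", "Windows 10", True, False, "production"),
    Host("lab-pc", "Windows Server 2003", False, False, "isolated"),
]

if __name__ == "__main__":
    for name, score, steps in triage(SAMPLE):
        print(f"{score} {name}: {'; '.join(steps)}")
```

Unrecognised OS strings are deliberately treated as out of support, so an incomplete inventory errs toward more scrutiny rather than less.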

"I think everyone knows they need to do something; it’s finding the time, money and resources and then building a plan within the organization. That is bogging things down," Finn said.

One possible silver lining is that hospitals and health systems are becoming more proactive about cybersecurity, Morales said. "There is one hospital that caught four ransomware attacks in one year; they managed to detect the attacks and contain them," he said.