Windows XP, Server 2003, Windows 8 RT: Emergency Security Updates & Fixes For WannaCry
Why is patching really important
A lot has been written about the ransomware dubbed WannaCry (Ransom:Win32/WannaCrypt).
It comes down to a basic and fundamental security best practice known as "patching".
As we can see, many enterprises, institutions and users worldwide have been badly impacted by the WannaCry/WannaCrypt ransomware, which means they are not serious about timely patching, don't have a proper "vulnerability management framework", or lack support for legacy systems.
The SMB vulnerability (MS17-010) being exploited by WannaCry/WannaCrypt has had a patch available since March 2017:
https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-0145
What next:
- Patching, patching, patching. Install all the latest updates immediately, especially MS17-010.
- Block incoming SMB connections (port 445) from the external network to the internal network on edge firewalls.
- Upgrade legacy systems to the latest OS (Windows 10 has better built-in protections: Credential Guard, Device Guard, memory protections, secure kernel, VBS, Edge browser, etc. Users running Windows 10 are also not affected by this).
- Microsoft just released emergency security updates/fixes for legacy systems as well (Windows XP, Server 2003, etc.). Download links are in this blog post.
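To confirm that the port 445 block from the list above is actually in effect, this added example (not part of the original post) probes hosts you administer from outside the edge firewall and classifies each result. The addresses are constructed documentation-range placeholders, and `check_tcp` and `audit` are hypothetical helper names.

```python
import errno
import socket

SMB_PORT = 445  # the port the list above says to block at the edge


def check_tcp(host, port=SMB_PORT, timeout=2.0):
    """Classify one TCP connect attempt as 'open', 'closed' or 'filtered'."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"        # handshake completed: SMB is reachable from here
    except ConnectionRefusedError:
        return "closed"      # connection refused (RST): nothing accepted it
    except socket.timeout:
        return "filtered"    # no reply in time: typically a firewall dropping the SYN
    except OSError as exc:
        # ICMP unreachable replies also mean the path to the port is blocked
        if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "filtered"
        raise
    finally:
        sock.close()


def audit(hosts, port=SMB_PORT, timeout=2.0):
    """Return ({host: state}, [hosts where the block is NOT effective])."""
    results = {h: check_tcp(h, port, timeout) for h in hosts}
    exposed = [h for h, state in results.items() if state == "open"]
    return results, exposed


if __name__ == "__main__":
    # Constructed inventory (RFC 5737 documentation addresses); replace with
    # the public addresses of systems you are responsible for.
    inventory = ["192.0.2.10", "192.0.2.11"]
    results, exposed = audit(inventory)
    for host, state in results.items():
        print(f"{host}:{SMB_PORT} {state}")
    if exposed:
        print("SMB still reachable from this vantage point:", ", ".join(exposed))
```

Run it from a machine on the external side of the firewall; any host reported as `open` is still accepting SMB connections from that network.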
Technical details
Check these articles from MMPC and FireEye:
https://www.fireeye.com/blog/threat-research/2017/05/eps-processing-zero-days.html
Malware info
From: Wannacrypt0r-FACTSHEET.md
- SECURITY BULLETIN AND UPDATES HERE: https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
- Microsoft first patch for XP since 2014: https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
- Killswitch source: https://blog.malwarebytes.com/threat-analysis/2017/05/the-worm-that-spreads-wanacrypt0r/ https://www.malwaretech.com/2017/05/how-to-accidentally-stop-a-global-cyber-attacks.html
Customer guidance for WannaCrypt attacks:
https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
Emergency security updates / fixes for XP, Server 2003, Windows 8 RT:
Microsoft catalog link: KB4012598
http://www.catalog.update.microsoft.com/search.aspx?q=kb4012598