Chris Kenney 14 May 2017
This is the Wikipedia entry for the attack software. You will see that a patch for XP was made available this year by Microsoft. Obviously the trusts IT departments never implemented it in time.
EternalBlue is an exploit developed by the U.S. National Security Agency (NSA). It was released by the Shadow Brokers hacker group on April 14, 2017.
EternalBlue exploits a vulnerability in Microsoft’s implementation of the Server Message Block (SMB) protocol. Despite the fact that the vulnerability was resolved by security update (MS17-010) provided by Microsoft on March 14, 2017, many Windows users had still not installed this security patch when, on 12 May, the WannaCry ransomware attack used the vulnerability to spread itself.
Due to the seriousness of the WannaCry attack, on May 13, 2017 Microsoft took the highly unusual step of also providing a security update for Windows XP, Windows 8, and Windows Server 2003, despite these versions being past their support cycles. Windows XP, Windows 8, and Windows Server 2003 users can download the patch from the Microsoft Update Catalog. The extended support for Windows Server 2003 had ended on July 14, 2015, almost two years earlier, and the extended support for XP ended on April 8, 2014. Windows Vista, Windows 7 and Windows 8.1 were included in the normal security update in March.
Mike Jackson 14 May 2017
With respect to all you guys we are still missing the elephant (or more likely elephants) in the room.
First elephant: what is any major organisation doing using an OS that was superseded eight years ago and for which the developer withdrew support — with more than adequate notice — three years ago?
Second elephant: what is any organisation of the size and complexity if the NHS doing using Windows in the first place?
I have used it in its various incarnations since 3.11 (cleverly avoiding 2000, Vista, and 8!) and it works for me. But I don’t open emails that purport to come from people I know but obviously don’t and I follow the usual checks — hover over the sender’s address, look for idiot typos, believe my bank when it says it won’ t email me, and so on — and I keep my updates up to date.
And … I am not running a billion pound and multi-thousand employee organisation using an OS which is known to be the target for every hacker and malware designer on earth!
What the hell are they thinking?