As the saga surrounding WannaCry continues to unfold, many people have begun pinning the blame on Microsoft since all of the computers affected were Windows PCs.
The recent news that Microsoft delayed the release of a security patch designed to counter WannaCry did little to help the company's poor press, but is Microsoft really in the wrong here?
Security Vulnerabilities In Older Windows Systems
Many of the PCs affected by WannaCry were running Windows XP, an operating system released in 2001 for which support ended in April 2014. Since XP was released, Microsoft has launched five subsequent versions of Windows, each one with increased security features. With each new version of Windows, Microsoft warned that older operating systems would have security vulnerabilities that are not found on newer systems.
Pinning The Blame On Microsoft
Eventually, Microsoft did release a patch for older systems that fixed the WannaCry vulnerability, but it took some time and many people were angry over the delay. The New York Times, for example, went so far as to call Microsoft's initial service charge an act of ransomware.
"At a minimum, Microsoft clearly should have provided the critical update in March to all its users, not just those paying extra. Indeed, 'pay extra money to us or we will withhold critical security updates' can be seen as its own form of ransomware," wrote the Times' Zeynep Tufekci.
While the Times is, in our opinion, correct to argue that Microsoft should have acted sooner, it is a mistake to pin the sole blame on the company. Expecting Microsoft to support a 16-year-old product is unreasonable when you consider the expense, both in time and money, that goes into writing code for various operating systems.
At the very least, customers should ensure that they have an operating system that is still covered under Microsoft's general support policies. Relying on old operating systems engenders a false sense of security that can leave users vulnerable to attacks.
"As cybercriminals become more sophisticated, there is simply no way for customers to protect themselves against threats unless they update their systems," wrote Microsoft's Brad Smith. "Otherwise they're literally fighting the problems of the present with tools from the past. This attack is a powerful reminder that information technology basics like keeping computers current and patched are a high responsibility for everyone, and it's something every top executive should support."
Update Your PC
In reality, the best way to protect yourself and your company from ransomware and other cyber attacks is to keep your PC as up-to-date as possible. In 2017, it is as important to your personal security and your company's security as keeping your bank information safe.
Obviously, Microsoft could do more to help customers upgrade. In the case of hospitals and other emergency services, we would argue that the company should, in fact, do more to help those organizations keep their systems up-to-date. However, it is simply unreasonable to expect Microsoft to continue to support products indefinitely.