Cry if you WannaCry, but don’t blame Microsoft for it

Abhishek Baxi

While you may have already read about WannaCrypt, popularly dubbed as WannaCry, ransomware, and Microsoft’s response to the same, here’s the story in short before we get to identifying who’s at fault.

An exploit was stolen from the National Security Agency (NSA) of the USA two months ago, and soon after Microsoft patched all supported versions of Windows. All supported versions of Windows with Windows Update and Windows Defender running are not impacted by this vulnerability – including Windows 7, Windows 8.1, and Windows 10.

Then who is, you may ask? The ransomware affected organizations using Windows XP, an unsupported, outdated operating system. Once the issue became widespread and the news and views cycle went on an overdrive, it was surprising to see Microsoft getting the heat for not supporting Windows XP.

A New York Times opinion piece expected Microsoft to provide security updates to dated software forever. The editorial also defends reluctance to upgrade with a nightmarish line – “Further, upgrades almost always bring unwanted features.” Ugh!

If there’s anything, Microsoft should indeed be appreciated for their response on the entire issue. The company released an emergency patch for Windows XP (and Windows 8 and Windows Server 2003) last week to stop the ransomware from spreading. Microsoft was under no legal obligation to do this, mind you, since it no longer supports Windows XP – after having extended its product lifecycle several times in the past.

Also, a gentle reminder that Microsoft is a business, not a charitable entity. There is a cost attached to supporting a product, and it is unfair to expect an organization to support a 16-year old product without paying for extended support. Moreover, an operating system built over a decade and a half is not designed for modern hardware or sophisticated attacks that are expected in 2017.

Apart from releasing a patch for Windows XP, Microsoft’s President & Chief Legal Officer, Brad Smith shared in a blog post that the latest cyberattack should be a wake-up call for governments, organizations, and consumers. In the past, Microsoft has taken every opportunity to push Windows 10 but at the moment, it chose to do the right thing and patch outdated operating system without averring the fact (correct, as it is) that Windows 10 is unaffected by this vulnerability.

One can argue that the blame could also be put on NSA for getting a ‘weapon’ stolen, but shit happens. For once, let’s do the right thing and blame the technology executives and decision makers at enterprises for running unsupported and outdated IT infrastructure. If an organization is unwilling to support an IT infrastructure to counter modern threats, then it has only themselves to blame for an incident like this.