Woody Leonhard's no-bull news, tips and help for Windows, Office and more…
  • How to make sure you won’t get hit by WannaCry/WannaCrypt

    Posted on May 13th, 2017 at 15:36 woody

    UPDATES: You might imagine this is a hot topic. Here’s what I discovered on Sunday morning:

    • WannaCrypt does not infect XP machines – the problem appears entirely (or almost entirely) on unpatched Win7 machines. Kevin Beaumont reports that folks inside the UK NHS tell him their machines haven’t been patched since December.
    • The people behind WannaCrypt have collected a total of about $30,000.
    • People at Microsoft claim that “nobody running Windows 10 was infected.” I can’t confirm that. Clearly, those who have installed MS17-010 through Win10 cumulative updates are OK (see the list below). But if all Win10 machines are immune, I’d sure like to see an explanation.
    • There are lots of explanations about the inner workings of the worm. This one from Malwarebytes is particularly thorough. But I haven’t yet seen a definitive description of how the payload first gets into a network. Many believe that the first point of infection is via a rigged email — but I haven’t yet seen a copy of a bad email. If you have definitive evidence, I’d sure like to hear about it in the comments.
    • Last night (which is to say very early Sunday morning my time), @MalwareTechBlog put it best: “Version 1 of WannaCrypt was stoppable but version 2.0 will likely remove the flaw. You’re only safe if you patch ASAP.”
    • There are new variants, both with and without killswitches. I haven’t seen any widespread problems yet, but folks YOU HAVE TO GET PATCHED. Creating a new variant is easy.

    Back to Saturday’s advice…

    I’ll have a more detailed and up-to-date post on InfoWorld on Monday, but for now, here’s what you need to know if you’re concerned about the WannaCry/WannaCrypt worm and its enablers.

    We’re at MS-DEFCON 2, and that’s as it should be: you should not install any of this month’s patches. It’s still too early to tell if anything this month will cause problems — and there’s so much dust floating around it’s hard to see anything. But if you missed the March or April patches, if you’re running Windows XP, 8 or Server 2003, or you aren’t sure if you got March and April patches installed, here’s what you need to do.

    IMPORTANT details about WannaCrypt:

    • It clobbered lots of sites and many computers, but it’s no longer a threat. The folks at Malwaretech.com enabled a sinkhole that’s blocking WannaCrypt. No more infections.
    • Rather than specifically rooting out WannaCrypt, you need to focus immediately on plugging the hole(s) that made WannaCrypt possible. The WannaCrypt code’s out in the wild, and a simple change would make it work again. More than that, other pieces of the Shadow Brokers trove can be used to make new, innovative malware. Get patched now.
    • As of this writing, nobody has any idea who made WannaCrypt, why they released a weapons-grade exploit to beg for chump change ($300 per infection), and how the first infection(s) appeared.
    • Microsoft released patches for Windows 10, 8.1 and 7 back in March (that’s MS17-010). Yesterday, they released patches for Windows XP, Win 8, and Server 2003 SP2.

    There’s an excellent overview by Elizabeth Dwoskin and Karla Adam published in the Washington Post on Saturday evening.

    Here’s how to see if you need patching, and how to get patched if need be.

    Windows XP, Windows 8

    You don’t have the patch, unless you downloaded and installed it already. Follow the links under “Further Resources” at the bottom of the Technet page to download and run the installer.

    (NOTE: I had a question in the earlier post about installing this patch on pirate copies of Windows XP. I’ve seen a lot of pirate copies of WinXP – living in Thailand for 13 years will do that to you – and I don’t trust any of them. If you install Microsoft’s patch on a pirate XP machine, you may well brick it. On the other hand, if you don’t install the patch, somebody else may come in and brick it for you. Wish I had a better response, but that’s the way the SMB crumbles. If I had to do it, I’d back up everything and roll the dice, but be ready to install Win7 from scratch if the XP pirate doesn’t come back up for air.)

    Vista

    See if the patch is already installed. Click Start > Control Panel > System and Security. Under Windows Update click the View installed updates link. Look for one marked “Security Update for Windows Vista (KB4012598).” If you don’t have it, download it from the Microsoft Update Catalog, and install it.

    Windows 7

    See if the patch is already installed. Click Start > Control Panel > System and Security. Under Windows Update click the View installed updates link. Scan the list (which can be alphabetized by clicking the box marked Name, or sorted by date) to see if you have ANY of these patches:

    2017-05 Security Monthly Quality Rollup for Windows 7 (KB4019264)
    April, 2017 Preview of Monthly Quality Rollup for Windows 7 (KB4015552)
    April, 2017 Security Monthly Quality Rollup for Windows 7 (KB4015549)
    March, 2017 Security Monthly Quality Rollup for Windows 7 (KB4012215)
    March, 2017 Security Only Quality Update for Windows 7 (KB4012212)

    If you have any of those patches already installed, then you are good to go and you can sleep well at night. Don’t be confused. There’s no reason to download or install anything, unless you have absolutely none of those patches. No, I’m not recommending that you install something. Just look at the list and see if you have any of the patches.

    (Thx, Chris M)

    If you have none of those patches, download and install the March, 2017 Security Only Quality Update for Windows 7 (KB4012212) for 32-bit or 64-bit.

    (Note that the list is quite deliberate and, I think, exact. In particular, if you’re manually installing Security-only patches in the “Group B” style, you MUST have the March, 2017 Security Only Quality Update for Windows 7 (KB4012212). Other Security-only patches don’t include the MS17-010 fix.)

    Windows 8.1

    See if the patch is already installed. Click Start > Control Panel > System and Security. Under Windows Update click the View installed updates link. Scan the list (which can be alphabetized by clicking the box marked Name, or sorted by date) to see if you have ANY of these patches:

    2017-05 Security Monthly Quality Rollup for Windows 8.1 (KB4019215)
    April, 2017 Preview of Monthly Quality Rollup for Windows 8.1 (KB4015553)
    April, 2017 Security Monthly Quality Rollup for Windows 8.1 (KB4015550)
    March, 2017 Security Monthly Quality Rollup for Windows 8.1 (KB4012216)
    March, 2017 Security Only Quality Update for Windows 8.1 (KB4012213)

    If you have any of those patches, you’re fine. Again, I’m not suggesting that you install anything unless all of those patches are missing.

    If you have none of those patches, download and install the March, 2017 Security Only Quality Update for Windows 8.1 (KB4012213) for 32-bit or 64-bit.

    See note above about Security-only patches. Again, this list is complete, I believe, and accurate.

    Windows 10

    Creators Update (version 1703) is OK.

    Anniversary Update (version 1607) – Check your build number. If you have Build 14393.953 or later, you’re fine. If you don’t, use Windows Update to install the latest build 14393.1198. Yes, I know that violates the current MS-DEFCON 2 setting, but you need to get up to or beyond 14393.953.

    Fall (er, November) Update (version 1511) – use the steps above to check your build number. You have to be at build 10586.839 or later. Abandon the MS-DEFCON rating system (and all hope — “Lasciate ogne speranza, voi ch’intrate”) if you must to get up to or beyond that build number.

    RTM (“version 1507”) – same procedure, make sure you’re up to or beyond build 10240.17319. And remember that your system’s toast soon.
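
    The same checks as a script, for anyone who has more than a couple of machines to look at. This is an added example, not part of the original post and not Microsoft's code. The function and variable names are made up for illustration, and the 15063 build number for version 1703 is supplied here rather than taken from the article.

```powershell
# Added example: encodes the KB lists and build thresholds given in the article.
# KBs the article says carry the MS17-010 fix, keyed by OS version (major.minor).
$FixKbs = @{
    '6.0' = @('KB4012598')                                                  # Vista
    '6.1' = @('KB4019264','KB4015552','KB4015549','KB4012215','KB4012212')  # Windows 7
    '6.3' = @('KB4019215','KB4015553','KB4015550','KB4012216','KB4012213')  # Windows 8.1
}
# Windows 10: minimum revision (the number after the dot) for each build, per the article.
$MinUbr = @{ 10240 = 17319; 10586 = 839; 14393 = 953 }

function Test-Ms17010Patched {
    param([string]$OsVersion, [int]$Build, [int]$Ubr, [string[]]$InstalledKbs)

    if ($OsVersion -eq '10.0') {
        # Version 1703 (build 15063, an assumption added here) is OK per the article.
        if ($Build -ge 15063) { return $true }
        if (-not $MinUbr.ContainsKey($Build)) { throw "Windows 10 build $Build is not in the table" }
        return ($Ubr -ge $MinUbr[$Build])
    }
    # XP and Windows 8 land here: the article gives no KB list for them, so check by hand.
    if (-not $FixKbs.ContainsKey($OsVersion)) { throw "OS version $OsVersion is not in the table" }
    foreach ($kb in $FixKbs[$OsVersion]) {
        if ($InstalledKbs -contains $kb) { return $true }   # ANY one of the listed KBs is enough
    }
    return $false
}

# Gather the facts from the local machine.
$os  = [Environment]::OSVersion.Version
$cv  = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$ubr = 0
if ($cv.UBR) { $ubr = [int]$cv.UBR }                        # UBR is the build revision on Windows 10
$kbs = @(Get-HotFix | ForEach-Object { $_.HotFixID })       # same data as "View installed updates"

$ok = Test-Ms17010Patched -OsVersion "$($os.Major).$($os.Minor)" -Build $os.Build `
                          -Ubr $ubr -InstalledKbs $kbs
"{0} {1}.{2} MS17-010 fix present: {3}" -f $env:COMPUTERNAME, $os.Build, $ubr, $ok
```

    A False result only means that none of the KBs listed in the article were found. Rollups released after this post was written also contain the fix and are not in the table.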

    ======================================

    Nice and easy, huh?

    Everybody needs to get their systems updated, at least to the point mentioned here. Yes, that includes your sainted Aunt Martha.
