Microsoft withheld update that could have slowed WannaCry: Report
LONDON — American software giant Microsoft held back from distributing a free security update that could have protected computers from the WannaCry global cyber attack, the Financial Times reported Thursday (May 18).
In mid-march, Microsoft distributed a security update after it detected the security flaw in its XP operating system that enabled the so-called WannaCry ransomware to infiltrate and freeze computers last week.
But the software giant only sent the free security update — or patch — to users of the most recent version of the Windows 10 operating system, the report said.
Users of older software, such as Windows XP, had to pay hefty fees for technical support, it added.
“The high price highlights the quandary the world’s biggest software company faces as it tries to force customers to move to newer and more secure software,” it said.
A Microsoft spokesperson based in the United States told AFP: “Microsoft offers custom support agreements as a stopgap measure” for companies that choose not to upgrade their systems.
“To be clear, Microsoft would prefer that companies upgrade and realise the full benefits of the latest version rather than choose custom support.”
According to the FT, the cost of updating older Windows versions “went from US$200 per device in 2014, when regular support for XP ended, to US$400 the following year”, while some clients were asked to pay heftier fees.
The newspaper argued the high costs led Britain’s National Health Service — one of the first victims of the WannaCry attack — to not proceed with updates.
Microsoft ended up distributing the free patch for the older versions on Friday — the day the ransomware was detected.
Although the announcement was “too late to contain the WannaCry outbreak”, the report said.
Microsoft did not confirm to AFP when it made the patch free.
A hacking group called Shadow Brokers released the malware in April claiming to have discovered the flaw from the NSA, according to Kaspersky Lab, a Russian cybersecurity provider. AFP