PINDROP BLOG

Microsoft Releases Patches for Older Versions of Windows, Warns of Nation-State Attacks

Microsoft has taken the unusual step of issuing patches for a number of security vulnerabilities in older versions of Windows that the company says are “at heightened risk of exploitation” from nation-state attackers.

As part of its normal Patch Tuesday update release, Microsoft released fixes for 16 vulnerabilities that affect several versions of Windows, including some that are no longer supported. Most of the vulnerabilities are rated critical and nearly all of them can lead to remote code execution. Some of the bugs are several years old, and Microsoft officials said they’re issuing the patches for them because of information suggesting they’re at risk for exploitation by high-level attackers.

“Today, as part of our regular Update Tuesday schedule, we have taken action to provide additional critical security updates to address vulnerabilities that are at heightened risk of exploitation due to past nation-state activity and disclosures. Some of the releases today are new, and some are for older platforms under custom support agreements, that we are making publicly available today,” Eric Doerr, general manager of the Microsoft Security Response Center, said in a post.

Among the flaws for which Microsoft released patches for older platforms is the MS17-010 vulnerability that has been used by attackers spreading the WannaCry ransomware. That patch originally was released in March, but only for modern Windows versions. The other bugs in this extended patch release include some new vulnerabilities and some that are nearly 10 years old.

This move is a rare one from Microsoft and is a clear sign that the company has information that attackers are currently targeting these flaws.

“Our decision today to release these security updates for platforms not in extended support should not be viewed as a departure from our standard servicing policies. Based on an assessment of the current threat landscape by our security engineers, we made the decision to make updates available more broadly. As always, we recommend customers upgrade to the latest platforms,” Doerr said.

“The best protection is to be on a modern, up-to-date system that incorporates the latest defense-in-depth innovations. Older systems, even if fully up-to-date, lack the latest security features and advancements.”
