Is Microsoft to blame for the largest ransomware attacks in internet history?

Friday saw the largest global ransomware attack in internet history, and the world did not handle it well. We’re only beginning to calculate the damage inflicted by the WannaCry program — in both dollars and lives lost from hospital downtime — but at the same time, we’re also calculating blame.

There’s a long list of parties responsible, including the criminals, the NSA, and the victims themselves — but the most controversial has been Microsoft itself. The attack exploited a Windows networking protocol to spread within networks, and while Microsoft released a patch nearly two months ago, it’s become painfully clear that patch didn’t reach all users. Microsoft was following the best practices for security and still left hundreds of thousands of computers vulnerable, with dire consequences. Was it good enough?

For some, the answer is an obvious no. Writing in The New York Times over the weekend, sociologist Zeynep Tufekci placed the blame squarely on Microsoft for its decision to stop supporting older Windows versions. “Companies like Microsoft should discard the idea that they can abandon people using older software,” Tufekci wrote. “Industry norms are lousy to horrible, and it is reasonable to expect a company with a dominant market position, that made so much money selling software that runs critical infrastructure, to do more.”

ZDNet was even harsher. “The real problem here is that for decades the IT industry as a whole has been selling rubbish products,” a post argued. “It’s become fabulously wealthy by making products that are broken to begin with, and often, directly or indirectly, charging customers to fix them.”

The core of the issue is Microsoft’s tiered support system. The vulnerability targeted last week doesn’t exist in systems released since Windows 8 (which introduced SMBv3), so the main targets were Windows 7 and Windows XP. Windows 7 users are still receiving patches, but XP has been unsupported since April 2014. Users can still pay for updates through Microsoft’s Custom Support service, but the company isn’t deploying patches publicly, even though the system is still widely used in Africa and Asia. The company published an emergency XP patch over the weekend to protect against the ransomware, but it was too late for NHS and countless other victims.

That may sound technical, but the upshot is simple: there are still millions of computers using Windows XP, and without custom support, they’re all vulnerable — not just to this latest ransomware, but to dozens of other vulnerabilities unearthed in the last three years. They’re easy prey for botnets, spyware, and dozens of other criminal schemes, a persistent problem for anyone trying to secure the web.

Microsoft’s best defense is that XP is very, very old. Released in 2001, XP stopped appearing on most new computers in 2008, and large clients like the NHS had ample warning to switch over before the sunset in 2014. Windows 10 was free, making it as easy as possible for users to switch over. Most of the networks hit on Friday had good reasons for not upgrading — often complex embedded systems that could barely survive a patch, let alone a new operating system — but as long as software has bugs, systems like that will be vulnerable.

The broader problem is software upgrades outrunning their hardware, and it’s a problem that’s much bigger than Microsoft. A computer sold in 2007 likely isn’t equipped to run Windows 10 and millions of those old machines are still in use, which is why XP has remained neck and neck with Windows 8.1 in market share, despite Microsoft’s best efforts to dislodge it.

Android is already facing a similar problem at higher velocity. Google puts out a new version of the operating system roughly every 10 months, but hardware makers can’t keep up, leading to a now-infamous fragmentation problem. Only 7 percent of Android users are on the latest version, and more than one in 10 are using an unsupported version from more than four releases ago. Part of the blame goes to carriers and OEMs for not updating software — but part of it has to do with the hardware itself. A two-year-old phone often doesn’t have the processor power to keep up with the latest features, which too often means falling behind on security updates. That became particularly urgent in 2015, when a particularly bad string of bugs in Android’s Webview system required rebuilding the process from the ground up, leaving anything older than KitKat effectively unprotected.

The underlying problem is a weakness in the patching process itself. Some bugs are more patchable than others, and often a quick patch will only paper over a more profound weakness in how a system is built. The result is a profound tension between robust patching and building systems that are secure in the first place. A major bug like Stagefright or Heartbleed can be exploited dozens of different ways, making it nearly impossible to block all of them at once. You can protect against one exploit, but it’s only a matter of time before someone finds another one — and they may not tell you when they do. From a coder’s perspective, the best fix is to tear the whole system down and build it back stronger, letting everyone know to stop doing things the old way as soon as possible.

That kind of ground-up rebuilding is what Google did after its Webview problems, and it’s what Microsoft did with SMBv3. If you have the newest hardware, it’s unquestionably the best protection — but if you’re stuck on Windows XP or Android Jelly Bean, it can look an awful lot like you’re being hung out to dry. Still, it can be hard to tell exactly who’s at fault. Was it Microsoft’s fault for ceasing support? Or the NSA’s fault for finding the bug in the first place? Was it a kind of software entropy, revealing bugs and shredding programs as fast as we can code them? When the problem is a larger disconnect between software upgrades and hardware release cycles, it’s often too big for any single actor to fix — a prospect that’s even scarier than ransomware.