Microsoft reveals two big ways to stop ransomware attacks

Rob Pegoraro
Contributing Editor
Microsoft chief legal officer Brad Smith has two requests that could cut down on ransomware.

Microsoft (MSFT) has had quite enough of ransomware attacks like WannaCry and Petya. But if the company is going to get a handle on the problem, it needs the help of customers, businesses and governments around the globe.

When it comes to individuals and businesses, Microsoft has a simple request: Stop using Windows XP. As for the world’s governments, Microsoft’s ask is even easier to state, but may be a tougher sell: If you see something vulnerable in our software, tell us instead of using it to hack our customers.

Neither task will be easy, but the alternative will result in continued waves of malware attacks that steal or destroy data and leave millions of computers immobilized.

Don’t expect smarter users

You might not know this from coverage that treats each new malware attack as something that magically happens out of nowhere, but when a computer gets infected you can usually pin the problem on two preexisting conditions.

One is the person using the computer, who may be uninformed, gullible or distracted enough to open the wrong file or click on the wrong link. The other is the software running on the computer, which too often is obsolete and missing the latest security patches.

Microsoft and other companies can’t do much about the first problem beyond enhancing their systems to scan links and attachments in emails for signs of malicious content, something Microsoft recently did with its Office 365 software. But that sort of reactive defense can fall short when previously unknown threats — usually called “zero-day” exploits, for the lack of warning experts have about them — start to spread.

“Every company has at least one employee who will click on anything,” Microsoft president and chief legal officer Brad Smith said in a keynote Wednesday at the company’s Inspire conference in Washington. “That is pretty hard to protect against.”

Windows XP must die

But companies can and should switch to more secure software that can better resist malware that sneaks in through email. And from Microsoft’s perspective, that starts with retiring the ancient Windows XP. Despite Microsoft ending support for the operating system in 2014, the 2001-vintage OS still powered 4.86% of Windows PCs in June, according to StatCounter; another research firm, NetMarketShare, found it on 6.94% of PCs.

XP is an easy mark for malware because once a program is installed, even an unfamiliar one, XP grants it complete access to the system.

“Windows XP is enormously vulnerable in ways that are impossible to change,” Smith said Wednesday. He noted that XP debuted two months before the Apple (AAPL) iPod, then asked “Is there anybody in this arena who is carrying around an iPod?”

But many companies will find that swapping out XP for the far more secure Windows 10 is a little more complicated than moving music from an MP3 player to a smartphone. They’ll first have to upgrade their own specialized internal software to run properly on Win 10 or replace it with Win 10-compatible equivalents.

Companies and individual users also need to let go of the idea that they should be able to judge each security update on its merits. Doing so could leave important security gaps unplugged. So sorry, but you’re going to have to trust Microsoft — and Apple, Google (GOOG, GOOGL) and others — to download and install security fixes automatically.

A digital Geneva Convention

But Microsoft’s biggest challenge lies in trying to stop governments from uncovering and hoarding Windows vulnerabilities for offensive uses — a practice of the National Security Agency that went awry when attackers posted a set of the agency’s hacking tools online, tools that were then used to build the WannaCry ransomware.

In February, Smith told a security conference that nations should adopt a “Digital Geneva Convention” that would commit them to avoiding malware attacks on civilian targets and require the prompt disclosure of vulnerabilities to the companies that need to fix them.

Smith renewed his call on Wednesday, asking for collective action by nations to reduce the malware threat. He denounced hacking attempts that target political candidates and election systems — such as Russia’s extensive meddling in last year’s presidential election — as “attacking the fundamental infrastructures of our time.”

Smith pledged that Microsoft would have no part in any such aggressive conduct.

“We will not help any government attack any customer anywhere,” he said. “We will help defend any customer anywhere.”

That stance may not get Microsoft any more business out of the Kremlin, but the Redmond, Washington firm is right to put principles over profits here. Unfortunately, there are too many software firms without such hangups.

Email Rob at rob@robpegoraro.com; follow him on Twitter at @robpegoraro.