Thursday, October 08, 2020

A Blast From The Past Can Come Back And Bite You It Seems.

This appeared last week.

Are old operating systems putting the NHS at risk in 2020?

With reports suggesting that Microsoft source code relating to Windows XP has been shared online, our cyber security columnist, Davey Winder, looks into whether old operating systems are putting the NHS at risk in 2020.

Davey Winder 30 September 2020

The news that Microsoft source code relating to Windows XP had apparently been leaked to a number of file-sharing sites online may well have passed you by. After all, who uses Windows XP these days and what difference does it make if the source code is out there?

Although it has yet to be confirmed by Microsoft, which is investigating, if this is the actual source code to Windows XP Service Pack 1, there are potential security risks.

It would appear that the source code leak is actually a combination of various files, which would impact Windows Server 2003 and even Windows CE and MS-DOS. Most of these files had been floating around the dark web for some time, but this marks the first public distribution.

Windows XP itself was released way back in October 2001, with the final release in 2008. It reached end of life status on April 8, 2014, when general support, including security updates, ceased. A security patch was later released by Microsoft in May 2017, in response to the WannaCry ransomware attack that hit the NHS so hard.

Exploiting vulnerabilities

The general availability of source code to an operating system will make the life of those wishing to exploit vulnerabilities much easier and it does highlight the risk posed by older Windows systems such as Windows 7 for example.

The NHS has been migrating devices, where possible, from both XP and Windows 7 to Windows 10 for some months now. However, in some cases, such migration does attract compatibility challenges. There are also financial considerations when talking about replacing machines where software cannot be updated.

“Legacy systems running out of date operating systems continue to be a huge problem for the NHS,” Bharat Mistry, principal security strategist at Trend Micro, told me.

“In some cases, these systems are used for critical processing of data and, because of the risk of significant disruption, these systems never get updated,” he added.

Lots more here:

https://www.digitalhealth.net/2020/09/are-old-operating-systems-putting-the-nhs-at-risk-in-2020/

With the recent leak of the source code this is clearly a timely warning. I wonder how many legacy XP systems are still running in the Australian health system. I would be sure the number is not zero!

David.

2 comments:

  1. Bernard Robertson-Dunn, October 08, 2020 11:15 AM

    A bigger risk is Internet of Things systems. They often have rubbish security and do not get updates.

  2. Don't forget the application software.

    In the UK "Coronavirus: Missing tests blunder caused by software ‘13 years out of date’"
    https://www.independent.co.uk/news/uk/politics/coronavirus-missing-tests-microsoft-excel-matt-hancock-b859322.html

    The blunder that saw 16,000 positive Covid-19 tests go missing was caused by failing to replace software an astonishing 13 years out of date, experts believe.

    The version of Microsoft Excel used – known as XLS – was superseded back in 2007, but was still being deployed by Public Health England’s systems.

    It could handle only about 65,000 rows of data, rather than the million-plus that the newer software XLSX is capable of – which meant any additional test results were lopped off.
