Despite all the attention currently focused on Windows computers being infected with WannaCry ransomware, a defensive strategy has been overlooked. This being a Defensive Computing blog, I feel the need to point it out.
The story being told everywhere else is simplistic and incomplete. Basically, the story is that Windows computers without the appropriate bug fix are getting infected over the network by WannaCry ransomware and the Adylkuzz cryptocurrency miner.
We are accustomed to this story. Bugs in software need patches. WannaCry exploits a bug in Windows, so we need to install the patch. For a couple of days, I, too, subscribed to this knee-jerk theme. But there is a gap in this simplistic take on the issue. Let me explain.
The bug has to do with input data being processed incorrectly.
If a Windows computer that supports version 1 of the Server Message Block (SMB) file-sharing protocol is listening on the network, bad guys can send it specially crafted malicious data packets that an unpatched copy of Windows does not handle correctly. This mistake allows bad guys to run a program of their choosing on the computer.
As security flaws go, this is as bad as it gets. If one computer in an organization gets infected, the malware can propagate itself to vulnerable computers on the same network.
What has been overlooked is that a Windows computer that uses version 1 of the SMB protocol does not have to accept unsolicited incoming data packets.
And those that don’t are safe from network-based infection. Not only are they protected from WannaCry and Adylkuzz, but also from any other malicious software looking to exploit the same flaw.
If unsolicited incoming SMB v1 data packets are not processed, the Windows computer is safe from network-based attack – patch or no patch. The patch is a good thing, but it’s not the only defense.
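The "don't accept unsolicited SMB packets" defense described above, as an added PowerShell example that is not part of the original post. It assumes an elevated session on Windows 8.1/10 or Server 2012 R2 or later (where the Smb* and Net* cmdlets exist) and a workstation that does not need to serve files to the network; the firewall rule names are my own.

```powershell
# Added example (not from the article): report the SMB1 server state, then
# block unsolicited inbound SMB/NetBIOS traffic with Windows Firewall rules.
# Assumptions: elevated PowerShell, Windows 8.1 / Server 2012 R2 or later,
# and this host does not need to accept file-sharing connections.

# Ports that carry SMB and the NetBIOS services SMB v1 rides on.
$ports = @(
    @{ Protocol = 'TCP'; Port = 445 }   # SMB, direct hosting over TCP
    @{ Protocol = 'TCP'; Port = 139 }   # SMB over NetBIOS session service
    @{ Protocol = 'UDP'; Port = 137 }   # NetBIOS name service
    @{ Protocol = 'UDP'; Port = 138 }   # NetBIOS datagram service
)

# 1. Audit: is the SMB1 server side still switched on at all?
$smb = Get-SmbServerConfiguration
Write-Host ("SMB1 server protocol enabled: {0}" -f $smb.EnableSMB1Protocol)

# 2. Block: refuse unsolicited inbound connections on every firewall profile.
#    Outbound connections this host initiates are unaffected, so mapping a
#    drive on a trusted file server still works. In Windows Firewall a Block
#    rule wins over any Allow rule that covers the same port.
foreach ($p in $ports) {
    $name = "Defensive Computing - block inbound {0} {1}" -f $p.Protocol, $p.Port
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name -Direction Inbound `
            -Protocol $p.Protocol -LocalPort $p.Port -Action Block `
            -Profile Domain,Private,Public -Enabled True | Out-Null
        Write-Host "Created rule: $name"
    } else {
        Write-Host "Rule already present: $name"
    }
}

# 3. Verify: list every enabled inbound Block rule that covers these ports.
Get-NetFirewallRule -Direction Inbound -Enabled True -Action Block |
    Get-NetFirewallPortFilter |
    Where-Object { $_.LocalPort -match '^(137|138|139|445)$' } |
    Select-Object Protocol, LocalPort, InstanceID |
    Format-Table -AutoSize

# From another machine on the same network, a connection attempt should now
# fail, e.g.:  Test-NetConnection -ComputerName <this-host> -Port 445
# (TcpTestSucceeded should be False).
```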
To make an analogy, consider a castle. The bug is that the wooden front door of the castle is weak and easily broken down with a battering ram. The…