Microsoft has labelled a continuing wave of global cyber-attacks, the largest in history, as a ‘wake-up call’ to governments after hackers operating ‘ransomware’ software successfully seized control of at least 200,000 computers running an outdated version of the Windows operating system.
Infected terminals seized up, displaying only a terse one-page ransom demand which users must pay to have access restored to their machine.
While admitting his company held ‘first responsibility’ to clean up the mess, Microsoft’s chief legal officer Brad Smith warned that customers and governments must also shoulder a share of the blame.
Hackers were able to exploit a flaw in Microsoft’s code from information stolen from the US National Security Agency and subsequently made public – ironically as part of a programme to beef up security by identifying flaws and building solutions.
Unfortunately, having identified the flaw, the agency lost the information before it could devise any countermeasures, prompting calls from Smith for ‘a new requirement for governments to report vulnerabilities to vendors, rather than stockpile, sell, or exploit them.’
In his blog post Smith continued: “Repeatedly, exploits in the hands of governments have leaked into the public domain and caused widespread damage.
“As cyber-criminals become more sophisticated, there is simply no way for customers to protect themselves against threats unless they update their systems,” he wrote. “Otherwise they’re literally fighting the problems of the present with tools from the past.”
The NSA belatedly informed Microsoft of the weakness just three months ago, allowing Microsoft to build a patch but, evidently, not giving it sufficient time to fully mitigate the flaw’s security impact.
Only yesterday YouTube was forced to pull a range of channels and tutorials offering people step-by-step instructions on how to create and distribute ransomware.