Viewing 8 posts - 281 through 288 (of 288 total)
  • NHS in large scale IT shutdown
  • aracer
    Free Member

    Well to some extent it was just rumour at the time – there’s now decent info on what actually was impacted. There has also been some dodgy use of statistics – apparently 90% of NHS trusts have some machines running XP and I’ve seen that figure totally misinterpreted by people who should know better.

    I think if I had a W7 machine which wouldn’t install updates I’d be doing a clean install – it’s not just this vulnerability but other future ones (if it’s on a network, it’s not just the data on it you need to worry about).

    jambalaya
    Free Member

    ^^ thanks. One of my French BILs has a number of XP machines connected to lab kit but none are on the internet. (Asked for help here when one died). Cost of software licence update is uneconomic vs kit which works perfectly well.

    aracer
    Free Member

    There’s not much risk doing that – provided of course you are also careful about other infection vectors such as USB sticks. There’s nothing inherently wrong with XP and I’ve advised people to do similar (I also had a non-connected XP machine here running after support ended, and we had XP running on VMs which were restored from snapshot every restart, though they’ve now been phased out).

    Cougar
    Full Member

    Well to some extent it was just rumour at the time

    I had it confirmed pretty quickly, an infosec took it to bits to find out. It was just reported by absolutely no-one, because who listens to experts when there’s newspapers to sell.

    There’s not much risk doing that

    “Not connected to the Internet” doesn’t necessarily mean “not on a network.” With unpatched machines it’s perfectly possible for an Internet-connected PC to become infected and then for that to spread to other machines not on the Internet but still networked up.

    wwaswas
    Full Member

    “Quick! Update the servers and infrastructure so our data is protected.”
    tech: “But we’ve done no testing?”
    “Just do it!”
    *some time later*
    tech: “We’ve done all the updates.”
    “but no one can log in”
    tech: “yeah, that’s how secure it is!”
    “and some of the data’s gone”
    tech: “errrm, yeah. Still the servers are all patched now which was what you said you wanted.”
    “why didn’t you warn me?”

    The computer failure — that Queensland Health Minister Cameron Dick will tell Parliament of today — is most likely as a result of his department’s efforts in fending off “a very serious ransomware attack”.
    http://www.cairnspost.com.au/news/cairns-hospital-suffers-software-catastrophe-with-possible-loss-of-patient-data/news-story/c828de3f4a0f73132ec3d19284cbae88

    willard
    Full Member

    Aye, compatibility testing of hotfixes is a given, but that _should_ have been done in the two months between the patches being released and the malware’s first hit.

    People just do not like to patch if they know it is going to harm productivity.

    FuzzyWuzzy
    Full Member

    The thing is most IT departments aren’t staffed to cope with the bursty nature of proper patch testing. Where I work we deploy to a few test environment PCs but they only run some of the core apps (we can’t afford to run every single prod app in the test environment, as I doubt many businesses can). Once the basic testing has been done it’s pushed into live to a select set of PCs; if no issues are reported it’s pushed to the remaining several thousand PCs. There’s only time to do this quarterly and allow for a sufficient amount of testing (along with all the other work going on). Even then it’s impossible to test everything (hundreds of apps and some functions are only run monthly or annually).

    I’m not making excuses for the IT departments out there that still can’t be bothered to patch routinely but the general perception from the public of this being the case with anyone that suffers an outbreak from malware where a patch already exists isn’t correct.

    nemesis
    Free Member

    .


The topic ‘NHS in large scale IT shutdown’ is closed to new replies.