How to make sure your Windows PC won't get hit by ransomware like WannaCry

Microsoft has released MS17-010 and other patches to block worms like WannaCry. Here are the key details

You need to get your Windows computer protected against WannaCry and its ilk. Here are detailed instructions on how to see if you need patching and, if you do, how to get patched.

By far the easiest method is to simply run Windows Update and install all important patches. You may not be able to do that—or may not want to do that—for several important reasons:

  • You may not want all of the latest patches, whether for compatibility reasons or because you don’t trust Microsoft’s additional snooping in Windows 7 and 8.1 Monthly Rollups
  • If you’re using Windows XP or Windows 8, Windows Update doesn’t work
  • If you’re running Windows 7 or 8.1 on a newer computer (Kaby Lake and Ryzen processors, as well as several others), Microsoft may have gratuitously blocked Windows Update
  • You may have problems running Windows Update for myriad reasons, and you don’t want to futz around with figuring out the reason or resetting while the threat lingers

Your approach to checking if you need the patches, and then installing them, will vary depending on your operating system.

Windows XP, Windows 8

You don’t have the WannaCry patch, unless you downloaded and installed it already. Follow the links under “Further Resources” at the bottom of the Technet page to download and run the installer. Michael Horowitz on Computerworld has detailed instructions for XP.

(Note: I had a question in an earlier post about installing this patch on pirate copies of Windows XP. I’ve seen a lot of pirate copies of WinXP, and I don’t trust any of them. If you install Microsoft’s patch on a pirate XP machine, you may well brick it. On the other hand, if you don’t install the patch, somebody else may come in and brick it for you. If I had to do it, I’d back up everything and roll the dice. But be ready to install Win7 from scratch if the XP pirate doesn’t come back up for air.)

Vista

To see if the patch is already installed, click Start > Control Panel > System and Security. Under Windows Update click the View installed updates link. Look for one marked “Security Update for Windows Vista (KB4012598).” If you don’t have it, download it from the Microsoft Update Catalog, and install it.

Windows 7

If you can’t get Windows Update to work because Microsoft is punishing you for running Win7 on a newer computer, be of good cheer. The fact that you can’t run Windows Update means that you’ve already installed the fix.

For everybody else, if you don’t want to install all of the current patches, you can see if the patch is already installed. Click Start > Control Panel > System and Security. Under Windows Update click the View installed updates link. Scan the list (which can be alphabetized by clicking the box marked Name, or sorted by date) to see if you have any of these patches:

  • 2017-05 Security Monthly Quality Rollup for Windows 7 (KB4019264)
  • April, 2017 Preview of Monthly Quality Rollup for Windows 7 (KB4015552)
  • April, 2017 Security Monthly Quality Rollup for Windows 7 (KB4015549)
  • March, 2017 Security Monthly Quality Rollup for Windows 7 (KB4012215)
  • March, 2017 Security Only Quality Update for Windows 7 (KB4012212)

If you have any of those patches already installed, then you are good to go and you can sleep well at night. There’s no reason to download or install anything, unless you have absolutely none of those patches. I’m not recommending that you install something--just look at the list and see if you have any of these patches.

If you have none of the patches, download and install the March 2017 Security Only Quality Update for Windows 7 (KB4012212) for 32-bit or 64-bit.

(Note that the list is quite deliberate and, I think, exact—except for two earlier Rollup Previews, which are unlikely to appear on your computer. In particular, if you’re manually installing security-only patches in the “Group B” style, you must have the March 2017 Security Only Quality Update for Windows 7 (KB4012212). Other security-only patches don’t include the MS17-010 fix.)

Windows 8.1

Again, if Microsoft is blocking Windows Update because your computer is running on a Kaby Lake, Rizen, Carrizo DDR4, AMD RX-480, or any of a handful of similar newer processors, you’re fine. The fix has already been installed.

Otherwise, to see if the patch is already installed, click Start > Control Panel > System and Security. Under Windows Update click the View installed updates link. Scan the list (which can be alphabetized by clicking the box marked Name, or sorted by date) to see if you have ANY of these patches:

  • 2017-05 Security Monthly Quality Rollup for Windows 8.1 (KB4019215)
  • April, 2017 Preview of Monthly Quality Rollup for Windows 8.1 (KB4015553)
  • April, 2017 Security Monthly Quality Rollup for Windows 8.1 (KB4015550)
  • March, 2017 Security Monthly Quality Rollup for Windows 8.1 (KB4012216)
  • March, 2017 Security Only Quality Update for Windows 7 (KB4012213)

If you have any of those patches, you’re fine. Again, I’m not suggesting that you install anything unless none of those patches are installed. If you have none of those patches, download and install the March 2017 Security Only Quality Update for Windows 8.1 (KB4012213) for 32-bit or 64-bit.

See the note above about security-only patches. Again, I believe this list is complete and accurate.

Windows 10

While it’s true that WannaCry doesn’t attack Win10 computers, that shouldn’t make you complacent. The faulty SMBv1 driver is alive and well on Win10 machines, and it could be used in the future to take over your PC. You need to make sure you’re patched.

Creators Update (version 1703) is fine.

Anniversary Update (version 1607) – Check your build number. If you have Build 14393.953 or later, you’re fine. If you don’t, use Windows Update to install the latest build 14393.1198. Yes, I know that violates the current MS-DEFCON 2 setting, but you need to get up to or beyond 14393.953.

Fall Update (version 1511) – Use the steps above to check your build number. You have to be at build 10586.839 or later. Abandon the MS-DEFCON rating system if you must to get up to or beyond that build number.

RTM (“version 1507”) – Follow the same procedure to make sure you’re up to or beyond build 10240.17319. And remember that your system’s toast soon.

======================================

Nice and easy, huh?

Everybody needs to get their systems updated, at least to the point mentioned here. Yes, that includes your sainted Aunt Martha.

Computerworld's IT Salary Survey 2017 results
Shop Tech Products at Amazon