Grammy Winners Hogwarts Legacy Review 'Last of Us' Episode 5 Coming Early Frozen Yogurt Day Freebies Super Bowl Ads Super Bowl: How to Watch Popular Tax Deduction Wordle Hints for Feb. 6
Want CNET to notify you of price drops and the latest stories?
No, thank you

5 ways Microsoft can prevent the next WannaCry

If PC users can't be convinced to upgrade operating systems and turn on automatic updates, more drastic measures may be called for.

Windows 10 S is a streamlined version of Microsoft's operating system specified for the classroom.
Sarah Tew/CNET

"PC" stands for personal computer. And that idea of personalization has only expanded as the definition of computer has morphed to include the mobile devices that we carry with us, such as the phones that most people now consider an extension of their body. I bet your phone is within your reach right now -- or at least in the same room.

As these devices become ever more critical to us, keeping your digital life safe -- your banking info, your personal photos and videos, your messages to friends and coworkers, your passwords -- has become paramount. But digital security is work: Downloading, verifying and installing new updates often sends your device into a long reboot and installation sequence. That's often up to 20 minutes without your PC or phone. (Yes, iPhone OS patch installs can be just as time-consuming as Windows PCs.)

It's a first-world problem, to be sure -- but for anyone who's finalizing a document for work or coordinating a pickup with the kids, it may be 20 minutes too long.


Are these laptops getting automatic updates?

Sarah Tew/CNET

Enter WannaCry. The worst malware attack in recent memory spread like wildfire across tens of thousands of unpatched or out-of-date Windows PCs throughout the world, locking computers until and unless a ransom was paid. Indeed, there's plenty of blame to go around -- from Microsoft, for creating such insecure software to begin with, to the NSA, whose leaked cyberspying tools were utilized in the attack. And yes, sites like ours have gotten our share of the blame, too.

And while it's easy -- and correct -- to say that everyone needs to suck it up and turn automatic updates on, that ignores a key problem: If users are bending over backwards to opt out and work around these security updates, it's because the system is broken. It's not unlike the automatic seatbelts in cars from the 1980s. They were so poorly designed and intrusive that many people just disconnected them -- even though doing so put their life in danger.

To that end, to make it easier for people to properly inoculate their systems, protecting both themselves and others, a better-optimized ecosystem is needed. But be warned: The final two cross over into draconian territory that you won't like.

1. Separate security updates

Windows Update frequently tries to download a large number of updates and then reboot my PC one or more times -- and I don't always want to let it. If there were a clearer way to say, "automatically install critical security updates and table everything else," this wouldn't be a problem. Meanwhile, simple feature updates that have nothing to do with security -- Paint 3D, more emojis, whatever -- could be installed at the user's leisure, or during overnight sessions if no apps are otherwise running.

It is possible to set up update preferences in some versions of Windows with a degree of granularity, but it's not as clear as it should be. And if you follow Microsoft's recommended settings, you'll constantly be on the update merry go round. The May 9, 2017 security update for Windows 10 included 18 security updates alone.

2. Updates should be quick and easy to install

When we asked Microsoft about its security in light of WannaCry, here's what a company spokesperson said:

Those who are running our free antivirus software or have Windows Update enabled are protected. Given the potential impact to customers and their businesses, we have also released updates for Windows XP, Windows 8, and Windows Server 2003. For more information see our Microsoft Security Response Center blog; 'Customer Guidance for WannaCrypt Attacks', and our Microsoft On The Issues blog; that calls for global collective action.

Fair enough. But let's be honest, a lot of people try to avoid Windows Update because its implementation in the initial version of Windows 10 was pretty awful. Plenty of us had the infuriating experience of Windows rebooting (apparently) spontaneously, resulting in lost or delayed mission-critical work. Microsoft went a long way to addressing that frustration with the Windows 10 Creators Update, which became available just a few weeks ago. It's on a rolling update schedule, so not everyone who's eligible has it yet.

But more needs to be done. Making updates less dependent on closing all your software and rebooting the entire system would mean fewer people (like myself) endlessly hitting the "snooze" button on reboots. This goes for macOS, iOS and Android as well -- all of which can sometimes require you to actively install an update even if it automatically downloads.

Yes, updating operating systems is a bit like brain surgery. But if Microsoft can get Windows to updates to be as modular as possible -- more like the way iOS apps or Google Chrome does -- it'll be all the better. The fact that the Edge browser can eventually be updated without a full OS-level overhaul, for instance, is a step on the right path.


The Windows 10 free upgrade was for a limited time and only included certain older systems.

3. Make OS upgrades free and available forever

The move from Windows 7 or 8 to Windows 10 was free and relatively painless, while previous Windows generational updates cost consumers money. But, that upgrade was only free for a limited time. A year may seem like a long window to upgrade, but the name of the game is getting everyone (with compatible hardware, at least) on the same platform and minimizing OS fragmentation.

Consider that 21% of iPhones are currently running older versions of that operating system as of February 2017, while by at least one reckoning (as of April 2017) about half of all desktops and laptops were still running Windows 7, 8 and 8.1 -- even though the latter were all eligible for free Windows 10 upgrades at some point.

And now, the two suggestions you'll probably hate:

4. Stop letting people sideload software

The idea of downloading and installing any software package from anywhere on the internet is becoming less of a norm than it used to be. "Locking down" an operating system to only allow pre-certified software is already how iOS works on iPhones and iPads. Chrome OS devices like Chromebooks also limit extra software to in-browser apps.


Computers that will run the new windows 10 S operating system.

Sarah Tew/CNET

And if you thought that idea would never come to mainstream laptops or desktops, think again. Microsoft's latest version of Windows, called Windows 10 S, is a harbinger of things to come. It restricts software to apps found in the official Windows app store and doesn't give users access to OS-level command and control. This isn't the first time we've seen Windows take a walled garden approach. It's just the previous version, called Windows RT, only appeared on a couple of systems before vanishing forever.

Is this idea going to work for everyone? Not a chance. No one likes giving up the freedom to install new software. And unless a lot of legacy Win32 apps make their way to the Windows Store (is that even possible for Steam?), it's a nonstarter for gamers.

The ideas behind iOS and Windows 10 S make your device a lot less flexible. But you have to admit that in the long run it's probably safer for everyday users who run nothing more than office productivity apps, web browsers and streaming media apps.

5. The nuclear option: Take older products offline

It's a drastic step, but something needs to be done with older PCs that are connected to the internet while running unpatched, out-of-date operating systems. If an owner insists on running "unsupported" legacy systems (I'm looking at you, Windows XP) that are effectively security nightmares waiting to happen, that machine may have be to be either decommissioned or else cut off from the internet. Samsung did a version of this with its fire-prone Galaxy Note 7: After the final die-hard holdouts ignored the recall notice, the company pushed a firmware update that effectively killed the remaining devices.

Obviously, such a bold step would change how we look at hardware ownership -- products would effectively have to come with an expiration date. But if Microsoft and other companies can't guarantee security updates "forever," the tradeoff may need to be that the device can't be allowed to go online anymore.

It's like banning an unvaccinated child from school: You may not want to immunize your kid against a childhood disease, but it's the responsible thing to do. And because you're not only putting your child at risk, you're risking the health of others.

In a post-WannaCry world, it may well be time to apply that model to vulnerable devices.