Microsoft to remove SMB1 protocol - used by Wannacry - from Windows 10

In the latest Windows 10 Build 16226 for Home and Professional editions, the client side of SMB1 remains to enable users to connect to devices still using the decades-old protocol. All Enterprise and Education editions have SMB1 totally uninstalled by default.

The firm said that the change only affects clean installations of Windows, not upgrades.

“We are making this change to reduce the attack surface of the OS,” it said in a blog post.

While some Windows 10 editions can still use the protocol in a limited set of cases, the firm recommended uninstalling the protocol wherever it is not being used.

“The removal of SMB1 means the removal of the legacy Computer Browser service. The Computer Browser depends exclusively on SMB1 and cannot function without it,” it said.
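The check Microsoft's recommendation implies, as an added example that is not code from the article or from the Microsoft blog post: it audits whether SMB1 is installed, enabled, or actually negotiated by any session on a Windows 10 host, notes the state of the dependent Computer Browser service, and removes the protocol only when nothing observed uses it. It assumes an elevated PowerShell session with the SmbShare and DISM cmdlets available.

```powershell
# Added example (not from the article or Microsoft's blog post): audit SMB1 on a
# Windows 10 host and remove it only when nothing is observed using it.
# Assumes an elevated PowerShell session with the SmbShare and DISM cmdlets.

function Get-Smb1Status {
    # Anything negotiating a dialect below 2.0 is SMB1 (reported as e.g. '1.5').
    $isSmb1 = { $_.Dialect -and ([version]$_.Dialect -lt [version]'2.0') }
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    [pscustomobject]@{
        FeatureState    = if ($feature) { $feature.State } else { 'NotPresent' }
        ServerEnabled   = (Get-SmbServerConfiguration).EnableSMB1Protocol
        # Inbound sessions from SMB1-only clients (this host acting as server).
        Smb1Sessions    = @(Get-SmbSession -ErrorAction SilentlyContinue | Where-Object $isSmb1)
        # Outbound connections to SMB1-only devices (this host acting as client).
        Smb1Connections = @(Get-SmbConnection -ErrorAction SilentlyContinue | Where-Object $isSmb1)
        # Computer Browser depends exclusively on SMB1, so its state is a useful tell.
        BrowserService  = (Get-Service -Name Browser -ErrorAction SilentlyContinue).Status
    }
}

function Remove-Smb1IfUnused {
    $status = Get-Smb1Status
    $status | Format-List | Out-Host

    if ($status.Smb1Sessions.Count -gt 0 -or $status.Smb1Connections.Count -gt 0) {
        # Something still depends on SMB1: list the peers and switch on server-side
        # auditing (Microsoft-Windows-SMBServer/Audit log) so they can be migrated first.
        Write-Warning 'SMB1 traffic observed; migrate these peers before uninstalling.'
        $status.Smb1Sessions    | Select-Object ClientComputerName, ClientUserName, Dialect
        $status.Smb1Connections | Select-Object ServerName, ShareName, Dialect
        Set-SmbServerConfiguration -AuditSmb1Access $true -Force
        return $false
    }

    # Nothing uses it: disable the server side first, then uninstall the feature.
    if ($status.ServerEnabled) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    }
    if ($status.FeatureState -eq 'Enabled') {
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
        Write-Warning 'SMB1Protocol removed; a reboot completes the uninstall.'
    }
    return $true
}

Remove-Smb1IfUnused
```

Because the audit is a point-in-time snapshot, leaving `AuditSmb1Access` enabled for a while before removal catches clients that connect only occasionally.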

The blog referred to a previous blog posting from last September. Ned Pyle, program manager in the Microsoft Windows Server high availability and storage group, said that the original SMB1 protocol is nearly 30 years old, and like “much of the software made in the 80's, it was designed for a world that no longer exists”.

“A world without malicious actors, without vast sets of important data, without near-universal computer usage. Frankly, its naiveté is staggering when viewed through modern eyes. I blame the West Coast hippy lifestyle,” he said.

He added that there are very few cases left in any modern enterprise where SMB1 is the only option.

Javvad Malik, security advocate at AlienVault, told SC Media UK that SMB1 has been deprecated for years.

“It's over 30 years old, and much like many protocols that were designed at that time, security was not factored into it. Also, compared to newer protocols it is neither efficient, nor has any other upsides,” he said. “So, yes, removal of SMB1 will reduce the attack surface, and improve overall security.”

“But this isn't just restricted to the SMB1 protocol. Enterprises should look at all the protocols in use, and where possible, ensure they have moved away from the ones that are no longer supported or deprecated,” he added.

“Although, this is easier said than done. Because so many of these protocols are inherently part of the fabric of the internet, upgrading all, while removing backward compatibility will take time.”

Artem Shishkin, senior development specialist at Positive Technologies, told SC Media that SMBv1 is “vulnerable in its core”.

“It's not even about implementation errors, which led to WannaCry. Even if it's implemented without errors, it still has logical flaws that put security out of the question. As far as I know, you can get admin access to files without an admin account via SMBv1. Indeed, Windows security increases when such a vulnerable component is not supported,” he said.

Shishkin added that there is another vulnerable component, a graphical subsystem called win32k.sys.

“But how can you remove it? Usually, old components (about 20 years) are vulnerable. Vulnerabilities in graphical subsystems are found about once a month. New flaws in font and printer drivers are also detected every now and then. But you can't just remove these components, because it can be difficult to write a new one and backward compatibility can be lost. The problem also occurs in Windows 10, and attempts to block obsolete components are being made in order to mitigate it,” he said.