Microsoft Unveils New Removal Plans for SMB1 in Windows Systems

Microsoft is ramping up its long-term plans to eventually remove Server Message Block 1 (SMB1) from future Windows operating system releases, according to a Tuesday announcement.

SMB1 is a Windows operating system messaging component that got widely exploited five years ago by malware called "NotPetya," also known as "WannaCry" or "WannaCrypt." This "wormable" malware affected multiple organizations around the globe, including hospitals, pharmaceutical companies, telecom companies and overseas shipping organizations.

Microsoft's latest phase-out plans for SMB1 were described by Ned Pyle, a principal program manager on the Windows Server engineering team, and a leader at Microsoft on the SMB component. First, SMB1 will stop getting installed by default for users of Windows Home editions. Microsoft is currently previewing that change in builds available via its Windows Insider Program Dev Channel releases.

Next, a total removal of SMB1 binaries will be coming with a future Windows release. At that point, it'll only be possible to install SMB1 using an unsupported install package, Pyle noted.

There's currently one exception on SMB1 installations. If SMB1 had been installed on a Windows system, it'll remain after a so-called "in-place upgrade" of the OS gets performed, according to Pyle.

Microsoft had kept SMB1 for Windows Home edition users so that they would still be able to connect with, and use, their older devices, such as network attached storage devices, Pyle explained. Microsoft had a scheme in place, though, to turn SMB1 off if it wasn't being used.

When Microsoft does eventually yank SMB1 in a future Windows release, it'll likely cause some consumer pain, Pyle suggested.
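The article notes that SMB1 survives in-place upgrades, is kept for older devices such as NAS boxes, and will cause pain for whoever still depends on it when it is removed. As an added example (not part of the article or of Microsoft's own guidance), the following PowerShell audit inventories the SMB1 state of a host and switches on Windows' SMB1 access auditing so that any remaining SMB1 clients show up in the event log before the component disappears; it assumes an elevated session on a recent Windows 10/11 or Windows Server build whose SmbShare module supports the AuditSmb1Access setting, and that audit event 3000 carries a "Client Address:" field in its message text.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the article): find out whether SMB1 is present,
# whether the server still accepts it, and which clients still use it.

# 1. Are the SMB1 optional-feature components (client, server, deprecation
#    timer) still present on this host, e.g. carried over by an in-place upgrade?
Get-WindowsOptionalFeature -Online |
    Where-Object FeatureName -like 'SMB1Protocol*' |
    Select-Object FeatureName, State |
    Format-Table -AutoSize

# 2. Even with the binaries present, the server may already refuse SMB1.
$srv = Get-SmbServerConfiguration
"EnableSMB1Protocol = $($srv.EnableSMB1Protocol)"
"AuditSmb1Access    = $($srv.AuditSmb1Access)"

# 3. Turn on SMB1 access auditing. Every SMB1 connection is then recorded as
#    event ID 3000 in Microsoft-Windows-SMBServer/Audit, which tells you which
#    legacy devices would break once SMB1 is gone.
if (-not $srv.AuditSmb1Access) {
    Set-SmbServerConfiguration -AuditSmb1Access $true -Force
}

# 4. Summarise the client addresses seen since auditing began. The regex
#    assumes the event message contains a "Client Address: <addr>" line.
Get-WinEvent -LogName 'Microsoft-Windows-SMBServer/Audit' -ErrorAction SilentlyContinue |
    Where-Object Id -eq 3000 |
    ForEach-Object {
        if ($_.Message -match 'Client Address:\s*(\S+)') { $Matches[1] }
    } |
    Group-Object |
    Sort-Object Count -Descending |
    Select-Object Count, Name -First 10

# 5. Once the audit log stays empty for a reasonable period, disable SMB1 and
#    remove the feature. Left commented out so the script is read-only by default.
# Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
# Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart
```

Run the inventory once to record the starting state, leave auditing on for long enough to cover periodic jobs (backups, scanners, old printers), then disable SMB1 only after step 4 reports nothing.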

Efforts To Remove SMB1
It may be surprising that SMB1 is still available and being used, given its widespread exploit history.

Microsoft had plans to remove SMB1 back in 2017, but it later explained in 2020 that it was still around in some Windows systems, with mitigations in place. Pyle clarified that SMB1 was not installed by default starting with a 2017 Windows feature update, except for Home and Pro editions. In a 2018 Windows feature update release, SMB1 was not installed in Pro editions.

The current Microsoft plan is now to remove SMB1 as a default installation in Windows Home editions, and then next remove the binaries altogether. Exact timing for these two changes wasn't indicated.

WannaCry the Wiper
The WannaCry perpetrators had exploited the vulnerability in SMB1 by leveraging a U.S. National Security Agency hacking tool, called "EternalBlue," for the malware. A group calling itself "the Shadow Brokers" had posted some of those hacking tools online, including EternalBlue.

WannaCry has been described as destructive wiper malware that was disguised as ransomware. It actually fails to encrypt data when tested, according to a Wednesday Twitter post by Kevin Beaumont, formerly of Microsoft. He added that the SMB1 vulnerability remains a threat, since a "large unpatched attack surface" still exists.

In 2019, security solutions provider Sophos had described a "broken" version of WannaCry being circulated that lacked the ability to encrypt data, but still had the ability to rapidly proliferate across systems. The initial WannaCry release, though, had gotten disabled via a so-called "kill switch" that stopped it from infecting other computers, Sophos had explained.

About the Author

Kurt Mackie is senior news producer for 1105 Media's Converge360 group.
