Health eProfile Articles and Education
Don't tell people to turn off Windows Update, just don't

Retrieved by Health eConsultation

You know what really surprised me about this whole WannaCry ransomware problem? No, not how quickly it spread. Not the breadth of organisations it took offline either and no, not even that so many of them hadn't applied a critical patch that landed a couple of months earlier. It was the reactions to this tweet that really surprised me:

When you position this article from a year ago next to the hundreds of thousands of machines that have just had their files encrypted, it's hard to conclude that it in any way constitutes good advice. I had the author of this post ping me and suggest that people should just manually update their things if they disabled Windows Update. That's fine in, say, a managed desktop environment such as many organisations run and let's be clear - disabling Windows Update isn't the issue in that situation because there are professionals managing the rollout of patches (with the obvious exception of the organisations that just got hit by WannaCry). But your average person is simply not going to keep on top of these things which is why auto-updaters are built into so many software products these days. Obviously they're in Windows, same with Mac OS and iOS, same with browsers like Chrome and Firefox and same again with the apps themselves on a device like your iPhone by virtue of the App Store automatically keeping them current.

Often, the updates these products deliver patch some pretty nasty security flaws. If you had any version of Windows since Vista running the default Windows Update, you would have had the critical Microsoft Security Bulletin known as "MS17-010" pushed down to your PC and automatically installed. Without doing a thing, when WannaCry came along almost 2 months later, the machine was protected because the exploit it targeted had already been patched. It's because of this essential protection provided by automatic updates that those advocating for disabling the process are being labelled the IT equivalents of anti-vaxxers and whilst I don't fully agree with real world analogies like this, you can certainly see where they're coming from. As with vaccinations, patches protect the host from nasty things that the vast majority of people simply don't understand.

This is how consumer software these days should be: self-updating with zero input required from the user. As soon as they're required to do something, it'll be neglected which is why Windows Update is so critical. Let's start there:

Leave your automatic updates on

The frustrating part of the debate that ensued after that tweet is

Everything you need to know about the WannaCry / Wcry / WannaCrypt ransomware

Nathan E Botts

I woke up to a flood of news about ransomware today. By virtue of being down here in Australia, a lot happens in business hours around the world while we're sleeping but conversely, that's given me some time to collate information whilst everyone else is taking a break. The WannaCry incident is both new and scary in some ways and more of the same old stuff in others. Here's what I know and what the masses out there need to understand about this and indeed about ransomware in general.
