Microsoft is the one to blame for the WannaCry ransomware infection, says former head of GCHQ Sir David Ormand, as the software giant pulled Windows XP too soon and left companies and organizations with no protection against this kind of threats.

In a letter to The Times, Ormand explains how Microsoft created an unnecessary risk for its customers, including here the British National Health Service (NHS) whose computers were compromised by WannaCry as well.

“Should Microsoft have stopped supporting Windows XP so soon, knowing that institutions had invested heavily in it (at the urging of the company at the time)?” he said.

WannaCry and Windows risks

WannaCry is a new type of ransomware based on a Windows vulnerability that was discovered and kept secret by the United States National Security Agency (NSA). Hacking group Shadow Brokers managed to steal the security flaw and decided to make it public earlier this year.

Microsoft patched the vulnerability with Windows security updates that were released according to its monthly update rollout called Patch Tuesday, so once the WannaCry outburst started, systems running full up-to-date Windows were completely secure.

On the other hand, systems that are no longer receiving support, as is the case of Windows XP, were left vulnerable to attacks, with Microsoft deciding to publish a dedicated patch for these versions when reports of the ransomware quickly spreading across the world were received.

Microsoft itself blamed the NSA for holding Windows vulnerabilities and not reporting them to the company, but UK’s Ormand says the Redmond-based software giant is at fault for putting everyone at risks.

And it’s all because it decided to pull support for Windows XP in April 2014. Launched in 2001, Windows XP no longer receives support since 2014, with the company offering custom support to companies that are yet to upgrade, including to the NHS, which, however, decided not to renew the contract last year.

Windows XP was originally projected to reach end of support in 2009, two years after the launch of Windows Vista, but Microsoft pushed it to extended support and provided security patches for an extra 5 years because it was still widely used at that time. In the last 12 months of support, however, the software giant repeatedly warned organizations and users of the incoming end of life, providing solutions, documentation, and support for migrating to newer Windows.

NSA and companies at fault

This is why Misha Govshteyn, founder and SVP at Alert Logic, thinks that Microsoft is not at fault for WannaCry, but only the NSA for not reporting the bug and companies for running old software.

“This is a classic game of news spin from all parties involved, but the GCHQ position is especially rich in alternative facts,” he said.

“If the NSA really wanted to be responsible, they would have contacted technology vendors shortly after they realised their toolkits were stolen. Doing so would have given technology companies more time to respond and consumers more time to patch. Instead, NSA chose to play the game of chicken with Shadow Brokers and allowed, of all people, Julian Assange to be the disclosing party. This is the least defensible decision in this whole saga.”

Despite end of support being reached more than 3 years ago, Windows XP remains the third most popular desktop OS worldwide with a share of nearly 7 percent.