It was first reported as a hack but first reports are usually inaccurate.

That's moot.

Hackers used cyberweapons stolen from the US National Security Agency to strike organisations across the globe on Friday, from the UK’s National Health Service to European telecoms company Telefónica and FedEx of the US, the Financial Times has learnt.
A tool known as Eternal Blue developed by US spies was used by the hackers to supercharge an existing form of criminal malware, three senior cyber security analysts said, leading to one of the fastest-spreading and potentially damaging cyber attacks seen to date.
Their analysis was confirmed by western security officials who were scrambling to contain an attack that initially hit hospitals and doctors’ practices across the UK. The same or similar virus was used in a large-scale attack in Spain that hit Telefónica, the country’s main telecoms provider.
As the attack spread, FedEx, the US delivery services company, said it was “experiencing interference with some of our Windows-based systems caused by malware.” The Russian interior ministry confirmed that 1,000 of its computers had been affected, about 0.1 per cent of the total, but said its servers were not harmed.
The People’s Daily in China tweeted that similar attacks may have hit China and there were reports of similar attacks in dozens of other countries, including Russia, Portugal, Taiwan, Germany and Vietnam. MegaFon, one of Russia’s largest telecoms operators, confirmed it had been hacked.
The attack is a modified version of a virus known as WannaCry, a piece of ransomware first used by criminal networks online earlier this year. Ransomware encrypts data on computers and demands a fee typically payable in untraceable digital currency to unlock them.
Infection is almost always made by email but the latest version of WannaCry spread laterally through the computer networks of infected organisations.
The NSA’s Eternal Blue allows the malware to spread through file-sharing protocols set up across the internal networks of organisations, many of which criss-cross the globe.
Security officials in the UK, which has been among the countries worst hit, currently believe that the attacks are the work of a criminal group, though they are still working to assess the full nature of the attack.
“Whoever it is it looks very much like they are taking advantage of the NSA’s tools,” said Becky Pinkard, vice-president at Digital Shadows, a cyber intelligence firm. Ms Pinkard pointed to a highly classified NSA arsenal of digital weapons leaked online last year by a group called the Shadowbrokers as the likely source. “They seem to have adapted one particular tool, Eternal Blue, and that would explain why this is spreading so very fast.”
The UK’s National Cyber Security Centre, an arm of GCHQ, has been put on a state of high alert. The speed of the spread of the virus has caught many by surprise.
“We are still trying to find patient zero,” said John Bambenek, manager of threat systems at cyber security company Fidelis. “Everybody is scrambling right now. If I were a betting man I would say this has to be a criminal group — given the targets that have been hit, if this was a nation state, this would be active war material.”
In the UK, more than a third of the 260 hospital trusts across the country have been hit.
Hospitals in cities and towns such as London, Liverpool, York, Leicester, Derby and Glasgow were forced to close services, including cancelling operations and diverting ambulances to other hospitals. Staff were forced to use pen and paper.
The NHS said that there was no evidence that patient data had been accessed but was continuing to assess the damage done by the hack.
https://www.ft.com/content/e96924f0-3722-11e7-99bd-13beb0903fa3

If it's open source software isn't easier to corrupt and write malware?

On 13-May-17 9:46 AM, Fredxxx wrote:
...
According to postings on another group, MS still update it for large
corporate users, just not for Joe Public.

...
It appears that some of the Microsoft communications code (their SMB
code) was poorly written so this was a Microsoft-specific vulnerability.

Linux is not fault-free. But the open-source nature of it means that
many people get to see the code. That, in turn, generally means that
faults get detected much more quickly.

Remind me when "Linux" issued operating system maintenance bulletins.

"Linux" is a blanket term for countless distros, all "kinda" organised
by enthusiastic geeks. You can sue Microsoft, but how can you sue
"Linux"?

MM

---
This email has been checked for viruses by AVG.
http://www.avg.com

Good Heavens! the Tay Bridge is blown down.

But not Wales. Perhaps they don't have a computer system?

I believe its more down to the cost of an upgrade and XP functions
efficiently.
I suspect most instruments are sold on the basis they are 'network
ready' and can integrate into the NHS or hospital system.

On Sat, 13 May 2017 09:52:48 +0100, Martin Brown
That's not just a problem in the health service, many pos systems
are still xp based primarily because they need to seamlessly
interface with existing kit , even for smaller operations the cost to
upgrade to a later operating system is so disruptive to business and
costly to implement its avoided as long as possible

Why are these externally accessible?

I have three computers, one that I use on the net and a private computer. The third is used as an intermediate for both in which files can only be saved via a flash drive. At each stage a virus check is performed.

Rubbish.

That's as I understand it, too. The patch was available to those who
paid but Microsoft decided not to make it available for free.
Well, the government decided not to keep spending the money but told NHS
trusts that they had to upgrade or pay for their own IT patches.

On reflection, you could say that the government should have kept paying
Microsoft and/or the trusts should have paid for patches or upgrades.
But that's with hindsight.
Well, the original Microsoft code had a bug in it. They wrote the code.
They sold it. Neither their programmers, their code review team, nor
their system testing procedures picked up the fault.

How would mandatory super-Draconian snooping software (MSDSS)
help to reduce cyber attacks, malware, etc.? Surely it would
just provide another route in for clever hackers?