Microsoft issues new patch for Windows XP to fight a dangerous 'wormable' vulnerability
Microsoft stopped supporting Windows XP back in 2014, but took the 'highly unusual' step of releasing a patch for the ancient OS two years ago in a bid to fight back against the WannaCry ransomware, and then included XP in that June’s Patch Tuesday updates.
You’d be forgiven for thinking that that would be the very last time Microsoft patched XP, but no. The software giant has included Windows XP and Windows Server 2003 (also no longer supported) in today’s Patch Tuesday fixes.
The reason Microsoft has once again included XP is to prevent a wormable vulnerability that could -- if unchecked -- wreak havoc in the same way that WannaCry did.
Announcing the move, the company explains:
Today Microsoft released fixes for a critical Remote Code Execution vulnerability, CVE-2019-0708, in Remote Desktop Services -- formerly known as Terminal Services -- that affects some older versions of Windows. The Remote Desktop Protocol (RDP) itself is not vulnerable. This vulnerability is pre-authentication and requires no user interaction. In other words, the vulnerability is 'wormable', meaning that any future malware that exploits this vulnerability could propagate from vulnerable computer to vulnerable computer in a similar way as the WannaCry malware spread across the globe in 2017. While we have observed no exploitation of this vulnerability, it is highly likely that malicious actors will write an exploit for this vulnerability and incorporate it into their malware.
Now that I have your attention, it is important that affected systems are patched as quickly as possible to prevent such a scenario from happening. In response, we are taking the unusual step of providing a security update for all customers to protect Windows platforms, including some out-of-support versions of Windows.
Naturally, Microsoft would prefer you upgrade to a newer version of Windows -- i.e. Windows 10 -- as it isn’t affected by the vulnerability, but anyone who wants to continue to stick with XP or Windows Server 2003 can download the relevant security update from here.