In a somewhat out-of-character move, Microsoft has released a security update for Windows XP, an OS that's officially out of support. The tech giant released a statement on Tuesday about a Remote Code Execution (RCE) vulnerability in older versions of Windows.
The flaw is present in Remote Desktop Services and affects Windows Server 2008 and 2003, Windows 7, and Windows XP. Frighteningly, the vulnerability requires no user interaction and is pre-authentication. This means attackers could craft ‘wormable' malware that spreads across devices.
“Any future malware that exploits this vulnerability could propagate from vulnerable computer to vulnerable computer in a similar way as the WannaCry malware spread across the globe in 2017,” explained Microsoft in a support article. “While we have observed no exploitation of this vulnerability, it is highly likely that malicious actors will write an exploit for this vulnerability and incorporate it into their malware.”
WannaCry spread quickly across the globe last year after starting in the United Kingdom and Spain. At its peak, it had infection over 230,000 computers, locking down computers unless users paid a ransom. It affected a swathe of important originations from Britain's National Health Service to FedEx and Telefonica.
There's no indication that malware targeting the new vulnerability is currently spreading, but Microsoft warns that it could if users don't act. In support customers with automatic updates will be safe already, and those with it turned off can get updates via the normal route.
Out of Support Mitigations
Microsoft was previously accused of withholding Windows XP patches for WannaCry for too long. Some argued that the company has a responsibility to stop the spread of such malware. This time, it appears the company agrees. Not patching Windows XP would make it easier for malware to spread to in-support customers who haven't had the chance to update.
It's also worth noting that while systems with Network Level Authentication (NLA) are mitigated somewhat, they aren't invulnerable. The feature simply removes the pre-authentication aspect of the vulnerability, and attackers that gained credentials via other means can still execute code.
As well as the emergency release, Microsoft's recent Patch Tuesday fixes issues across SQL Server, Office 365, Adobe Flash, and many other programs. Users should make sure they have both to be fully safe.