Bad sign? Five years after support for XP ended, Microsoft issues patch for Windows XP and Windows 2003
Microsoft has taken the unusual step of issuing a security update for an operating system that it ceased supporting over five years ago.
The operating system in question is of course Windows XP, which was launched way back in 2001. Microsoft had ended its official support for XP back in April 2014.
But Redmond has now warned of a bug so bad that it could lead to a massive global computer virus outbreak like the WannaCry malware, so it has issued a rare patch for both XP and Windows 2003.
Microsoft announced the XP update in a blog post by Simon Pope, Director of Incident Response at the Microsoft Security Response Centre.
The software giant withheld exact details of the flaw, saying only that it relates to Remote Desktop Services, a feature that lets administrators take control of another computer that’s on the same network.
“Today Microsoft released fixes for a critical Remote Code Execution vulnerability, CVE-2019-0708, in Remote Desktop Services – formerly known as Terminal Services – that affects some older versions of Windows,” wrote Pope. “The Remote Desktop Protocol (RDP) itself is not vulnerable.”
“This vulnerability is pre-authentication and requires no user interaction,” he wrote. “In other words, the vulnerability is ‘wormable’, meaning that any future malware that exploits this vulnerability could propagate from vulnerable computer to vulnerable computer in a similar way as the WannaCry malware spread across the globe in 2017.”
Pope said that Microsoft has observed no exploitation of this vulnerability, but that “it is highly likely that malicious actors will write an exploit for this vulnerability and incorporate it into their malware.”
“Now that I have your attention, it is important that affected systems are patched as quickly as possible to prevent such a scenario from happening,” he warned. “In response, we are taking the unusual step of providing a security update for all customers to protect Windows platforms, including some out-of-support versions of Windows.”
Vulnerable in-support systems include Windows 7, Windows Server 2008 R2, and Windows Server 2008. Windows 2003 and Windows XP are also vulnerable, but there was no word on whether the issue also affects Windows Vista.
Windows 8 and Windows 10 are not vulnerable.
Microsoft last issued a security patch for Windows XP just over two years ago, and security experts were quick to point out the importance of this patch.
“Two years after the WannaCry ransomware attack plagued hundreds of thousands of computers across the globe, organisations have been warned of a security flaw that could be exploited to create a WannaCry-like worm,” said Matt Ellard, MD EMEA at Tanium. “Although no exploitation has been spotted for the latest vulnerability, hackers are likely to create one and incorporate it into their malware.”
“Given that global cyber-attacks such as WannaCry were catalysed by poor patching hygiene, organisations need to ensure that they can confidently protect critical assets, monitor impact, and recover from the unexpected,” said Ellard. “However, our latest research shows that 94 percent of CIOs and CISOs are having to make trade-offs in how well they can protect their organisations from cyber threats, outages and other forms of disruption.”
Another expert said that Microsoft’s last XP patch came just before the WannaCry outbreak.
“This announcement is against Microsoft’s DNA,” explained Migo Kadem, senior director at SentinelOne. “Microsoft has long had a schedule for ridding itself of legacy OS versions: end-of-life for Windows 7 is scheduled for January 14, 2020, and Windows 7 will become entirely unsupported as of March 14, 2020. At that time, it will no longer receive software updates, even though it currently represents 33.38 percent of the Windows market.
“Although patching is not a cybersecurity silver bullet, it doesn’t mean it is not helpful,” said Kadem. “Our advice is: install these updates to as many devices as possible on your network. We know there will be more, so make sure your security procedures are in place.”