In an unusual move, Microsoft today issued a security patch for Windows XP, which hasn’t been officially supported since 2014.

“Today Microsoft released fixes for a critical Remote Code Execution vulnerability in Remote Desktop Services – formerly known as Terminal Services – that affects some older versions of Windows,” a Microsoft support document notes. “The Remote Desktop Protocol (RDP) itself is not vulnerable … [Instead,] the vulnerability is ‘wormable’, meaning that any future malware that exploits this vulnerability could propagate from vulnerable computer to vulnerable computer in a similar way as the WannaCry malware spread across the globe in 2017. While we have observed no exploitation of this vulnerability, it is highly likely that malicious actors will write an exploit for this vulnerability and incorporate it into their malware.”

Vulnerable systems include Windows XP and Windows Server 2003, neither of which is supported by Microsoft, as well as Windows 7, Windows Server 2008, and Windows Server 2008 R2.

“Customers running Windows 8 and Windows 10 are not affected by this vulnerability, and it is no coincidence that later versions of Windows are unaffected,” the support note trumpets in a bit of marketing. “Microsoft invests heavily in strengthening the security of its products, often through major architectural improvements that are not possible to backport to earlier versions of Windows.”

While releasing an update for Windows XP is unusual, it’s not unprecedented. Microsoft infamously and secretly fixed a serious flaw in the platform past its support end date when WannaCry took down the National Health Service in the UK in 2017. (I was told by a person familiar with the matter that Microsoft had little choice in the matter, despite its desire to never update XP again.)

If you are running Windows XP for some reason, you can get the patch for this newest flaw from the Microsoft Support website.

Tagged with Windows XP