Microsoft just patched a remote code execution hole in Windows XP with a critical update—over five years after it left mainstream support.

However, Windows Update won’t automatically install it. You’ll have to manually download and install it from Microsoft’s website.

As Microsoft’s Security Response Center explains, this patch fixes a “wormable” vulnerability in Remote Desktop Services in Windows XP, Windows Server 2003, Windows 7, and Windows Server 2008:

“The Remote Desktop Protocol (RDP) itself is not vulnerable. This vulnerability is pre-authentication and requires no user interaction. In other words, the vulnerability is ‘wormable’, meaning that any future malware that exploits this vulnerability could propagate from vulnerable computer to vulnerable computer in a similar way as the WannaCry malware spread across the globe in 2017.”

Microsoft took the unexpected step of issuing a critical security patch for Windows XP (and Windows Server 2003) more than five years after Microsoft ended mainstream support. That’s how huge this bug is.

However, there’s a big problem: Windows Update won’t automatically install it on Windows XP. As Microsoft’s CVE-2019-0708 bulletin explains:

“These updates are available from the Microsoft Update Catalog only. We recommend that customers running one of these operating systems download and install the update as soon as possible.”

These patches are named KB4500331 and are available on Microsoft’s Update Catalog website. If you’re still using Windows XP or Windows Server 2003, you should download and install these patches right now.

This bug doesn’t affect Windows 10 and Windows 8 systems. Windows 7 and Windows Server 2008 systems will receive a patch via Windows Update. You’ll only need to manually install these patches if you’re running an out-of-support version of Windows. If you are, Microsoft recommends you upgrade to a supported version of Windows.