Microsoft releases unexpected patch for Windows 7, Windows XP and Windows 2003 to fix 'wormable' flaw

Surprise patch for Windows XP among 16 Microsoft updates to address 79 CVE-listed vulnerabilities in latest Patch Tuesday

Microsoft has issued a surprise patch for Windows XP, Windows 7 and Windows Server 2003 to address a security flaw that could be exploited to create a WannaCry-like worm.

The vulnerability, CVE-2019-0708, lies within Remote Desktop Services (formerly Terminal Services), the company said. Attackers can exploit it by sending a specially crafted request to the target system's Remote Desktop Service via the Remote Desktop Protocol (RDP).


The flaw is pre-authentication and requires no user interaction. It is wormable, meaning that malware exploiting it could spread from one vulnerable system to another without any user interaction.

No exploitation of the vulnerability has been observed so far, Microsoft said, although attackers are likely to develop an exploit for it and incorporate it into their malware in the near future.

The flaw doesn't affect Microsoft's more recent operating systems, such as Windows 8, Windows 8.1, Windows 10, Windows Server 2012, Windows Server 2012 R2, Windows Server 2016, or Windows Server 2019.

But it does affect Windows XP, Windows 7, Windows Server 2003, Windows Server 2008 and Windows Server 2008 R2. While support for Windows XP has been discontinued, including the cessation of security patches, the company has taken the unusual step of issuing a patch to prevent it from becoming an attack vector and, thereby, embarrassing the company. Likewise, Microsoft ended extended support for Windows Server 2003 in 2015.

The new patch from Microsoft changes how Remote Desktop Services handle connection requests.

In addition to the patch for the wormable flaw, Microsoft also released 16 software updates to address 78 other CVE-listed vulnerabilities in its products, including its various Windows operating systems, Microsoft Office, the Internet Explorer and Edge web browsers, the .NET Framework, ChakraCore, ASP.NET, and Azure DevOps Server.

Of all those vulnerabilities, 18 are rated as 'critical' in severity.

Critical flaws are those that can be exploited remotely by malicious programmes to steal sensitive data from vulnerable systems.

Among the patches is a fix for a zero-day vulnerability in the Windows Error Reporting Service. Tracked as CVE-2019-0863, this flaw has already been exploited by malicious actors in targeted attacks.
