This week, Microsoft issued patches for 79 flaws across its platforms and products. One of them merits particular attention: a bug so bad that Microsoft released a fix for it on Windows XP, an operating system it officially abandoned five years ago.
There is perhaps no better sign of a vulnerability’s severity: the last time Microsoft bothered to make a Windows XP fix publicly available was a little over two years ago, in the months before the WannaCry ransomware attack swept the globe. This week’s vulnerability has similarly devastating implications. In fact, Microsoft itself has drawn a direct parallel.
“Any future malware that exploits this vulnerability could propagate from vulnerable computer to vulnerable computer in a similar way as the WannaCry malware spread across the globe in 2017,” Simon Pope, director of incident response for the Microsoft Security Response Center, wrote in a statement announcing the patch Tuesday. “It is highly likely that malicious actors will write an exploit for this vulnerability and incorporate it into their malware.”
Microsoft is understandably withholding specifics about the bug, noting only that it hadn’t seen an attack in action yet, and that the flaw relates to Remote Desktop Services, a feature that lets administrators take control of another computer that’s on the same network.
That small parcel of information, though, still gives potential attackers plenty to go on. “Even mentioning that the area of interest is the Remote Desktop Protocol is sufficient to uncover the vulnerability,” says Jean Taggart, senior security researcher at security firm Malwarebytes.