This week, Microsoft issued patches for 79 flaws across its platforms and products. One of them merits particular attention: a bug so bad that Microsoft released a fix to stop it for Windows XP, an operating system it officially abandoned five years ago.
Thereâ€™s maybe no better sign of a vulnerabilityâ€™s severity; the last time Microsoft bothered to make a Windows XP fix publicly available was a little over two years ago, in the months before the WannaCry ransomware attack swept the globe. This weekâ€™s vulnerability has similarly devastating implications. In fact, Microsoft itself has drawn a direct parallel.
â€œAny future malware that exploits this vulnerability could propagate from vulnerable computer to vulnerable computer in a similar way as the WannaCry malware spread across the globe in 2017,â€� Simon Pope, director of incident response for the Microsoft Security Response Center, wrote in a statement announcing the patch Tuesday. â€œIt is highly likely that malicious actors will write an exploit for this vulnerability and incorporate it into their malware.â€�
Microsoft is understandably withholding specifics about the bug, noting only that it hadnâ€™t seen an attack in action yet, and that the flaw relates to Remote Desktop Services, a feature that lets administrators take control of another computer thatâ€™s on the same network.
That small parcel of information, though, still gives potential attackers plenty enough to go on. â€œEven mention that the area of interest is Remote Desktop Protocol is sufficient to uncover the vulnerability,â€� says Jean Taggart, senior security researcher at security firm Malwarebytes.
Expect that to happen quickly. â€œThis will be fully automated in the next 24 to 48 hours and exploited by a worm,â€� says Pieter Danhieux, CEO of secure coding platform Secure Code Warrior, referring to the class of malware that can propagate across a network without any human interaction, such as clicking the wrong link or opening the wrong attachment. Like The Blob, it just spreads.
Once that worm gives hackers access to those devices, the possibilities are fairly limitless. Danhieux sees ransomware as a likely path; Taggart ticks off spam campaigns, DDOS, and data harvesting as possibilities. â€œTake your pick,â€� he adds. â€œSuffice to say, a lot.â€�
The saving grace to all of this is that computers running Windows 8 on up arenâ€™t affected. But itâ€™s important not to underestimate the danger that Windows XP computers can still pose. Estimates vary, but analytics company Net Marketshare says that 3.57 percent of all desktops and laptops still run Windows XP, which was first released in 2001. Conservatively, that’s still tens of millions of devices on Windows XPâ€”more than are running on the most recent version of MacOS. Moreover, you can assume with some confidence that almost none of those computers are ready for whatâ€™s coming.
Yes, plenty of Windows XP users are just folks who havenâ€™t dusted off their Dell Dimension tower since the last Bush administration. It seems unlikely that they’ll ever get around to installing this latest patch, especially given that you need to seek it out, and download and install it yourself. Itâ€™s hard enough to get people to update modern systems with their incessant nagging popups; one imagines that those still on Windows XP are in no rush to visit the Microsoft Update Catalog.
More troubling, though, are the countless businesses and infrastructure concerns that rely still on Windows XP. As recently as 2016, even nuclear submarines had it on board. For the most sensitive use casesâ€”like, say, nukesâ€”companies and governments pay Microsoft for continued security support. But the bulk of hospitals, businesses, and industrial plants that have Windows XP in their systems donâ€™t. And for many of those, upgradingâ€”or even installing a patchâ€”is more difficult than it might seem.
â€œPatching computers in industrial control networks is challenging because they often operate 24/7 controlling large-scale physical processes like oil refining and electricity generation,â€� says Phil Neray, vice president of industrial cybersecurity at CyberX, an IoT and ICS-focused security firm. Recent CyberX research indicates that more than half of industrial sites run unsupported Windows machines, making them potentially vulnerable. Thereâ€™s not much opportunity to test the impact of a patch on those types of systems, much less to interrupt operations to install them.
That applies to health care systems, too, where the process of updating critical software could interrupt patient care. Other businesses run specialized software thatâ€™s incompatible with more recent Windows releases; practically speaking, theyâ€™re trapped on XP. And while the best way to protect yourself from this latest vulnerabilityâ€”and the countless others that at this point plague unsupported operating systemsâ€”is to upgrade to the latest version of Windows, cash-strapped businesses tend to prioritize other needs.
With any luck, Microsoftâ€™s extraordinary step of pushing a patch will spur many of them to action. Itâ€™s hard to imagine a louder siren. â€œWhen youâ€™re dealing with patching, itâ€™s a balancing act between the costs of patching and the costs of leaving it alone, or just asking users to upgrade,â€� says Richard Ford, chief scientist at cybersecurity firm Forcepoint. â€œThey would have a grasp of both the security riskâ€”and the reputational riskâ€”of not going after this vulnerability aggressively. Put those all together, and when the stars align it makes a lot of sense to provide the patch, quickly, safely, and even for operating systems that are out of support.â€�
The coming weeks and months should show, though, just how wide a gap exists between providing a patch and getting people to install it. An attack on Windows XP is at this point inevitable. And the fallout might be worse than youâ€™d have guessed.
More Great WIRED Stories