This week, Microsoft issued patches for 79 flaws across its platforms and products. One of them merits particular attention: a bug so bad that Microsoft released a fix for it on Windows XP, an operating system it officially abandoned five years ago.
There’s maybe no better sign of a vulnerability’s severity; the last time Microsoft bothered to make a Windows XP fix publicly available was a little over two years ago, in the months before the WannaCry ransomware attack swept the globe. This week’s vulnerability has similarly devastating implications. In fact, Microsoft itself has drawn a direct parallel.
“Any future malware that exploits this vulnerability could propagate from vulnerable computer to vulnerable computer in a similar way as the WannaCry malware spread across the globe in 2017,” Simon Pope, director of incident response for the Microsoft Security Response Center, wrote in a statement announcing the patch Tuesday. “It is highly likely that malicious actors will write an exploit for this vulnerability and incorporate it into their malware.”
Microsoft is understandably withholding specifics about the bug, noting only that it hadn’t seen an attack in action yet, and that the flaw relates to Remote Desktop Services, a feature that lets administrators take control of another computer that’s on the same network.
That small parcel of information, though, still gives potential attackers plenty to go on. “Even mention that the area of interest is Remote Desktop Protocol is sufficient to uncover the vulnerability,” says Jean Taggart, senior security researcher at security firm Malwarebytes.
Expect that to happen quickly. “This will be fully automated in the next 24 to 48 hours and exploited by a worm,” says Pieter Danhieux, CEO of secure coding platform Secure Code Warrior, referring to the class of malware that can propagate across a network without any human interaction, such as clicking the wrong link or opening the wrong attachment. Like the Blob, it just spreads.
Once that worm gives hackers access to those devices, the possibilities are fairly limitless. Danhieux sees ransomware as a likely path; Taggart ticks off spam campaigns, DDoS, and data harvesting as possibilities. “Take your pick,” he adds. “Suffice to say, a lot.”
The saving grace for all of this is that computers running Windows 8 and up aren’t affected. But it’s important not to underestimate the danger that Windows XP computers can still pose. Estimates vary, but analytics company NetMarketShare says that 3.57 percent of all desktops and laptops still run Windows XP, which was first released in 2001. Conservatively, that's still tens of millions of devices on Windows XP—more than are running the most recent version of MacOS. Moreover, you can assume with some confidence that almost none of those computers are ready for what’s coming.
Yes, plenty of Windows XP users are just folks who haven’t dusted off their Dell Dimension tower since the last Bush administration. It seems unlikely that they'll ever get around to installing this latest patch, especially given that you need to seek it out, and download and install it yourself. It’s hard enough to get people to update modern systems with their incessant nagging popups; one imagines that those still on Windows XP are in no rush to visit the Microsoft Update Catalog.
More troubling, though, are the countless businesses and infrastructure concerns that still rely on Windows XP. As recently as 2016, even nuclear submarines had it on board. For the most sensitive use cases—like, say, nukes—companies and governments pay Microsoft for continued security support. But the bulk of hospitals, businesses, and industrial plants that have Windows XP in their systems don’t. And for many of those, upgrading—or even installing a patch—is more difficult than it might seem.
“Patching computers in industrial control networks is challenging because they often operate 24/7, controlling large-scale physical processes like oil refining and electricity generation,” says Phil Neray, vice president of industrial cybersecurity at CyberX, an IoT and ICS-focused security firm. Recent CyberX research indicates that more than half of industrial sites run unsupported Windows machines, making them potentially vulnerable. There’s not much opportunity to test the impact of a patch on those types of systems, much less to interrupt operations to install them.
That applies to health care systems, too, where the process of updating critical software could interrupt patient care. Other businesses run specialized software that’s incompatible with more recent Windows releases; practically speaking, they’re trapped on XP. And while the best way to protect yourself from this latest vulnerability—and the countless others that now plague unsupported operating systems—is to upgrade to the latest version of Windows, cash-strapped businesses tend to prioritize other needs.
With any luck, Microsoft’s extraordinary step of pushing a patch will spur many of them to action. It’s hard to imagine a louder siren. “When you’re dealing with patching, it’s a balancing act between the costs of patching and the costs of leaving it alone, or just asking users to upgrade,” says Richard Ford, chief scientist at cybersecurity firm Forcepoint. “They would have a grasp of both the security risk—and the reputational risk—of not going after this vulnerability aggressively. Put those all together, and when the stars align it makes a lot of sense to provide the patch, quickly, safely, and even for operating systems that are out of support.”
The coming weeks and months should show, though, just how wide a gap exists between providing a patch and getting people to install it. An attack on Windows XP is at this point inevitable. And the fallout might be worse than you’d have guessed.