Microsoft on Wednesday resurrected Windows XP and Windows Server 2003 long enough to push patches to the long-dead products. It was the first time since 2017 that Microsoft deemed the situation serious enough to warrant a security fix for XP.
Windows XP fell off the public support list in April 2014, while Windows Server 2003 was removed in July 2015.
“If you are on an out-of-support version, the best way to address this vulnerability is to upgrade to the latest version of Windows,” Simon Pope, director of incident response at the Microsoft Security Response Center, asserted in a post to a company blog. “Even so, we are making fixes available for these out-of-support versions of Windows.”
Although Pope said the bug has yet to be publicly exploited, he made it sound like that was just a matter of time. “[The vulnerability] requires no user interaction. In other words, the vulnerability is ‘wormable,’ meaning that any future malware that exploits this vulnerability could propagate from vulnerable computer to vulnerable computer in a similar way as the WannaCry malware spread across the globe in 2017,” he wrote.
In fact, some IT administrators reported that a Windows Server-powered “honeypot” – a system purposefully designed to attract malicious attention – has been undergoing constant attacks from locations in Asia and elsewhere.
Pope’s reference to WannaCry is notable because the last time Microsoft patched Windows XP was in May and June 2017, when it tried to stop the spread of the virulent ransomware. In that case, Microsoft supplied patches to Windows XP, Windows 8 and Windows Server 2003, all of which had already been retired.
The bug patched for Windows XP and Server 2003 is one of four disclosed Tuesday by a small host of security researchers. All resemble the Spectre and Meltdown flaws of early 2018 in that they were found within the firmware of microprocessors from Intel. In most cases, software updates – like those generated by Microsoft – will need to be combined with firmware updates from Intel and/or computer makers, called OEMs for “original equipment manufacturers.”
Intel has issued firmware updates, as well as a security advisory of its own that addresses what it called “Microarchitectural Data Sampling,” or MDS vulnerabilities. Other names applied to the vulnerabilities range from the comic book apocalyptic “Zombieload” to more mundane “RIDL” and “Fallout.”
According to analytics vendor Net Applications, Windows XP accounted for 2.8% of all Windows PC browser activity in April, a number that represented approximately 42 million systems worldwide. (Net Applications does not track server systems.)
Windows Vista, XP’s successor – it launched in 2006, five years after XP – was not patched, perhaps because its April user share was a puny two-tenths of one percentage point, or about one-thirteenth that of XP’s. The estimated 3.2 million PCs still running Vista are on their own; users were told to contact Microsoft support for assistance.
Fixes for other editions – Windows 7, Server 2008 R2 – were offered through the usual automated update channels, including Windows Update and WSUS (Windows Server Update Services). But those for the outdated Windows XP and Server 2003 were not. Instead, users had to manually download the outdated-product updates from the Microsoft Update Catalog.
Windows 8 and later – including Windows 10 and several Server editions – are not affected by the vulnerabilities.
This week’s policy departure bodes well for users of Windows 7, the edition slated to slip off support on Jan. 14, 2020, but which is expected to remain in use by millions for years after that deadline.
Microsoft effectively extended the boundaries of post-retirement patching yet again, from the previous record of three years to today’s five years. If a critical vulnerability that threatens a large part of the Windows ecosystem appears in, say, early 2025, that era’s Windows 7 users should expect Microsoft to patch it on their creaky PCs. If the Redmond, Wash. developer declined, those users would have good reason to not only complain but ask “why not?” as they cite this XP case as precedent.