Microsoft: Patch old Windows systems or risk computer worm

A serious flaw can be exploited to create malware capable of spreading from one vulnerable machine to another.
By Michael Kan for PCMag
Credit: Drew Angerer/Getty Images

Microsoft is trying to prevent the outbreak of a computer worm by urging those running older Windows systems to patch their machines.

Redmond has discovered a serious flaw in Windows 7, Windows XP, and Windows Server 2003 and 2008 systems, which can be exploited to create malware capable of automatically spreading from one vulnerable machine to another.

"While we have observed no exploitation of this vulnerability, it is highly likely that malicious actors will write an exploit for this vulnerability and incorporate it into their malware," Microsoft said.

The vulnerability deals with the Remote Desktop Services function in Windows, which can allow a user to take control of the machine over a network. Enterprises often choose to activate the feature on PCs and servers as a way to control them remotely.

Normally, the access requires a correct username and password. However, Microsoft discovered that an "unauthenticated attacker" can install malware on a Windows machine through the Remote Desktop Services function by sending specially crafted data packets.

"An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights," Microsoft said in its vulnerability advisory.

The bug also requires no interaction from the owner of the affected Windows machine. So theoretically, an attacker could scan the internet to find additional machines to target. An estimated 3 million Remote Desktop Protocol endpoints are currently exposed to the internet, according to security researcher Kevin Beaumont, who cites data from device search engine Shodan.

Fortunately, Windows 10 and Windows 8 are immune to the threat. The attack also won't work on machines with Remote Desktop Services disabled, according to Microsoft. So the problem is probably less of a threat to consumers than to corporations, which tend to manage large fleets of older Windows machines.

However, the newly discovered vulnerability is so serious that Microsoft is warning it could pave the way for another attack similar to WannaCry, which took over hundreds of thousands of Windows PCs across the world in 2017. As a result, the company has issued patches for Windows Server 2003 and XP, which it no longer supports.

Microsoft is also applying the patches to Windows 7 and Windows Server 2008 systems that have automatic updates switched on.
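The article's practical advice comes down to three checks on each older host: is it in the affected Windows family, is Remote Desktop Services switched on, and are automatic updates enabled so the fix arrives. The following read-only PowerShell script is an added example, not code from the article, from PCMag or from Microsoft. It assumes it is run locally with administrative rights on a Windows 7 or Server 2008 host (PowerShell 2.0 or later, hence `Get-WmiObject` rather than the newer CIM cmdlets); the registry paths and value meanings are standard Windows settings, the version-to-product mapping is general Windows knowledge, and the KB identifier of the fix, which the article does not give, is left as a labelled placeholder.

```powershell
# Added example (not from the article or from Microsoft): read-only exposure check
# for the Remote Desktop Services flaw described above. Run as an administrator.

$FixKb = 'KBxxxxxxx'   # PLACEHOLDER: replace with the KB id from Microsoft's advisory

function Get-OsExposure {
    # Major.minor of Win32_OperatingSystem.Version: 5.1 = XP, 5.2 = Server 2003,
    # 6.0 = Vista/Server 2008, 6.1 = Windows 7/Server 2008 R2, 6.2/6.3 = Windows 8.x,
    # 10.0 = Windows 10. The article lists XP, Server 2003/2008 and Windows 7 as
    # affected and Windows 8/10 as immune, so 5.x and 6.0/6.1 are flagged here.
    $os  = Get-WmiObject -Class Win32_OperatingSystem
    $ver = [Version]$os.Version
    $affected = ($ver.Major -eq 5) -or (($ver.Major -eq 6) -and ($ver.Minor -le 1))
    New-Object PSObject -Property @{
        Caption  = $os.Caption
        Version  = $os.Version
        Affected = $affected
    }
}

function Get-RdpState {
    # fDenyTSConnections = 1 means Remote Desktop is disabled; per Microsoft that
    # alone closes the attack path. TermService is the Remote Desktop Services service.
    $ts  = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $svc = Get-Service -Name TermService -ErrorAction SilentlyContinue
    New-Object PSObject -Property @{
        RdpEnabled    = ($ts.fDenyTSConnections -eq 0)
        ServiceStatus = $(if ($svc) { [string]$svc.Status } else { 'NotInstalled' })
    }
}

function Get-AutoUpdateState {
    # AUOptions: 1 = disabled, 2 = notify before download, 3 = download then notify,
    # 4 = download and install automatically. A Group Policy value under Policies\
    # overrides the per-machine value, and NoAutoUpdate = 1 turns updates off entirely.
    $au  = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update' -ErrorAction SilentlyContinue
    $pol = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU' -ErrorAction SilentlyContinue
    $opt = if ($pol -and $pol.AUOptions) { $pol.AUOptions } else { $au.AUOptions }
    $disabledByPolicy = ($pol -and ($pol.NoAutoUpdate -eq 1))
    New-Object PSObject -Property @{
        AUOptions         = $opt
        DisabledByPolicy  = [bool]$disabledByPolicy
        AutoInstall       = (($opt -eq 4) -and -not $disabledByPolicy)
    }
}

function Get-FixInstalled {
    # Get-HotFix lists installed updates; with the placeholder id this returns $false.
    $hf = Get-HotFix -Id $FixKb -ErrorAction SilentlyContinue
    return [bool]$hf
}

# Pull the pieces together into one verdict a fleet administrator can collect.
$os  = Get-OsExposure
$rdp = Get-RdpState
$au  = Get-AutoUpdateState
$fix = Get-FixInstalled

$exposed = $os.Affected -and $rdp.RdpEnabled -and -not $fix

"Host            : $env:COMPUTERNAME"
"OS              : $($os.Caption) ($($os.Version)), affected family: $($os.Affected)"
"Remote Desktop  : enabled=$($rdp.RdpEnabled), service=$($rdp.ServiceStatus)"
"Auto updates    : AUOptions=$($au.AUOptions), auto-install=$($au.AutoInstall), disabled by policy=$($au.DisabledByPolicy)"
"Fix $FixKb      : installed=$fix"
"EXPOSED         : $exposed"
if ($exposed) {
    "Action: install the fix, or disable Remote Desktop Services until it is applied."
}
```

Run once per machine and collect the last lines; a host reports `EXPOSED : True` only when it is in the affected family, has Remote Desktop enabled and does not yet show the fix installed, which is exactly the population the article says corporations with large fleets of older machines need to find.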

Editor's Note: This story has been updated with comment from Microsoft about how disabling the Remote Desktop Protocol will prevent the threat.
