back to article Microsoft emits free remote-desktop security patches for WinXP to Server 2008 to avoid another WannaCry

It’s that time of the month again, and Microsoft has released a bumper bundle of security fixes for Patch Tuesday, including one for out-of-support operating systems Windows XP and Server 2003. Usually support for such aging operating systems costs an arm and a leg, though Redmond has released a freebie because of the serious …

  1. redpawn Silver badge

    Avoiding worse PR

    I guess someone read the coffee grounds and saw the Ghost of PR Past. Fear of bad press makes for good corporate decisions. Patch it if you can.

    1. Roland6 Silver badge

      Re: Avoiding worse PR

      Alternaitvely, given all versions of XP are now EoL, perhaps this is the XP support team either signing off or raising a flag to say they are still around and doing good work...

      1. TheVogon Silver badge

        Re: Avoiding worse PR

        "These updates are available from the Microsoft Update Catalog only. "

        So no automatic Windows Updates. About 1% of users are going to install this before it's too late...

  2. ITS Retired
    Alert

    Why would anyone trust Microsoft to properly patch XP? Their record of proper, working patches the last few years is atrocious. Then there is their Windows 10 forced "upgrade".

    I still have one XP machine and never had a reason to have Remote Desktop active.

    1. Anonymous Coward
      Anonymous Coward

      But how else are the TLA going to retrofit a backdoor into your ageing system?

    2. Roland6 Silver badge

      >Why would anyone trust Microsoft to properly patch XP?

      Suspect the XP support team is full of people who cut their teeth on and got burnt and thus made XP what it became. In comparison the 8 & 10 teams are just a bunch of wet behind the ears wannabes.

  3. david 12 Bronze badge

    XP What? Where?

    Last update listed for XP in the Microsoft Update Catalog is dated 2014. Security advisory ADV990001 doesn't list any patches for 2003 or XP.

    1. Sandtitz Silver badge
      Holmes

      Re: XP What? Where?

      I followed the Reg link to MS advisory and there it is, KB4500331.

      1. Anonymous Coward
        Anonymous Coward

        Re: XP What? Where?

        I've unfortunately got a couple of XP boxes kicking about (attached to very expensive machine tools that can't be economically replaced) and for whatever reason, this patch is not showing up in WSUS for me. Looks like it'll be a manual process.

        1. Anonymous Coward
          Anonymous Coward

          Re: XP What? Where?

          Ignore that; WSUS is looking to install updates only to XP SP3 and it turns out that the lazy f**kers who've worked here over the last 11 years haven't even bothered installing that. Ah well, at least it downloads a lot quicker these days...

          1. Anonymous Coward
            Anonymous Coward

            Re: XP What? Where?

            Yay; installing XP SP3 has completely knackered the PC's ability to support a USB keyboard or mouse. It now fails to boot to Windows (not even safe mode!) with either in place or reboots spontaneously if in XP and either is plugged in. Luckily this is a copy of the production one but FFS, it's really making my day. Thankfully I still have a PS2 keyboard in the cupboard (unused, box-fresh, Microsoft branded and in beige; hello 1998!) and can boot into it but what a PITA. Looks like the production version is getting the Terminal Services service disabled and SP3 ignored. Apologies to my forebears for being so rude about them. Try explaining to manufacturing why you're risking their infrastructure for a security update :-(

            1. bluesxman
              Trollface

              Re: XP What? Where?

              It now fails to boot to Windows (not even safe mode!)

              So what I'm getting from this is that it can now be considered secure. So problem solved then, right?

            2. Boris the Cockroach Silver badge
              Windows

              Re: XP What? Where?

              I'd be very leery of installing SP3 on a working machine tool coupled to a Win XP box.

              All the windows powered machine tools we use have a warning on the manual saying

              "Do not upgrade or install updates as your machine will not be covered by our warrenty/insurance." *

              Plus we keep them on the machining network thats air gapped to the internet... so hopefully nowt nasty can get through

              * Luckily , those last 2 win machines are going soon and will be replaced with spiffy linux powered ones to match the 14 we already have

            3. CountCadaver

              Re: XP What? Where?

              I'm guessing that when Microsoft tightened up the security procedures in XP via SP3 that it broke something that worked insecurely....I do vaguely recall a scramble by various vendors to patch various stuff at the time....though my memory might be deviating?

              Might just need the motherboard BIOS patched? (I recall a machine that had similar issues, a patch from the motherboard vendor resolved the issue)

              Albeit the machinetool software likely isn't SP3 compliant for similar "creative programming" reasons

            4. Roland6 Silver badge

              Re: XP What? Where?

              >It now fails to boot to Windows (not even safe mode!)

              You did take a full disk image (eg. clonezilla) efore you started.

              Suspect if only running SP2 then BIOS, chipset drivers and OS drivers needed updating before you attempted the update. Plus probably worth ensuring the system has 4GB of RAM.

          2. Fury556

            Re: XP What? Where?

            I think you found out why it didn't have SP3 installed!

        2. phuzz Silver badge

          Re: XP What? Where?

          If you still have XP machines that you can't get rid of, ideally you should just keep them off the network. Failing that, lock them down behind the tightest possible firewall (and I mean a separate firewall, don't rely on the XP one), only allowing traffic on the bare minimum of ports. Perhaps investigate if they can live on their own separate network, only connected to a second NIC on a more secure computer which is in turn connected to the wider network.

          1. Anonymous Coward
            Anonymous Coward

            Re: XP What? Where?

            Indeed, but when the manufacturer has to dial in at a time when no IT is likely to be around to fix or reconfigure their piece of kit and they insist on using a hokey copy of TeamViewer...

            1. It's just me

              Re: XP What? Where?

              I believe the TeamViewer host maintains an outgoing connection to the TeamViewer servers to facilitate connections from behind a NAT router. So, unless there are additional considerations, you should be able to use a strict firewall that denies all connections coming from the internet and just allow connections initiated by the XP machine.

  4. J J Carter Silver badge
    Windows

    All good here

    Just added a few seconds to reboot time to apply the update. Well done MSFT!

    1. Dan 55 Silver badge

      Re: All good here

      Nobody really pro-MS would be extolling the virtues of having to reboot after an update in 2019, they'd just keep a dignified silence.

      1. Doctor Syntax Silver badge

        Re: All good here

        Some of them just don't know any better.

      2. Anonymous Coward
        Anonymous Coward

        Re: All good here

        Feel free to check your /var/run/reboot-required file, sometimes... you may found your system is not safe until you reboot...

    2. Maventi

      Re: All good here

      Does it still reboot twice to apply an update?

  5. chivo243 Silver badge

    3 countem' only 3

    Still have an XP install with some reporting software that's used only once a year (will they ever update that software?) And 2 2008r2 installs left, one runs VCenter which is on the chopping block next month!

    1. J. Cook Silver badge

      Re: 3 countem' only 3

      I *highly* recommend the Appliance iteration of vCenter, especially 6.5 and newer- as long as you have a functional DNS running in your network, it's easy enough to set up, and it has Update Manager baked into it, so you don't have to deploy a half-dozen machines to have a functional environment.

  6. arctic_haze Silver badge

    Applying manually the May Windows 7 "Security only" update

    This seemed so serious I used the "may security only" may patch on my Windows 7. The fist in several months as I stopped at one of the previous patching debacles.

    Before that I changed the registry settings not to get the new Intel patches (I do not deem them worth the expected hit on CPU speed). I also applied the "pciclearstalechache" file provided as a download next to the actual May patch. It is necessary if someone (wisely) skipped March and April.

    1. robidy

      Re: Applying manually the May Windows 7 "Security only" update

      Make sure you apply the servicing stack update...it brings support for sha2 patch signing...which is mandatory from July 2019 to EOL in Jan 2020 for Win 7.

  7. mark l 2 Silver badge

    I noticed that the article doesn't mention Vista, is that because Vista is immune or just because even Microsoft don't want to admit they even made that OS any more?

    1. Sandtitz Silver badge
      Thumb Up

      @mark

      "I noticed that the article doesn't mention Vista, is that because Vista is immune or just because even Microsoft don't want to admit they even made that OS any more?"

      ...Vista who?

      Vista certainly isn't immune as everything from XP to 7 is vulnerable, including 2008 Server which uses the same codebase as Vista. From another website:

      'Users of Windows Vista can download the updates (Monthly Rollup or Security Online) of Windows Server 2008 from the Update Catalog and install them manually.'

      I'd just turn off the Remote Desktop in public networks if I was caught using Vista...

  8. Ken Hagan Gold badge

    I wonder how many XP boxes will get updated

    It would be interesting to know how many of the XP or Server 2003 boxes that are exposed to the internet are actually still configured for automatic updates. I suspect that those that aren't are "managed" by the sort of person who won't be manually updating them.

    1. Roland6 Silver badge

      Re: I wonder how many XP boxes will get updated

      Agree, however, all the various XP boxes I encounter I have left set to check and download updates and inform user if they want them installed. This way XP security checker is happy and doesn't show red in the status bar - hence users don't have to ignore a red warning and thus get into the habit of ignoring warnings...

  9. Anonymous South African Coward Silver badge

    Who in their right mind still have raw RDP open to the Internet, and not behind a VPN?

    1. LDS Silver badge

      Those who have no other choice.

    2. Anonymous Coward
      Anonymous Coward

      Most universities...

    3. Adam 1 Silver badge

      In the days of credential stuffing, byod, and every man and dog being allocated email irrespective of their actual role in the business, I don't think that merely having a VPN layer at the edge solves the problems. Even an internal only terminal services machine is at risk from a wormable exploit.

    4. robidy

      Can also be compromised when on a LAN a compromised device is attached to...

  10. MJI Silver badge

    Better update then.

    Got an old PC somewhere for spare use.

    Main PC (triple boot) has an XP boot I rarely use.

  11. elvisimprsntr

    I have noticed an uptick in WAN side port 3389 scanning out of Russia and China.

    You lost me at "Adobe"

  12. adam payne Silver badge

    Wannacry 2.0!?!?

  13. Anonymous Coward
    Anonymous Coward

    Enabling NLA on RDP can mitigate against this exploit. If you're not ready to patch, just ticking that box would be a quick fix until you can patch.

  14. Boohoo4u

    Not dead yet

    There are probably quite a few ATMs, POS systems, etc. that run XP still around. The Admin’s might think they’re “safe” because they’re locked down, so they don’t need to pay for updates... oops.

    + 1 to Microsoft on this one

    1. Borg.King

      Re: Not dead yet

      Lift info screens, Lift control systems, train/airport/bus shelter arrival/departure boards, scoreboards at sports ground, taxi meters, parking meters, bus info screens.

      I bet there's a lot of XP out there still.

  15. Anonymous Coward
    Anonymous Coward

    Not just XP/2003 but also W7/2008 that are affected

    Seems to be a big focus on this vulnerability for XP/2003, it is also exploitable on W7/2008

    Luckily there are still patching in place for W7/2008 so that can be easily deployed via WSUS / SCCM, it is nice of Microsoft to provide the patches for older OS as guaranteed some companies will still be using XP/2003 and RDP is usually enabled to allow remote management of the servers.

    Along with the ZombieLoad issues this month, probably one of the worst months in recent memory for security issues.

    1. Roland6 Silver badge

      Re: Not just XP/2003 but also W7/2008 that are affected

      >Seems to be a big focus on this vulnerability for XP/2003

      Thats because all versions of XP are now EoL - unless you are paying MS for extended extended support.

      Win7/2008 go end of life in January 2020, so will receive this patch via the normal security patch channel.

      But you are right, in that the NHS demonstrated that WannaCry on Win7 was a bigger issue than WannaCry on XP.

  16. adam 40

    So this was broken since 2001?

    So - assuming Win XP SP1 and the original release also have the same security hole...

    Windows has been wide open to remote exploits for, let me see, 18 years?

    I wonder how many security agencies have been using this one too.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019