Microsoft on Wednesday resurrected Windows XP and Windows Server 2003 long enough to push patches to the long-dead products. It was the first time since 2017 that Microsoft deemed the situation serious enough to warrant a security fix for XP.

Windows XP fell off the public support list in April 2014, while Windows Server 2003 was removed in July 2015.

"If you are on an out-of-support version, the best way to address this vulnerability is to upgrade to the latest version of Windows," Simon Pope, director of incident response at the Microsoft Security Response Center, asserted in a post to a company blog. "Even so, we are making fixes available for these out-of-support versions of Windows."

Although Pope said the bug has yet to be publicly exploited, he made it sound like that was just a matter of time. "[The vulnerability] requires no user interaction. In other words, the vulnerability is 'wormable,' meaning that any future malware that exploits this vulnerability could propagate from vulnerable computer to vulnerable computer in a similar way as the WannaCry malware spread across the globe in 2017," he wrote.

In fact, some IT administrators reported that a Windows Server-powered "honeypot" - a system purposefully designed to attract malicious attention - has been undergoing constant attacks from locations in Asia and elsewhere.

Pope's reference to WannaCry is notable because the last time Microsoft patched Windows XP was in May and June 2017, when it tried to stop the spread of the virulent ransomware. In that case, Microsoft supplied patches to Windows XP, Windows 8 and Windows Server 2003, all of which had already been retired.

The bug patched for Windows XP and Server 2003 is one of four disclosed Tuesday by a small host of security researchers. All resemble the Spectre and Meltdown flaws of early 2018 in that they were found within the firmware of microprocessors from Intel. In most cases, software updates - like those generated by Microsoft - will need to be combined with firmware updates from Intel and/or computer makers, called OEMs for "original equipment manufacturers."

Intel has issued firmware updates, as well as a security advisory of its own that addresses what it called "Microarchitectural Data Sampling," or MDS vulnerabilities. Other names applied to the vulnerabilities range from the comic-book apocalyptic "Zombieload" to the more mundane "RIDL" and "Fallout."

Computerworld