A critical flaw has been discovered in Windows 7 and older versions, Microsoft warned on Tuesday, urging customers to install a patch as soon as possible to avoid an incident similar to the WannaCry ransomware attack, which infected computers around the world.
The vulnerability in Remote Desktop Services is pre-authentication and requires no user interaction, which means that any malware using this flaw could propagate from computer to computer like the WannaCry ransomware attack in 2017.
“It is important that affected systems are patched as quickly as possible to prevent such a scenario from happening,” said Simon Pope, director of incident response at Microsoft. “In response, we are taking the unusual step of providing a security update for all customers to protect Windows platforms, including some out-of-support versions of Windows.”
The flaw, which Microsoft described as “critical,” enables an attacker to execute arbitrary code on the target system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
If you have Windows 7, Windows Server 2008 R2, or Windows Server 2008, download the update from the Microsoft website or use Windows Update. If you have Windows XP or Windows Server 2003, download the patch from the Microsoft website.
There is currently no indication that the flaw is already being exploited, but Microsoft said it is “highly likely” that malicious actors will soon write an exploit to incorporate it into malware. Systems running Windows 8 and Windows 10 are not affected.
Computers which use Network Level Authentication (NLA) are partially protected, Microsoft said, but an attacker with valid credentials could still exploit the vulnerability. “It is for these reasons that we strongly advise that all affected systems – irrespective of whether NLA is enabled or not – should be updated as soon as possible,” Pope said.
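One practical check a defender can run on the affected hosts is whether RDP is enabled and whether NLA is required before a session is set up. The PowerShell script below is an added example, not code from the article or from Microsoft; it reads the standard Terminal Services registry values (fDenyTSConnections, UserAuthentication, SecurityLayer) and is written to work on the PowerShell 2.0 that ships with Windows 7, so it avoids newer syntax. The warning text is the author's own wording.

```powershell
# Added example (not from the article): report whether this host exposes RDP
# and whether Network Level Authentication is required for new sessions.
$tsRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpTcp = Join-Path $tsRoot 'WinStations\RDP-Tcp'

# fDenyTSConnections = 0 means Remote Desktop connections are allowed.
$deny = (Get-ItemProperty -Path $tsRoot -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
# UserAuthentication = 1 means NLA is required before the session is negotiated.
$nla  = (Get-ItemProperty -Path $rdpTcp -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication
# SecurityLayer: 0 = RDP security layer, 1 = negotiate, 2 = TLS.
$secl = (Get-ItemProperty -Path $rdpTcp -Name SecurityLayer -ErrorAction SilentlyContinue).SecurityLayer

$rdpEnabled  = ($deny -eq 0)
$nlaRequired = ($nla -eq 1)

# New-Object is used instead of [pscustomobject] so the script runs on PowerShell 2.0.
$report = New-Object PSObject -Property @{
    ComputerName  = $env:COMPUTERNAME
    OSVersion     = [Environment]::OSVersion.Version.ToString()
    RdpEnabled    = $rdpEnabled
    NlaRequired   = $nlaRequired
    SecurityLayer = $secl
}
$report | Format-List

if ($rdpEnabled -and -not $nlaRequired) {
    Write-Warning 'RDP is enabled without NLA: unauthenticated clients reach Remote Desktop Services directly. Install the update and require NLA.'
    # To require NLA for new connections, uncomment the next line (run elevated).
    # Set-ItemProperty -Path $rdpTcp -Name UserAuthentication -Value 1
}
```

Run it elevated on each Windows 7 / Server 2008 host, or push it through your existing inventory tooling, and treat a host with RdpEnabled true and NlaRequired false as the highest patch priority. As the article notes, enabling NLA only narrows the exposure to attackers who already hold valid credentials; installing the update is still required on every affected system.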
About 34 percent of Windows desktop computers are running Windows 7, which was released in 2009, according to StatCounter. Only 1.6 percent of desktop computers are still using Windows XP, but some other systems – including many ATMs – still rely on it. The WannaCry attack also revealed that parts of the UK’s National Health Service are still using Windows XP.