Microsoft has just fixed a remote code execution vulnerability in Windows XP with a major update, over five years after mainstream support ceased. However, Windows Update does not install it automatically. You must manually download and install it from the Microsoft website.
As stated by the Microsoft Security Response Center, this patch resolves a "wormable" vulnerability in the Remote Desktop service on Windows XP, Windows Server 2003, Windows 7, and Windows Server 2008:
The Remote Desktop Protocol (RDP) itself is not vulnerable. This vulnerability is pre-authentication and does not require user interaction. In other words, the vulnerability is wormable. This means that any future malware that exploits this vulnerability can spread from vulnerable computer to vulnerable computer in a similar way to the WannaCry malware, which spread throughout the world in 2017.
Microsoft has taken the unexpected step of releasing an important security patch for Windows XP (and Windows Server 2003) more than five years after it discontinued mainstream support. That is how big this bug is.
However, there is a big problem: Windows Update does not automatically install it on Windows XP. Microsoft's bulletin for CVE-2019-0708 states:
These updates are only available in the Microsoft Update Catalog. We recommend that customers running any of these operating systems download and install the update as soon as possible.
These patches are named KB4500331 and are available on the Microsoft Update Catalog Web site. If you are still using Windows XP or Windows Server 2003, you should immediately download and install these patches.
This bug does not affect Windows 10 or Windows 8 systems. Windows 7 and Windows Server 2008 systems receive a patch through Windows Update. You only need to manually install these patches if you are running an unsupported version of Windows. If so, Microsoft recommends upgrading to a supported version of Windows.