A serious flaw in older Windows systems now has Microsoft worried it'll only be a matter of time before it's abused to spread a computer worm.
"Microsoft is confident that an exploit exists for this vulnerability," the company said in a Thursday blog post that urges users to patch the flaw, which can allow a hacker to take over an affected system.
Redmond issued the blog post days after security researcher Robert Graham estimated that about 950,000 Windows computers remain vulnerable to the flaw, despite the availability of Microsoft's patch.
A security update addressing CVE-2019-0708 was released on May 14 2019, but recent public reports indicate nearly one million computers are still vulnerable.
Microsoft strongly advises that all affected systems should be updated as soon as possible. https://t.co/lRaCfWgivs — Security Response (@msftsecresponse) May 31, 2019
The vulnerability, dubbed CVE-2019-0708, affects Windows 7, Windows XP, and Windows Server 2003 and 2008 systems. A bug involving the remote desktop protocol feature can let an attacker control the Windows machine over the internet—potentially without the need to supply the right password.
The lack of authentication means a piece of malware could be created to infect one unpatched Windows system, and then another, resulting in a computer worm capable of ensnaring thousands of computers over the internet. In response, Microsoft went out of its way to quickly issues patches—even for Windows systems it no longer supports—to stamp out the threat.
"It's been only two weeks since the fix was released and there has been no sign of a worm yet. This does not mean that we're out of the woods," the company said in Thursday's blog post.
To underscore the threat, Microsoft is pointing to WannaCry; the notorious malware strain exploited another serious flaw in older Windows system back in 2017, and went on to infect hundreds of thousands of computers across the world. This happened even though Microsoft had released a patch to address the flaw two months prior to the attack.
"It only takes one vulnerable computer connected to the internet to provide a potential gateway into these corporate networks, where advanced malware could spread, infecting computers across the enterprise," Microsoft said in the blog post.
Graham told PCMag he re-scanned the internet for vulnerable Windows systems, and said his 950,000 estimate still stands. Meanwhile, other security researchers at Check Point and McAfee say they've developed proof-of-concept experimental attacks that demonstrate the Microsoft flaw can, indeed, be exploited.
"We urge everyone to PATCH—it is really nasty," McAfee researcher Christiaan Beek said in his tweet.
The problem will affect older Windows systems with the Remote Desktop Services feature turned on. Download patches for the Windows 7 and Windows Server 2008 systems and Windows XP and Windows 2003.
"It is possible that we won't see this vulnerability incorporated into malware. But that's not the way to bet," Microsoft added in the blog post.