Microsoft just patched a remote code execution hole in Windows XP with a critical update—over five years after it left mainstream support. However, Windows Update won’t automatically install it. You’ll have to manually download and install it from Microsoft’s website.
As Microsoft’s Security Response Center explains, this patch fixes a “wormable” vulnerability in Remote Desktop Service in Windows XP, Windows Server 2003, Windows 7, and Windows Server 2008:
Microsoft took the unexpected step of issuing a critical security patch for Windows XP (and Windows Server 2003) more than five years after Microsoft ended mainstream support. That’s how huge this bug is.
However, there’s a big problem: Windows Update won’t automatically install it on Windows XP. As Microsoft’s CVE-2019-0708 bulletin explains:
These patches are named KB4500331 and available on Microsoft’s Update Catalog website. If you’re still using Windows XP or Windows Server 2003, you should download and install these patches right now.
This bug doesn’t affect Windows 10 and Windows 8 systems. Windows 7 and Windows Server 2008 systems will receive a patch via Windows Update. You’ll only need to manually install these patches if you’re running an out-of-support version of Windows. If you are, Microsoft recommends you upgrade to a supported version of Windows.