
I think it’s fair to say that we don’t know much at all about the "wormable" RDS vulnerability or the fix. Win XP and Win7 are patched, but what happened to Vista? Did Microsoft forget to patch it, is it being swept under the rug - or is it immune? An anonymous poster on AskWoody says that it has to be affected because Server 2008 is affected - certainly logical - but it’s an open question if the Server 2008 patch will work on Vista. (Thx.)

There’s a detailed analysis about what little we know from Dan Goodin at Ars Technica. Most of the reports online rehash the same story, but it’s worth noting that Microsoft credits discovery of the vulnerability to the National Cyber Security Center, which is the “public-facing arm of the UK’s spy agency, GCHQ.” Shades of WannaCry, which originated with the NSA.

The problem, as always, doesn’t lie with the good intentions of the patchers. The devil lies in the implementation details. As of this moment, it looks like the patches aren’t causing more problems than they fix. That’s particularly remarkable because in the case of the Win7 cluster patches, they include a fix for a completely different security hole, the so-called “Microarchitectural Data Sampling (MDS)” vulnerability, which has much in common with Meltdown and Spectre. You may recall that patching Meltdown and Spectre has provided much wailing and gnashing of teeth for thousands of would-be patchers, yet there’s never been an infection spotted in the wild. (Catalin Cimpanu has the details on ZDNet with a good short synopsis by on AskWoody.) With Microsoft’s patch-bundling propensities, you can’t fix one without dragging in the other. For the Windows 7 and Windows Server patches, you can’t fix the immediate problem - this wormable RDS security hole - without also installing a fix for a problem that won’t appear any time soon and, indeed, may not even exist in the real world (see Andy Greenberg’s article in Wired).

You can read about the nature of the security hole in the original announcement from Simon Pope, the Microsoft Security Response Center director of incident response.
