Microsoft has fixed a remote code execution hole in Windows XP with a critical update five years after the departure consumer support. However, Windows Update will not install it automatically. You will need to manually download and install it from the Microsoft website.
As Microsoft Security Response Center This hotfix corrects a worm-related vulnerability in the Remote Desktop Service of Windows XP, Windows Server 2003, Windows 7, and Windows Server 2008:
The Remote Desktop Protocol (RDP) itself is not vulnerable. This vulnerability is a pre-authentication and does not require any interaction from the user. In other words, the vulnerability is "wormable", which means that any future malicious program that exploits it could spread from a vulnerable computer to a vulnerable computer in the same way as the WannaCry malware spread around the world. 2017.
Microsoft has made the unexpected decision to release a critical security patch for Windows XP (and Windows Server 2003) more than five years after Microsoft has completed support. That's how big this bug is.
However, there is a big problem: Windows Update will not install it automatically on Windows XP. Like Microsoft CVE-2019-0708 bulletin explains:
These updates are available from the Microsoft Update catalog only. We recommend that customers running one of these operating systems download and install the update as soon as possible.
These patches are named KB4500331 and available on the Microsoft Update Catalog Web site. If you are still using Windows XP or Windows Server 2003, you must download and install these patches now.
This bug does not affect Windows 10 and Windows 8 systems. Windows 7 and Windows Server 2008 systems will receive a patch through Windows Update. You only need to install these patches manually if you are using an unsupported version of Windows. If this is the case, Microsoft recommends that you upgrade to a supported version of Windows.