Microsoft just patched a remote code execution hole in Windows XP with a critical update---over five years after it left mainstream support. However, Windows Update won't automatically install it. You'll have to manually download and install it from Microsoft's website.

As Microsoft's Security Response Center explains, this patch fixes a "wormable" vulnerability in Remote Desktop Service in Windows XP, Windows Server 2003, Windows 7, and Windows Server 2008:

The Remote Desktop Protocol (RDP) itself is not vulnerable. This vulnerability is pre-authentication and requires no user interaction. In other words, the vulnerability is ‘wormable’, meaning that any future malware that exploits this vulnerability could propagate from vulnerable computer to vulnerable computer in a similar way as the WannaCry malware spread across the globe in 2017.

Microsoft took the unexpected step of issuing a critical security patch for Windows XP (and Windows Server 2003) more than five years after Microsoft ended mainstream support. That's how huge this bug is.

However, there's a big problem: Windows Update won't automatically install it on Windows XP. As Microsoft's CVE-2019-0708 bulletin explains:

These updates are available from the Microsoft Update Catalog only. We recommend that customers running one of these operating systems download and install the update as soon as possible.

These patches are named KB4500331 and available on Microsoft's Update Catalog website. If you're still using Windows XP or Windows Server 2003, you should download and install these patches right now.

This bug doesn't affect Windows 10 and Windows 8 systems. Windows 7 and Windows Server 2008 systems will receive a patch via Windows Update. You'll only need to manually install these patches if you're running an out-of-support version of Windows. If you are, Microsoft recommends you upgrade to a supported version of Windows.