To Prevent Another WannaCry, Microsoft Patches Old OSs
Vulnerability in XP, Windows 7 and Server 2008 Could Be 'Wormable'
On Tuesday, Microsoft took the extraordinary step of issuing patches for Windows XP, Windows Server 2003, Windows 7 and Windows Server 2008 - older operating systems that, in theory, shouldn't still be in use. But alas, they are.
Microsoft made the move after the discovery of a remote code execution vulnerability in Remote Desktop Services, which more than a decade ago was known as Terminal Services. Remote Desktop Services lets users and administrators open an interactive session on another Windows machine over the network.
The vulnerability, CVE-2019-0708, allows an attacker to exploit Remote Desktop Services on those operating systems without any authentication and, per Microsoft, without any user interaction. Windows 8, Windows 10 and later operating systems are not affected, and the Remote Desktop Protocol itself is not vulnerable; the flaw lies in Microsoft's implementation of the service. The U.K.'s National Cyber Security Centre (NCSC) reported the flaw to Microsoft.
The fix is just one of 79 patches Microsoft issued on Tuesday. Others include one for a privilege escalation vulnerability in Windows Error Reporting (CVE-2019-0863), which Microsoft said was already being exploited, and one for a remote code execution flaw in Windows DHCP Server (CVE-2019-0725).
Essentially, the remote desktop problem is a worst-case scenario for organizations running those older Microsoft operating systems: malware that successfully exploits a single unpatched machine could rapidly spread from it to every other unpatched machine it can reach.
"In other words, the vulnerability is 'wormable', meaning that any future malware that exploits this vulnerability could propagate from vulnerable computer to vulnerable computer in a similar way as the WannaCry malware spread across the globe in 2017," writes Simon Pope, director of incident response at Microsoft's Security Response Center.
Easy to Exploit
As of Tuesday, the bug apparently wasn't being exploited in the wild, but organizations should not delay patching, writes Dustin Childs of Trend Micro's Zero Day Initiative.
"Microsoft gives this its highest Exploit Index (XI) rating, so I would not be surprised to see this included in future exploit kits," Childs writes.
The vulnerability comes in the same week as researchers found a hard-to-fix issue within a variety of Cisco routers, new flaws within Intel processors and a zero-interaction flaw in WhatsApp (see Attackers Exploit WhatsApp Flaw to Auto-Install Spyware).
Those issues, however, would be of more use to more advanced hackers, such as state-sponsored groups, and used in targeted attacks (see Cisco's 'Thrangrycat' Router Flaw Tough to Neuter).
But due to the ease of exploitation with this vulnerability, it could be taken up by nearly any miscreant to create global havoc, either for ransomware purposes or sheer destruction.
Pope writes that systems that have Network Level Authentication (NLA) enabled would be more resistant to an attempted attack, because NLA requires the client to authenticate before a remote desktop session is established, and therefore before the vulnerable code can be reached by an unauthenticated attacker.
"However, affected systems are still vulnerable to Remote Code Execution (RCE) exploitation if the attacker has valid credentials that can be used to successfully authenticate," Pope writes.
Some 3 million systems have RDP exposed to the internet, according to Shodan search results cited by Kevin Beaumont, a U.K.-based security researcher. A search on BinaryEdge, a Switzerland-based search engine for internet-connected devices, turns up far more internet-exposed systems responding on the remote desktop ports 3388 and 3389, Beaumont showed in another tweet.
"Proof of concept code exists; this is not a drill," Beaumont writes.
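The two mitigations the article mentions, NLA and not exposing RDP to the internet, can be checked from the outside without touching the vulnerability. The following is an added example, not code from the article, from Microsoft or from any scanner; it implements the first step of an RDP connection as documented in Microsoft's MS-RDPBCGR specification (TPKT framing, X.224 Connection Request and Connection Confirm, and the RDP_NEG_REQ / RDP_NEG_RSP / RDP_NEG_FAILURE blocks). It asks the server for standard RDP security only, with no NLA, and reports what the server does with that request. The function names, verdict strings and the sample response byte strings are constructed for this example; the protocol constants are from the specification. It tells you whether an unauthenticated client can get past negotiation, not whether the host is patched for CVE-2019-0708.

```python
"""Check whether an RDP listener enforces Network Level Authentication (NLA).

Added example: sends an X.224 Connection Request asking for standard RDP
security only (MS-RDPBCGR) and interprets the server's negotiation answer.
It does not test for CVE-2019-0708; it only shows whether an unauthenticated
client is allowed past protocol negotiation.
"""
import socket
import struct

# requestedProtocols / selectedProtocol values (MS-RDPBCGR 2.2.1.1.1)
PROTOCOL_RDP = 0x00000000     # standard RDP security: no authentication before the session
PROTOCOL_SSL = 0x00000001     # TLS
PROTOCOL_HYBRID = 0x00000002  # CredSSP, i.e. NLA

TYPE_RDP_NEG_RSP = 0x02
TYPE_RDP_NEG_FAILURE = 0x03

# failureCode values (MS-RDPBCGR 2.2.1.2.2)
FAILURE_CODES = {
    0x01: "SSL_REQUIRED_BY_SERVER",
    0x02: "SSL_NOT_ALLOWED_BY_SERVER",
    0x03: "SSL_CERT_NOT_ON_SERVER",
    0x04: "INCONSISTENT_FLAGS",
    0x05: "HYBRID_REQUIRED_BY_SERVER",
    0x06: "SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER",
}

# Verdict strings are this example's own, not spec terms.
VERDICT_NO_NLA = "standard RDP security accepted: NLA not enforced"
VERDICT_TLS_ONLY = "TLS required but NLA not enforced"
VERDICT_NLA = "NLA enforced"


def build_connection_request(requested_protocols=PROTOCOL_RDP):
    """TPKT header + X.224 Connection Request carrying an RDP_NEG_REQ."""
    neg_req = struct.pack("<BBHI", 0x01, 0x00, 8, requested_protocols)  # type, flags, length, protocols
    x224_body = b"\xe0\x00\x00\x00\x00\x00" + neg_req  # CR code, DST-REF, SRC-REF, class option
    x224 = struct.pack("B", len(x224_body)) + x224_body  # length indicator comes first
    return struct.pack(">BBH", 3, 0, 4 + len(x224)) + x224  # TPKT: version 3, reserved, total length


def parse_connection_confirm(data):
    """Decode the server's X.224 Connection Confirm into a small dict."""
    if len(data) < 11 or data[0] != 3:
        raise ValueError("not a TPKT-framed X.224 PDU")
    tpkt_len = struct.unpack(">H", data[2:4])[0]
    if tpkt_len != len(data):
        raise ValueError("TPKT length %d but %d bytes present" % (tpkt_len, len(data)))
    if (data[5] & 0xF0) != 0xD0:  # 0xD0 is the Connection Confirm code
        raise ValueError("expected X.224 Connection Confirm, got 0x%02x" % data[5])
    if tpkt_len == 11:
        # Pre-negotiation servers (XP / Server 2003 era) answer with a bare
        # confirm; all they can do is standard RDP security.
        return {"kind": "legacy", "selected_protocol": PROTOCOL_RDP}
    neg_type, flags, length, value = struct.unpack("<BBHI", data[11:19])
    if length != 8:
        raise ValueError("negotiation block length %d, expected 8" % length)
    if neg_type == TYPE_RDP_NEG_RSP:
        return {"kind": "response", "flags": flags, "selected_protocol": value}
    if neg_type == TYPE_RDP_NEG_FAILURE:
        return {"kind": "failure", "failure_code": FAILURE_CODES.get(value, "UNKNOWN_0x%08x" % value)}
    raise ValueError("unknown negotiation type 0x%02x" % neg_type)


def classify(confirm):
    """Verdict for a confirm that answered a PROTOCOL_RDP-only request."""
    if confirm["kind"] in ("legacy", "response"):
        if confirm["selected_protocol"] == PROTOCOL_RDP:
            return VERDICT_NO_NLA
        return "unexpected selectedProtocol 0x%x" % confirm["selected_protocol"]
    code = confirm["failure_code"]
    if code == "HYBRID_REQUIRED_BY_SERVER":
        return VERDICT_NLA
    if code == "SSL_REQUIRED_BY_SERVER":
        return VERDICT_TLS_ONLY
    return "negotiation refused: " + code


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-PDU")
        buf += chunk
    return buf


def probe(host, port=3389, timeout=5.0):
    """Run the check against a live host you are authorised to test."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_connection_request(PROTOCOL_RDP))
        header = _recv_exact(sock, 4)  # TPKT header carries the full PDU length
        total = struct.unpack(">H", header[2:4])[0]
        pdu = header + _recv_exact(sock, total - 4)
    return classify(parse_connection_confirm(pdu))


# Constructed sample confirms (not captured traffic) so the parser runs offline.
SAMPLE_NLA_REQUIRED = bytes.fromhex("030000130ed00000123400" "0300080005000000")  # NEG_FAILURE, code 5
SAMPLE_RDP_ACCEPTED = bytes.fromhex("030000130ed00000123400" "0200080000000000")  # NEG_RSP, PROTOCOL_RDP
SAMPLE_LEGACY = bytes.fromhex("0300000b06d00000123400")                          # 11-byte confirm, no negotiation

if __name__ == "__main__":
    for name, pdu in (("nla_required", SAMPLE_NLA_REQUIRED),
                      ("rdp_accepted", SAMPLE_RDP_ACCEPTED),
                      ("legacy", SAMPLE_LEGACY)):
        print(name, "->", classify(parse_connection_confirm(pdu)))
```

Run `probe("host", port=3389)` (or 3388 for the alternate port from the Shodan figures above) against machines you own; a verdict of "NLA enforced" means an unauthenticated client cannot reach the session, which is exactly the protection Pope describes, while "standard RDP security accepted" on an internet-facing host is the situation this article warns about. The legacy 11-byte answer is what XP and Server 2003 give, since they predate the negotiation block. Whatever the verdict, it is not a patch check: as Pope also notes, a host with NLA and valid credentials in the wrong hands remains exploitable, so confirm the May 2019 update is installed as well.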
Blocking Mass Worms
Mass worms, which infect a machine and then hunt for other machines to infect, are relatively rare these days. Numerous mass worms struck Microsoft systems in the early 2000s, but the company's subsequent focus on security hardened Windows against such attacks.
That was until early 2017. In a mind-bending turn of events, a group calling itself The Shadow Brokers in April 2017 leaked a batch of exploits and tools, including "EternalBlue," taken from the U.S. National Security Agency. EternalBlue was an exploit for a flaw in version 1 of Microsoft's Server Message Block (SMBv1) file-sharing protocol (see: WannaCry Ransomware Outbreak Spreads Worldwide).
Microsoft had patched that vulnerability, in security bulletin MS17-010, about a month earlier. But many organizations hadn't applied the patch, which allowed WannaCry to spread to at least 200,000 systems worldwide in May 2017. In June 2017, NotPetya, destructive malware that posed as ransomware, also used EternalBlue to spread (see: Massive Malware Outbreak: More Clever Than WannaCry).
Shortly after WannaCry emerged, and in light of the scale of the threat, Microsoft issued further patches for older operating systems that were already out of mainstream support, including Windows XP, Server 2003, Vista and Windows 8 (see: Microsoft Issues Another Emergency Windows XP Patch).