A boatload of manufacturers are still operating unsupported Windows XP and Windows 2003, but Microsoft is releasing a patch that mitigates a critical Remote Code Execution vulnerability in Remote Desktop Services, formerly known as Terminal Services, that affects older versions of Windows.
“This vulnerability is pre-authentication and requires no user interaction. In other words, the vulnerability is ‘wormable,’ meaning that any future malware that exploits this vulnerability could propagate from vulnerable computer to vulnerable computer in a similar way as the WannaCry malware spread across the globe in 2017,” said Simon Pope, director of incident response at Microsoft Security Response Center (MSRC).
Keep in mind, the Remote Desktop Protocol (RDP) itself is not vulnerable.
While Microsoft has observed no exploitation of this vulnerability, tracked as CVE-2019-0708, it is likely attackers will write an exploit for it and incorporate it into their malware.
“Now that I have your attention,” Pope said in the post, “it is important that affected systems are patched as quickly as possible to prevent such a scenario from happening. In response, we are taking the unusual step of providing a security update for all customers to protect Windows platforms, including some out-of-support versions of Windows.”
Vulnerable in-support systems include Windows 7, Windows Server 2008 R2, and Windows Server 2008. Downloads for in-support versions of Windows can be found in the Microsoft Security Update Guide. Customers who use an in-support version of Windows and have automatic updates enabled are automatically protected.
Out-of-support systems include Windows 2003 and Windows XP. If a user is working with an out-of-support version, the best way to address this vulnerability is to upgrade to the latest version of Windows. “We are making fixes available for these out-of-support versions of Windows in KB4500705,” Pope said.
“Microsoft is aware some customers are running versions of Windows that no longer receive mainstream support,” Microsoft said in another post. “That means those customers will not have received any security updates to protect their systems from CVE-2019-0708, which is a critical remote code execution vulnerability.
“Given the potential impact to customers and their businesses, we made the decision to make security updates available for platforms that are no longer in mainstream support. These updates are available from the Microsoft Update Catalog only. We recommend that customers running one of these operating systems download and install the update as soon as possible.”
Customers running Windows 8 and Windows 10 are not affected by this vulnerability.
There is partial mitigation on affected systems that have Network Level Authentication (NLA) enabled.
The affected systems are mitigated against ‘wormable’ malware or advanced malware threats that could exploit the vulnerability, as NLA requires authentication before the vulnerability can be triggered. However, affected systems are still vulnerable to Remote Code Execution (RCE) exploitation if the attacker has valid credentials that can be used to successfully authenticate, Pope added.
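As an added example (not part of the article or Microsoft's own guidance), the PowerShell audit below checks the NLA mitigation described above across a set of hosts and reports which ones expose RDP without it. It assumes PowerShell remoting (WinRM) is reachable on the targets and relies on the standard RDP-Tcp registry values, which exist on Windows 7 and Server 2008.

```powershell
# Added audit script: reports whether RDP is enabled and whether Network Level
# Authentication (NLA) is required on each host, and can optionally turn NLA on.
# Assumption: WinRM remoting works against every name in -ComputerName.
param(
    [string[]]$ComputerName = @('localhost'),
    [switch]$Remediate   # also require NLA where RDP is on and NLA is off
)

$rdpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$tcpKey = "$rdpKey\WinStations\RDP-Tcp"

$audit = {
    param($rdpKey, $tcpKey, $Remediate)
    $os   = Get-WmiObject Win32_OperatingSystem
    # fDenyTSConnections = 0 means the RDP listener is enabled
    $deny = (Get-ItemProperty $rdpKey -Name fDenyTSConnections).fDenyTSConnections
    # UserAuthentication = 1 means NLA must succeed before a session is created,
    # which is the partial mitigation the article describes
    $nla  = (Get-ItemProperty $tcpKey -Name UserAuthentication).UserAuthentication

    if ($Remediate -and $deny -eq 0 -and $nla -ne 1) {
        Set-ItemProperty $tcpKey -Name UserAuthentication -Value 1
        $nla = 1
    }

    # NLA only blocks unauthenticated triggering; an attacker holding valid
    # credentials can still reach the vulnerable code path, so the host still needs the patch
    if ($deny -eq 0 -and $nla -ne 1) { $exposure = 'RDP without NLA' }
    elseif ($deny -eq 0)             { $exposure = 'RDP with NLA (credentialed RCE still possible)' }
    else                             { $exposure = 'RDP disabled' }

    [pscustomobject]@{
        Computer    = $env:COMPUTERNAME
        OSVersion   = $os.Version   # 5.x = XP/2003, 6.0 = 2008, 6.1 = 7/2008 R2
        RdpEnabled  = ($deny -eq 0)
        NlaRequired = ($nla -eq 1)
        Exposure    = $exposure
    }
}

Invoke-Command -ComputerName $ComputerName -ScriptBlock $audit `
    -ArgumentList $rdpKey, $tcpKey, $Remediate.IsPresent |
    Format-Table Computer, OSVersion, RdpEnabled, NlaRequired, Exposure -AutoSize
```

Hosts reported as "RDP without NLA" on version 5.x or 6.x are the ones to prioritize for the update, and "RDP with NLA" hosts still need it.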
“Threat researchers at industrial cybersecurity company CyberX have analyzed traffic from more than 850 production OT networks worldwide and found that 53 percent of industrial sites are still running unsupported Windows boxes, many of which are likely affected by Microsoft’s announcement,” said Phil Neray, vice president of Industrial Cybersecurity at CyberX, a Boston-based ICS security provider. “The problem stems from the fact that patching computers in industrial control networks is challenging because they often operate 24×7 controlling large-scale physical processes like oil refining and electricity generation. For companies that can’t upgrade, we recommend implementing compensating controls such as network segmentation and continuous network monitoring.”