Microsoft has disclosed a serious flaw in Windows 7, Windows XP and Windows Server 2003 that can be used to create wormable malware, spreading from one vulnerable machine to another without user interaction. Only machines that expose Remote Desktop Protocol (RDP) are at risk. Read this post to learn about this wormable Remote Desktop Services security flaw.
Microsoft is reportedly taking the unusual step of releasing security patches for operating systems such as Windows XP and Windows Server 2003, even though they are out of support (but still widely used).
On Tuesday, the company said it had discovered a serious flaw in these Windows systems that can be exploited to create malware designed to propagate from one vulnerable computer to another.
Wormable Critical RDP Vulnerability
This flaw (CVE-2019-0708) exists in the Remote Desktop Services component built into Windows. It affects the supported versions Windows 7, Windows Server 2008 R2 and Windows Server 2008, as well as the out-of-support Windows XP and Server 2003 mentioned above.
According to Microsoft's Windows IT Pro Center, Remote Desktop Services (RDS) is the platform of choice for building virtualization solutions for every end-customer need, such as delivering individual virtualized apps and providing remote desktop access.
Normally, access requires a valid username and password, but an unauthenticated attacker can execute arbitrary code on the target system and install malware on a Windows machine via RDS simply by sending specially crafted packets.
Microsoft said in the vulnerability advisory that attackers could then install programs, view, delete and change data or create new accounts with full user rights.
According to Simon Pope, director of incident response for the Microsoft Security Response Center, this Windows bug is pre-authentication and doesn’t require interaction from the owner of the affected Windows machine.
Thus, in theory, attackers could scan the internet to find other machines to target, and the exposed population is large: security researcher Kevin Beaumont cites data from the device search engine Shodan and estimates that 3 million Remote Desktop Protocol endpoints are currently exposed to the internet.
More seriously, this vulnerability is wormable, meaning that any future malware using this flaw could propagate from the infected computer to another in a similar way as the WannaCry ransomware spread across the world in 2017 (particularly prevalent among systems running Windows XP and older versions of Windows).
Microsoft Patches Wormable Remote Desktop Services Security Flaw
This wormable Windows bug can be partially mitigated by enabling NLA (Network Level Authentication) for Remote Desktop Services connections on affected systems. NLA is an authentication mechanism that completes user authentication before a remote desktop session is established and the login screen appears, which keeps unauthenticated traffic away from the vulnerable code and so helps protect the remote computer from malicious software.
Even so, if attackers already hold credentials that let them authenticate to a system where RDS is enabled, they could still trigger the Remote Code Execution bug.
Although Microsoft says it has not observed any exploitation of this vulnerability, it has released patches because it is only a matter of time before attackers create malware for it.
Windows 7, Windows Server 2008 R2 and Windows Server 2008 users can get the security updates via the Microsoft Security Update Guide. Windows XP and Windows Server 2003 users should either upgrade to a newer release or apply the security updates available via KB4500705.
Fortunately, this wormable Remote Desktop Services security flaw, tracked as CVE-2019-0708, only affects older versions of Windows. It does not affect Windows 8/8.1, Windows 10, Windows Server 2012/2012 R2 or Windows Server 2016/2019.
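The two defensive checks discussed above (whether NLA is enforced on the RDP listener, and whether the relevant update is installed) can be audited from an elevated PowerShell prompt on the host itself. The following script is an added example written for this post; it is not Microsoft's code. It reads the standard Terminal Server registry values, checks for the KB number the article names for Windows XP/Server 2003 (other Windows versions ship the fix under different KB numbers, so pass the right one with `-KbId`), and can optionally turn NLA on. The helper name `Get-RdpExposure` and the `-EnableNla` switch are this example's own.

```powershell
# Added example (not from the original article): audit one Windows host's
# exposure to the RDP flaw described above and optionally enforce NLA.
# Assumes it runs elevated on the host being checked.
# Registry paths are the standard Terminal Server settings; the default
# KB number is the one the article gives for XP / Server 2003.

param(
    [string]$KbId = 'KB4500705',   # from the article; other versions use other KBs
    [switch]$EnableNla             # set UserAuthentication=1 on the RDP-Tcp listener
)

$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpTcp = Join-Path $tsKey 'WinStations\RDP-Tcp'

function Get-RdpExposure {
    param([string]$KbId)

    # fDenyTSConnections = 1 means RDP is disabled on this host.
    $deny = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
    # UserAuthentication = 1 means NLA is required before a session is created.
    $nla  = (Get-ItemProperty -Path $rdpTcp -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication
    $port = (Get-ItemProperty -Path $rdpTcp -Name PortNumber -ErrorAction SilentlyContinue).PortNumber
    if (-not $port) { $port = 3389 }

    # Get-HotFix writes a non-terminating error when the KB is absent; we only
    # care whether anything came back.
    $patched = $null -ne (Get-HotFix -Id $KbId -ErrorAction SilentlyContinue)

    # Is anything actually listening on the RDP port? (netstat works on XP/2003
    # and Windows 7 alike; Get-NetTCPConnection does not exist there.)
    $listening = [bool](netstat -an | Select-String -SimpleMatch ":$port " | Select-String 'LISTENING')

    # Windows XP and Server 2003 cannot enforce NLA as an RDP server, so the only
    # mitigations there are the patch or disabling RDP.
    $os = (Get-WmiObject Win32_OperatingSystem).Caption
    $nlaCapable = $os -notmatch 'XP|2003'

    $risk = 'Low'
    if ($deny -ne 1 -and $listening -and -not $patched) {
        $risk = if ($nla -eq 1 -and $nlaCapable) { 'Medium (NLA on, but unpatched)' } else { 'High (unpatched, no NLA)' }
    }

    New-Object PSObject -Property @{
        OperatingSystem = $os
        RdpEnabled      = ($deny -ne 1)
        ListeningOnPort = $listening
        RdpPort         = $port
        NlaRequired     = ($nla -eq 1)
        NlaSupported    = $nlaCapable
        PatchInstalled  = $patched
        PatchChecked    = $KbId
        Risk            = $risk
    }
}

$report = Get-RdpExposure -KbId $KbId
$report | Format-List

if ($EnableNla -and $report.NlaSupported -and -not $report.NlaRequired) {
    # Enforce NLA on the listener. Existing sessions are unaffected; new
    # connections must authenticate (CredSSP) before the login screen is shown.
    Set-ItemProperty -Path $rdpTcp -Name UserAuthentication -Value 1 -Type DWord
    Write-Output "NLA enabled on RDP-Tcp listener; re-run to confirm."
}
```

Run it without switches to get a read-only report, and with `-EnableNla` to apply the partial mitigation on hosts that support it. Note that the script reports a host as still at risk when NLA is on but the patch is missing, which matches the article's point that NLA only protects against unauthenticated attackers.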