GCHQ's NCSC finds WannaCry-bad, wormable bug; Microsoft even to patch Windows XP
- 15 May, 2019 05:56
Microsoft on Tuesday released patches for 79 vulnerabilities for May's Patch Tuesday, but one of them, affecting a feature called Remote Desktop Services (RDS), stands out because it has even warranted a rare patch for Windows XP.
Windows 10 PCs aren’t vulnerable to this RDS bug, so consumers can breathe a sigh of relief, but this “critical”-rated vulnerability is worth paying attention to for anyone responsible for networks that have older versions of Windows, from unsupported Windows XP to the still-supported Windows 7.
Microsoft last patched Windows XP in the wake of WannaCry, which used the National Security Agency’s (NSA) leaked EternalBlue exploit to spread within networks. The malware encrypted files on thousands of computers at the UK’s National Health Service.
The WannaCry attack, which struck two years ago this month, was eventually blamed by the Five Eyes nations on North Korean government hackers.
Microsoft’s unscheduled May 2017 update in response to WannaCry was the first time in three years it had patched unsupported versions of Windows, including most notably Windows XP. Microsoft described it as a “highly unusual step”.
The software giant will now do it again for the RDS bug, CVE-2019-0708, because it is wormable (an exploit could use the flaw to quickly multiply across vulnerable machines), it doesn’t require users to click on attachments or links to exploit, and has the potential to be as devastating as WannaCry, which infected nearly 300,000 Windows PCs around the world.
The RDS bug can allow an attacker without valid credentials to connect to a vulnerable system over the Remote Desktop Protocol (RDP) and send specially crafted RDP requests. An attacker who exploits the flaw could then execute code of their choice and install malware.
“This vulnerability is pre-authentication and requires no user interaction. An attacker who successfully exploited this vulnerability could execute arbitrary code on the target system,” Microsoft explains in a sparse advisory.
The RDS bug was reported to Microsoft by the UK’s National Cyber Security Centre (NCSC), the public-facing arm of the UK’s spy agency, GCHQ, which aims to help UK organizations improve cybersecurity.
The fact that NCSC reported the bug is interesting in itself, given the background to WannaCry and the NSA’s EternalBlue exploit.
NCSC plays a critical role in GCHQ's vulnerability “equities process”, which guides the agency’s decisions about which bugs to report to affected vendors and which to keep for intelligence-related activities. In the wake of WannaCry, Microsoft president Brad Smith accused the NSA of “hoarding” vulnerabilities and exploits to the detriment of the public. The NSA has since detailed its vulnerabilities equities process.
The Microsoft Security Response Center (MSRC) has posted a blog explaining the importance of patching this particular bug urgently, even on older versions of Windows like XP.
“This vulnerability is pre-authentication and requires no user interaction. In other words, the vulnerability is ‘wormable’, meaning that any future malware that exploits this vulnerability could propagate from vulnerable computer to vulnerable computer in a similar way as the WannaCry malware spread across the globe in 2017,” explained Simon Pope, director of incident response at MSRC.
Microsoft considers it “highly likely” this bug will be incorporated into malware in the near future, even though it hasn’t seen any malicious activity yet.
Pope said that organizations need to patch affected systems “as quickly as possible” to prevent the next potential WannaCry.
“In response, we are taking the unusual step of providing a security update for all customers to protect Windows platforms, including some out-of-support versions of Windows,” said Pope.
Windows 10 and Windows 8 users don’t need to worry as these versions are not affected by the RDS issue. However, supported but vulnerable systems — Windows 7, Windows Server 2008 R2, and Windows Server 2008 — can get patches from the Microsoft Security Update Guide.
Microsoft is encouraging users of the unsupported Windows Server 2003 and Windows XP to upgrade to a supported version as the safest option going forward. Despite this, and because of the severity of the bug, it is making fixes available via Knowledge Base article KB4500705.
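For administrators who need to find which hosts the article's advice applies to, the following PowerShell script is an added example, not code from the article or from Microsoft. It classifies a single host by the product families the article names (XP/Server 2003, Server 2008, Windows 7/Server 2008 R2 affected; Windows 8 and 10 not affected), reports whether Remote Desktop is enabled and on which port, and checks whether a named update is installed. The only KB number the article gives is KB4500705, for the out-of-support fixes; the `-HotFixId` default is therefore a placeholder, and for Windows 7, Server 2008 and 2008 R2 the applicable KB must be looked up in the Microsoft Security Update Guide and passed in. The function name, parameter name and the `Verdict` strings are this example's own.

```powershell
# Added example (not from the article or Microsoft): per-host exposure check
# for the RDS bug CVE-2019-0708. Uses only Windows PowerShell 2.0-era cmdlets
# so it also runs on the older systems the article is about.
function Get-RdsExposure {
    param(
        # Placeholder: KB4500705 is the article's KB for XP / Server 2003.
        # For Windows 7 / Server 2008 / 2008 R2, pass the KB from the
        # Microsoft Security Update Guide instead.
        [string]$HotFixId = 'KB4500705'
    )

    $os  = Get-WmiObject -Class Win32_OperatingSystem
    $ver = $os.Version

    # Kernel version prefixes of the product families the article lists as
    # affected: 5.1 = XP, 5.2 = Server 2003, 6.0 = Server 2008 (Vista shares
    # this number but is not named in the article), 6.1 = Windows 7 / 2008 R2.
    # 6.2 and later (Windows 8.x, 10, Server 2012+) are not affected.
    $affectedOs = ($ver -match '^(5\.[12]|6\.[01])\.')

    # Remote Desktop is enabled when fDenyTSConnections is 0. If the value is
    # missing we conservatively treat RDP as enabled.
    $tsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $deny  = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections `
                -ErrorAction SilentlyContinue).fDenyTSConnections
    $rdpEnabled = ($deny -ne 1)

    # Listening port of the RDP-Tcp listener (3389 by default).
    $port = (Get-ItemProperty -Path "$tsKey\WinStations\RDP-Tcp" -Name PortNumber `
                -ErrorAction SilentlyContinue).PortNumber

    # Is the named update present in the installed-hotfix inventory?
    $patched = [bool](Get-HotFix -Id $HotFixId -ErrorAction SilentlyContinue)

    $verdict = if (-not $affectedOs) { 'Not affected (Windows 8/10 family)' }
               elseif ($patched)    { 'Affected OS, update present' }
               elseif ($rdpEnabled) { 'EXPOSED: affected OS, RDP enabled, update missing' }
               else                 { 'Affected OS, update missing, RDP disabled' }

    New-Object PSObject -Property @{
        Computer   = $os.CSName
        OSCaption  = $os.Caption
        OSVersion  = $ver
        AffectedOS = $affectedOs
        RdpEnabled = $rdpEnabled
        RdpPort    = $port
        HotFixId   = $HotFixId
        Patched    = $patched
        Verdict    = $verdict
    }
}

# Usage: run on each host (or via remoting / a login script) and collect the
# objects centrally; any host whose Verdict starts with EXPOSED should be
# patched or have RDP disabled first.
Get-RdsExposure -HotFixId 'KB4500705' | Format-List
```

The check is deliberately inventory-based: it reads the OS version, the Terminal Server registry keys and the installed-update list, so it never touches the RDP service itself and can be run safely in bulk. A host that is on an affected version with RDP disabled is still worth patching, since RDP may be enabled later; the script only orders the work.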
Most consumers likely wouldn't be aware of RDS. Once known as Terminal Server, RDS lets enterprise organizations provide users with remote desktops and access to virtualized apps.