On May 14, Microsoft released fixes for a critical Remote Code Execution vulnerability, CVE-2019-0708, in Remote Desktop Services – formerly known as Terminal Services – that affects some older versions of Windows. In its previous blog post on this topic, Microsoft had warned that the vulnerability is ‘wormable’, and that future malware that exploits this vulnerability could propagate from vulnerable computer to vulnerable computer in much the same way that the WannaCry malware spread across the globe in 2017.
Microsoft says that it is confident that an exploit exists for this vulnerability, and that nearly one million computers connected directly to the internet are still vulnerable to CVE-2019-0708. Many more within corporate networks may also be vulnerable. It only takes one vulnerable computer connected to the internet to provide a potential gateway into these corporate networks, where advanced malware could spread, infecting computers across the enterprise. This scenario could be even worse for those who have not kept their internal systems updated with the latest fixes, as any future malware may also attempt further exploitation of vulnerabilities that have already been fixed.
As Microsoft puts it: “It’s been only two weeks since the fix was released and there has been no sign of a worm yet. This does not mean that we’re out of the woods. If we look at the events leading up to the start of the WannaCry attacks, they serve to inform the risks of not applying fixes for this vulnerability in a timely manner.”
Microsoft: “Our recommendation remains the same. We strongly advise that all affected systems should be updated as soon as possible.”
- Anyone who is running a vulnerable computer should update at once.
- If using versions from Windows XP through Server 2008 R2, ensure a patch is in place.
- Also test to make sure RDP is not exposed to the Internet unless absolutely necessary.
- Enabling Network Level Authentication (NLA) for Remote Desktop Services is advised, but it is ineffective against attackers who have network passwords, which is a common occurrence in ransomware infections.
- Windows 8 and 10 are unaffected.
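
One way to carry out the RDP exposure and NLA checks from the list above against hosts you administer, as an added example that is not from Microsoft or the original article: it sends an RDP connection request offering only legacy RDP security and reads the server's negotiation reply. The function names and the sample replies are constructed for illustration; the field values follow the MS-RDPBCGR negotiation structures.

```python
import socket
import struct

# Values from the MS-RDPBCGR negotiation structures.
PROTOCOL_RDP = 0x0               # legacy RDP security, i.e. no NLA
RDP_NEG_RSP, RDP_NEG_FAILURE = 0x02, 0x03
HYBRID_REQUIRED_BY_SERVER = 0x5  # failure code: server insists on CredSSP (NLA)

# Constructed sample replies (not captured from any real host).
SAMPLE_NLA = bytes.fromhex("03000013 0ed00000123400 0300080005000000")
SAMPLE_LEGACY = bytes.fromhex("03000013 0ed00000123400 0200080000000000")
SAMPLE_NO_NEG = bytes.fromhex("0300000b 06d00000123400")


def build_request():
    """TPKT + X.224 Connection Request offering only legacy RDP security."""
    neg = struct.pack("<BBHI", 0x01, 0x00, 8, PROTOCOL_RDP)  # RDP_NEG_REQ
    x224 = struct.pack(">BBHHB", 6 + len(neg), 0xE0, 0, 0, 0) + neg
    return struct.pack(">BBH", 3, 0, 4 + len(x224)) + x224


def classify_response(data):
    """Classify the server's reply to build_request()."""
    if len(data) < 11 or data[0] != 3 or (data[5] & 0xF0) != 0xD0:
        return "not-rdp"            # no TPKT + X.224 Connection Confirm
    neg = data[11:19]
    if len(neg) < 8:
        return "nla-not-enforced"   # no negotiation block: legacy security accepted
    neg_type, _flags, _length, value = struct.unpack("<BBHI", neg)
    if neg_type == RDP_NEG_FAILURE and value == HYBRID_REQUIRED_BY_SERVER:
        return "nla-required"
    if neg_type == RDP_NEG_RSP and value == PROTOCOL_RDP:
        return "nla-not-enforced"
    return "other"                  # e.g. TLS required without NLA; inspect manually


def check_host(host, port=3389, timeout=5.0):
    """Probe a host you administer; 'closed' means the port did not answer."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(build_request())
            return classify_response(sock.recv(1024))
    except OSError:
        return "closed"


if __name__ == "__main__":
    for name, reply in [("nla", SAMPLE_NLA), ("legacy", SAMPLE_LEGACY), ("old", SAMPLE_NO_NEG)]:
        print(name, classify_response(reply))
```

An `nla-required` result says nothing about whether the fix is installed, so the update is still needed on every affected system.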