Microsoft Patches Critical WannaCry-like Vulnerability, Including Legacy XP and Windows Server 2003
May 15th, 2019
Today Microsoft released fixes for a critical remote code execution vulnerability, CVE-2019-0708, in Remote Desktop Services (formerly known as Terminal Services). It exists in Windows XP, Windows 7, and server versions including Windows Server 2003, Windows Server 2008 and Windows Server 2008 R2. Newer versions of Windows, that is Windows 8 and Windows 10, are not affected, which Microsoft attributes to the hardening built into its later releases.
As a testament to its potential for harm, Microsoft is taking the unusual step of releasing patches for Windows XP and Windows Server 2003 even though both operating systems are out of support. Microsoft has included these unsupported operating systems because the flaw is wormable and, if left unpatched, could wreak havoc in the same way that WannaCry did.
The flaw is in Remote Desktop Services, not in the Remote Desktop Protocol (RDP) itself. “This vulnerability is pre-authentication and requires no user interaction,” Simon Pope, director of incident response at the Microsoft Security Response Center, wrote in a post published to coincide with the company’s May Update Tuesday release. “In other words, the vulnerability is ‘wormable’, meaning that any future malware that exploits this vulnerability could propagate from vulnerable computer to vulnerable computer in a similar way as the WannaCry malware spread across the globe in 2017.”
An attacker who successfully exploited this vulnerability could execute arbitrary code on the target system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
While no exploitation of this vulnerability has been observed so far, it is highly likely that malicious actors will develop an exploit and incorporate it into their malware imminently. It is vital that all affected systems are patched as quickly as possible to prevent such a scenario. The update addresses the vulnerability by correcting how Remote Desktop Services handles connection requests. Microsoft’s advisory also notes that systems with Network Level Authentication (NLA) enabled are partially mitigated, because NLA forces authentication before the vulnerable code is reached, and that blocking TCP port 3389 at the enterprise perimeter and disabling Remote Desktop Services where it is not needed reduce exposure. These are stopgaps, not substitutes for the patch. Patching is the immediate fix; the smarter long-term move is to migrate off these versions to Windows 8 or Windows 10.
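To turn the advice above into something an administrator can run, here is an added PowerShell triage script. It is an example written for this article, not code from the original page or from Microsoft. It reports whether the host is in the affected version range (Windows XP, Server 2003, Server 2008, Windows 7 and Server 2008 R2), whether Remote Desktop is enabled, whether NLA is required, which port RDP listens on, and whether a given update is installed. The registry locations and the `Get-HotFix` cmdlet are standard Windows ones; the KB identifier is deliberately left as a parameter, since it differs per OS and must be taken from Microsoft’s advisory. It assumes an elevated session and PowerShell 2.0 or later, so it will not run on Windows XP or Server 2003 hosts that lack PowerShell.

```powershell
# Added example for the article above, not Microsoft's or the author's code.
# Local triage for CVE-2019-0708 exposure. Run from an elevated PowerShell session on the host.
# Assumption: the operator supplies the KB number listed in Microsoft's advisory for this OS.
param(
    [string]$ExpectedKB   # e.g. 'KB1234567' (placeholder, look up the real value per OS)
)

# Get-WmiObject rather than Get-CimInstance so the script also works on PowerShell 2.0 (Windows 7 default).
$os      = Get-WmiObject -Class Win32_OperatingSystem
$version = [Version]$os.Version   # e.g. 6.1.7601 for Windows 7 SP1 / Server 2008 R2

# Versions named in the article: XP (5.1), Server 2003 (5.2), Server 2008 (6.0), Windows 7 / 2008 R2 (6.1).
# Windows 8 (6.2) and later are outside the affected range.
$inAffectedRange = ($version.Major -lt 6) -or ($version.Major -eq 6 -and $version.Minor -le 1)

$tsKey     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpTcpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

# fDenyTSConnections = 1 means incoming Remote Desktop connections are refused.
$rdpEnabled = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections).fDenyTSConnections -eq 0

# UserAuthentication = 1 means Network Level Authentication is required before a session is created.
# The value does not exist on XP / Server 2003, which have no NLA; treat that as "not required".
$nlaProp     = Get-ItemProperty -Path $rdpTcpKey -Name UserAuthentication -ErrorAction SilentlyContinue
$nlaRequired = ($nlaProp -ne $null) -and ($nlaProp.UserAuthentication -eq 1)

# Listening port; 3389 is the default the article's perimeter-blocking advice refers to.
$rdpPort = (Get-ItemProperty -Path $rdpTcpKey -Name PortNumber).PortNumber

# Only check installed updates if the operator told us which KB to look for.
$updateInstalled = $null
if ($ExpectedKB) {
    $updateInstalled = [bool](Get-HotFix | Where-Object { $_.HotFixID -eq $ExpectedKB })
}

$report = New-Object PSObject -Property @{
    ComputerName    = $env:COMPUTERNAME
    OSVersion       = "$($os.Caption) $($os.Version)"
    InAffectedRange = $inAffectedRange
    RDPEnabled      = $rdpEnabled
    NLARequired     = $nlaRequired
    RDPPort         = $rdpPort
    UpdateInstalled = $updateInstalled   # $null when no KB was supplied
}
$report | Format-List

# The combination that matters: affected OS, RDP reachable, no authentication before the vulnerable code.
if ($inAffectedRange -and $rdpEnabled -and -not $nlaRequired -and $updateInstalled -ne $true) {
    Write-Warning 'Remote Desktop is reachable pre-authentication on an OS in the affected range: install the update, require NLA, and restrict the RDP port at the perimeter.'
}
```

Run it as `.\Check-RDS.ps1 -ExpectedKB KB<number>` with the identifier from Microsoft’s advisory for that OS, or without the parameter to get the exposure picture alone. A host that shows `RDPEnabled True`, `NLARequired False` and `UpdateInstalled False` on a 5.x or 6.0/6.1 version is exactly the profile the article is warning about; NLA and port restrictions narrow the window but only the update removes the flaw.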
Microsoft credited the UK’s National Cyber Security Centre for privately reporting the vulnerability.