Microsoft has taken the unusual step of pushing out a security update for Windows customers running some out-of-support versions, after the UK’s National Cyber Security Centre (NCSC) disclosed a critical “wormable” remote code execution Windows vulnerability in Remote Desktop Services (RDP) that could allow malware to propagate freely.
Vulnerable “in-support” systems include Windows 7, Windows Server 2008 R2, and Windows Server 2008. “Out-of-support” systems affected (and for which Microsoft has put out the rare patch) include Windows 2003 and Windows XP. Newer Windows 8 and Windows 10 are unaffected by the vulnerability, which would let any future malware exploiting it move freely across vulnerable computers; much as WannaCry did 2017.
The NCSC’s disclosure will be welcomed by Microsoft, which has been agitating against nation state use of critical cybersecurity vulnerabilities for their own offensive uses. Microsoft President Brad Smith spoke out particularly strongly against the stockpiling and exploitation of such so-called 0days by nation states in the wake of the WannaCry attack.
(GCHQ, which oversees the NCSC, recently published an unusually transparent explanation of the decision making process it uses to decide when to retain a technology vulnerability, or when to disclose it to a vendor to be patched, saying: “Our default is to tell the vendor and have them fix it. But sometimes… we decide to keep the fact of the vulnerability secret and develop intelligence capabilities with it.”)
The Windows Vulnerability
The vulnerability, CVE-2019-0708, is pre-authentication and requires no user interaction, Microsoft’s Simon Pope, Director of Incident Response, Microsoft Security Response Center (MSRC) said Tuesday, adding: “While we have observed no exploitation of this vulnerability, it is highly likely that malicious actors will write an exploit for this vulnerability and incorporate it into their malware.”
The remote code execution vulnerability exists in RDP – formerly known as Terminal Services – and can be exploited by an unauthenticated attacker connecting to the target system using RDP and then sending specially crafted requests. An attacker who successfully exploited this vulnerability could execute arbitrary code on the target system, install programs; view, change, or delete data; or create new accounts with full user rights.
A quick fix is blocking TCP port 3389 at the enterprise perimeter; the port is used to initiate a connection with the affected component. Blocking it will protect networks from attacks originating outside the enterprise perimeter.
Patch Tuesday: Plenty of Fixes Needed
The vulnerability was one of 79 vulnerabilities pushed out on Patch Tuesday, with 22 of them labeled as Critical. Of the 22 Critical vulns, 18 are for scripting engines and browsers. The remaining 4 are remote code execution (RCE) in Remote Desktop, DHCP Server, GDI+, and Word. Microsoft also released guidance on the recently disclosed Microarchitectural Data Sampling (MDS) techniques, known as ZombieLoad, Fallout, and RIDL.
Adobe’s Patch Tuesday includes patches for vulnerabilities in Flash, Acrobat/Reader (83 vulnerabilities!) and Media Encoder.
Jimmy Graham, Senior Director of Product Management at Qualys said: “Microsoft has [also] issued a guidance document for how to mitigate Microarchitectural Data Sampling (MDS) attacks. Examples of this style of attack are ZombieLoad, Fallout, and RIDL. The CVEs for these vulnerabilities are: CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, and CVE-2019-11091. Intel has also released an overview, as well as a deep-dive document covering the techniques and mitigations.”
“Microcode updates for impacted processors will be required to mitigate these attacks, as well as OS patches. Microsoft mentions that disabling Hyper-threading (also known as Simultaneous Multi Threading (SMT)) may also be required to fully mitigate, though Intel discourages this. Microsoft will distribute microcode updates for Windows 10 systems only. For other Operating Systems, the OEM will need to provide these updates, often in the form of a BIOS update.”
Allan Liska, senior solutions architect at Recorded Future said in an emailed comment: “CVE-2019-0708 should be the highest priority patching because, in addition to the wormable capabilities in this exploit, many modern ransomware variants, such as Dharma, Robbinhood, and CrySIS, often use vulnerable RDP servers to gain access to victim networks. This vulnerability will make that process even easier.”
He added: “Once again, continuing a now long-running trend, this month sees updates (a total of 12) for critical vulnerabilities in the ChakraCore scripting engine for Microsoft Edge; malicious actors could lure victims to specially crafted websites to exploit these vulnerabilities and execute arbitrary code. However, the more important item is likely the disclosure of CVE-2019-0953, a vulnerability in Microsoft Word that could allow attackers to execute remote code with the security permissions of the current user. Threat actors of many stripes have long relied on malicious documents exploiting Microsoft Office vulnerabilities (e.g., CVE-2017-11882 or CVE-2018-0802) to spread malware or gain access to victim systems.”