Microsoft is warning that the Internet could see another exploit on the scale of the WannaCry attack that shut down computers around the world two years ago unless users patch a high-severity vulnerability. The software maker took the unusual step of backporting the just-released patch to Windows 2003 and XP, which have not been supported for four or five years.
"This vulnerability is pre-authentication and does not require user interaction," wrote Simon Pope, Director of Incident Response at the Microsoft Security Response Center, in a post that coincided with the May Update Tuesday release. In other words, the vulnerability is "wormable". This means that any future malware that exploits this vulnerability could spread from vulnerable computer to vulnerable computer in a similar way to the WannaCry malware that spread throughout the world in 201
As if a self-replicating code execution vulnerability were not severe enough, CVE-2019-0708, as the flaw in Windows Remote Desktop Services is indexed, requires a low level of complexity to exploit. Microsoft's Common Vulnerability Scoring System Calculator rates this complexity at 3.9 out of 10. (To be precise, the WannaCry developers had strong exploit code, written by the National Security Agency and later stolen, to exploit the wormable CVE-2017-0144 and CVE-2017-0145 flaws.) However, developing reliable exploit code for this latest Windows vulnerability requires relatively little work.
"To exploit the vulnerability, as in this case, someone would only need to send certain packets over the network to a vulnerable system where the RDP service is available," Brian Bartholomew, a senior security researcher on the global research and analytics team at Kaspersky Lab, told Ars in an e-mail. "In the past, it was pretty easy to make exploits for this service once the patch was undone. I assume that in the next few days someone will publish an exploit for this issue."
Bartholomew said that network firewalls and other defense mechanisms that block the RDP service would effectively stop the attack. However, as the world learned during the WannaCry attacks, these measures often fail to contain damage that can cost billions of dollars.
Independent researcher Kevin Beaumont, citing queries on the Shodan search engine for Internet-connected computers, said about 3 million RDP endpoints are directly exposed.
🚨 Very Important Security Update for Windows 🚨 CVE-2018-0708 allows remote execution of unauthenticated code over Remote Desktop (RDP). A very bad thing to counter. Around 3 million RDP endpoints are connected directly to the Internet. https://t.co/EAdg3VNMjw pic.twitter.com/u2V3uyoyVs
– Kevin Beaumont (@GossiTheDog) May 14, 2019
In addition to Windows 2003 and XP, CVE-2019-0708 also affects Windows 7, Windows Server 2008 R2, and Windows Server 2008. In a testament to Microsoft's steadily improving security, later versions of Windows are not at risk.
"Customers running Windows 8 and Windows 10 are not affected by this vulnerability, and it is no coincidence that later versions of Windows are not affected," Pope wrote. "Microsoft is investing heavily in improving the security of its products, often through important architectural enhancements that cannot be ported back to previous versions of Windows."
The subtext is that anyone using a vulnerable version of Windows should patch immediately. The smarter long-term measure is to upgrade to Windows 8 or 10 in the near future.
Microsoft credited the British National Cyber Security Center with privately reporting the vulnerability. While Microsoft stated that it had not observed any exploits in the wild, it is still unclear exactly how such an old and severe vulnerability has only now been identified.
"You have to ask yourself how they found it at all," said Bartholomew of Kaspersky Lab. "Did they see it in attacks elsewhere? Was this an old exploit used by friendly governments in the past and now running its course? Has this exploit leaked and they are being proactive? Of course, we'll probably never know the right answer, and frankly, it's just speculation, but there may be something to dig into."