Microsoft today is taking the unusual step of releasing security updates for unsupported but still widely-used Windows operating systems like XP and Windows 2003, citing the discovery of a “wormable” flaw that the company says could be used to fuel a fast-moving malware threat like the WannaCry ransomware attacks of 2017.
The May 2017 global malware epidemic WannaCry affected some 200,000 Windows systems in 150 countries. Source: Wikipedia.
The vulnerability (CVE-2019-0708) resides in the “remote desktop services” component built into supported versions of Windows, including Windows 7, Windows Server 2008 R2, and Windows Server 2008. It also is present in computers powered by Windows XP and Windows 2003, operating systems for which Microsoft long ago stopped shipping security updates.
Microsoft said the company has not yet observed any evidence of attacks against the dangerous security flaw, but that it is trying to head off a serious and imminent threat.
“While we have observed no exploitation of this vulnerability, it is highly likely that malicious actors will write an exploit for this vulnerability and incorporate it into their malware,” wrote Simon Pope, director of incident response for the Microsoft Security Response Center.
“This vulnerability is pre-authentication and requires no user interaction,” Pope said. “In other words, the vulnerability is ‘wormable,’ meaning that any future malware that exploits this vulnerability could propagate from vulnerable computer to vulnerable computer in a similar way as the WannaCry malware spread across the globe in 2017. It is important that affected systems are patched as quickly as possible to prevent such a scenario from happening.”
The WannaCry ransomware threat spread quickly across the world in May 2017 using a vulnerability that was particularly prevalent among systems running Windows XP and older versions of Windows. Microsoft had already released a patch for the flaw, but many older and vulnerable OSes were never updated. Europol estimated at the time that WannaCry spread to some 200,000 computers across 150 countries.
CVE-2019-0708 does not affect Microsoft’s latest operating systems — Windows 10, Windows 8.1, Windows 8, Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, or Windows Server 2012.
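The list of affected and unaffected versions above is what a defender needs to triage a fleet. As an added example, not from the article, from Microsoft, or from any commenter on this page, the following PowerShell script takes a read-only inventory of one Windows host: OS version and service pack, whether Remote Desktop is enabled and the Remote Desktop Services service (TermService) is running, whether anything is listening on TCP 3389 (the port a commenter below says Microsoft recommends blocking at the firewall if you cannot patch immediately), and which of a list of fix KB ids are installed. The KB ids are the four a commenter on this page lists for Windows Server 2008 / 2008 R2; the function name Get-RdpExposure and the variable $Cve20190708Fixes are my own.

```powershell
# Added example, not from the article or from Microsoft: a read-only inventory of a
# Windows host's exposure to CVE-2019-0708. Run in an elevated PowerShell prompt.
# Written for PowerShell 2.0 so it runs on Windows 7 / Server 2008 R2, which is why
# Get-WmiObject and netstat are used instead of newer cmdlets.

# KB ids that a commenter on this page lists for Windows Server 2008 / 2008 R2.
# Other OS versions use different KB ids; take them from Microsoft's customer
# guidance page (linked in the comments) and add them to this list.
$Cve20190708Fixes = @('KB4499180', 'KB4499149', 'KB4499164', 'KB4499175')

function Get-RdpExposure {
    param([string[]]$KnownFixes = $Cve20190708Fixes)

    # OS name, version and service pack (a commenter notes the patch needs SP2 / SP1).
    $os = Get-WmiObject -Class Win32_OperatingSystem

    # Is the Remote Desktop Services service (TermService) running at all?
    $svc = Get-Service -Name TermService -ErrorAction SilentlyContinue
    $serviceRunning = ($svc -ne $null -and $svc.Status -eq 'Running')

    # fDenyTSConnections = 0 means "Allow remote connections" is switched on.
    $tsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $deny = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
    $rdpEnabled = ($deny -ne $null -and $deny -eq 0)

    # Is anything listening on TCP 3389? netstat is used because Get-NetTCPConnection
    # only exists on Windows 8 / Server 2012 and later.
    $listening3389 = [bool](netstat -ano | Select-String -Pattern ':3389\s+\S+\s+LISTENING')

    # Which of the known fix KBs are already installed?
    $installed = @(Get-HotFix | Where-Object { $KnownFixes -contains $_.HotFixID } |
                   ForEach-Object { $_.HotFixID })

    New-Object -TypeName PSObject -Property @{
        OS              = $os.Caption
        Version         = $os.Version
        ServicePack     = $os.ServicePackMajorVersion
        RdpEnabled      = $rdpEnabled
        TermService     = $serviceRunning
        ListeningOn3389 = $listening3389
        FixesInstalled  = ($installed -join ', ')
        # Patch first where the service is actually reachable; patch the rest too.
        NeedsAction     = ($installed.Count -eq 0 -and ($rdpEnabled -or $listening3389))
    }
}

Get-RdpExposure | Format-List
```

Two caveats follow from the comments on this page: a host with Remote Desktop disabled still carries the vulnerable component, so NeedsAction only orders the patching work, it does not excuse skipping it; and a KB that appears in Get-HotFix is not proof the fix stuck, since one commenter reports servers that installed the update and then rolled it back on reboot, so re-run the check after the reboot, not before.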
All told, Microsoft today released 16 updates targeting at least 79 security holes in Windows and related software — nearly a quarter of them earning Microsoft’s most dire “critical” rating. Critical bugs are those that can be exploited by malware or ne’er-do-wells to break into vulnerable systems remotely, without any help from users.
One of those critical updates fixes a zero-day vulnerability — (CVE-2019-0863) in the Windows Error Reporting Service — that’s already been seen in targeted attacks, according to Chris Goettl, director of product management for security vendor Ivanti.
Other Microsoft products receiving patches today include Office and Office 365, SharePoint, .NET Framework and SQL Server. Once again — for the fourth time this year — Microsoft is patching yet another critical flaw in the Windows component responsible for assigning Internet addresses to host computers (a.k.a. “Windows DHCP client”).
“Any unauthenticated attacker who can send packets to a DHCP server can exploit this vulnerability,” to deliver a malicious payload, notes Jimmy Graham at Qualys.
Staying up-to-date on Windows patches is good. Updating only after you’ve backed up your important data and files is even better. A good backup means you’re not pulling your hair out if the odd buggy patch causes problems booting the system. So do yourself a favor and back up your files before installing any patches.
Note that Windows 10 likes to install patches all in one go and reboot your computer on its own schedule. Microsoft doesn’t make it easy for Windows 10 users to change this setting, but it is possible. For all other Windows OS users, if you’d rather be alerted to new updates when they’re available so you can choose when to install them, there’s a setting for that in Windows Update.
As per usual, Adobe has released security fixes for Flash Player and Acrobat/Reader. The Flash Player update fixes a single, critical bug in the program. Adobe’s Acrobat/Reader update plugs at least 84 security holes.
Microsoft Update should install the Flash fix by default, along with the rest of this month’s patch bundle. Fortunately, the most popular Web browser by a long shot — Google Chrome — auto-updates Flash but also is now making users explicitly enable Flash every time they want to use it. By the summer of 2019 Google will make Chrome users go into their settings to enable it every time they want to run it.
Firefox also forces users with the Flash add-on installed to click in order to play Flash content; instructions for disabling or removing Flash from Firefox are here. Adobe will stop supporting Flash at the end of 2020.
As always, if you experience any problems installing any of these patches this month, please feel free to leave a comment about it below; there’s a good chance other readers have experienced the same and may even chime in here with some helpful tips.
Tags: Chris Goettl, CVE-2019-0708, DHCP, Flash Player, Ivanti, Qualys, WannaCry, Windows 2003, Windows XP
This entry was posted on Tuesday, May 14th, 2019 at 1:11 pm and is filed under Time to Patch.
Where did you get information on out-of-band patches for XP and 2003? There is nothing similar mentioned in the official Windows advisory?
It’s on a different Microsoft page. I found the link on another site. https://support.microsoft.com/en-us/help/4500705/customer-guidance-for-cve-2019-0708
Would it be a correct assumption that if Remote Assistance/Remote Desktop is NOT enabled on a Windows 7 machine, then the exploit would not work?
Maybe, but I wouldn’t count on it. I certainly wouldn’t bet my job on it. Better patched and safe than sorry, in any case.
Well of course I will patch, but the question is: how aggressively? I’ve got a fleet of machines, and knowing whether or not they are vulnerable (based on whether Remote Desktop is enabled) affects the speed and timing of when I’ll be patching.
Well, logically that should solve the problem… Microsoft recommends closing port 3389 at a firewall level to solve this if you cannot immediately patch.
I subscribe to your concern. I cannot understand WHY when reporting a serious issue like this one Microsoft is not more specific. I mean, the CVE MS published says there are no mitigations, but I interpret if you want to use RDS.
So does the story: “The vulnerability (CVE-2019-0708) resides in the ‘remote desktop services’ component built into supported versions of Windows, including Windows 7, Windows Server 2008 R2, and Windows Server 2008. It also is present in computers powered by Windows XP and Windows 2003, operating systems for which Microsoft long ago stopped shipping security updates.”
But Microsoft says this does not impact Server 2012: “CVE-2019-0708 does not affect Microsoft’s latest operating systems — Windows 10, Windows 8.1, Windows 8, Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, or Windows Server 2012.”
The human-readable post from the Microsoft Security Response Center team (MSRC) is at https://blogs.technet.microsoft.com/msrc/2019/05/14/prevent-a-worm-by-updating-remote-desktop-services-cve-2019-0708/
Users of Windows Vista can download the updates (Monthly Rollup or Security Only) of Windows Server 2008 from the Update Catalog and install them manually.
Customer guidance for CVE-2019-0708 | Remote Desktop Services Remote Code Execution Vulnerability: May 14, 2019
https://support.microsoft.com/en-us/help/4500705/customer-guidance-for-cve-2019-0708
– Cisco has a vulnerability of epic proportions which will affect millions and millions of systems (with a patch coming “soon”)
– Intel CPU vulnerabilities continue to mount, with 4 new vulnerabilities that Intel insists are low-to-medium issues.
@asb, I think you need to read something a little less click-bait than that Wired article. IF SOMEONE HAS ADMIN ACCESS TO YOUR ROUTER, which is the requirement for the TAm vulnerability, THAT SOMEONE HAS ALREADY LOST. Not quite epic as the article states.
Why would anyone running an old Windows operating system check for this security update if they have long been told that their system is unsupported and is no longer receiving security updates?
Third world countries where the only option they might have is XP. The world consists of more than just 1st world nations, and poor countries have computers too.
What is the reason for enabling RDP on a Home computer? Remote Terminal Services are a type of “backdoor” and hardening processes or default configurations must do away with it.
Microsoft (or any other manufacturer) should be held accountable (taken to court) for insecure default configurations which cause harm to consumers.
I buy ‘Professional’ Windows to enable RDP on home computers because I have more than one and like to access them without sitting down in front of them and using their keyboard and mouse.
You can’t enable Remote Desktop on ‘Home’ without hacking a .dll and Remote Desktop access is disabled by default on ‘Pro’. I consider that a decision that limits harm to consumers.
I tried to download from the microsoft catalog for this new fix. All I get is this: The website has encountered a problem [Error number: 8DDD0001] The website has encountered a problem and cannot display the page you are trying to view. The options provided below might help you solve the problem.
Is Microsoft making a strategic mistake in helping out users of unsupported versions of Windows? Or is it all about protecting the Windows brand?
Also– Any comments on the Whatsapp vulnerability stories that are making the rounds in the mass media? I’m a bit suspicious of claims that NSO is at fault, and that the vague sources seem to originate in Saudi Arabia, not exactly a hotbed of technical knowledge.
My machine is a Windows 7 64 bit HP desktop, partitioned with Ubuntu. The first bootup and the installation reboot was 45 seconds to a minute slower than normal.
For the second month in a row, Windows Media Player reverts to default, and it’s necessary to reconfigure it.
To access Windows Update in Windows 7: Open the Windows Control Panel, and then click System and Security, then Windows Update.
This worm had infected our XP computers already; saw a redirect with bank logons back in April. It puzzled our IT who said it locked the administrator out of the operating system by taking control using a remote process. Disabled services so that admin and users cannot enable, nor copy or paste files. It’s a shame the info was not released earlier as it would have saved us a lot of headaches. Now need a good repair tool.
Has anyone assessed if any Linux RDP application is vulnerable to CVE-2019-0708? It’s not a protocol vulnerability, per Microsoft. But wondering if Linux implementations are safe.
I’ve been trying to use SCCM to deploy the required updates for both Windows 2008 & 2008 R2 (KB4499180, KB4499149, KB4499164 & KB4499175), along with manual install. Nothing seems to work. Some servers install it ok, but then roll back once it reboots. Other servers show it’s been installed in Software Centre but then show as “Failed” in Update history.
Even getting conflicting reports showing servers require KB4499164 but won’t install and return “The update is not applicable to your computer”, even though that update is for 2008 R2 where I’m installing it.
@Adrian – have you verified that the servers rolling back the patch have the required service pack installed (SP2 for Windows Server 2008 and SP1 for Windows Server 2008 R2)?
If they’re already running those, you could check the Windows event logs and update-related log files (“%sysdir%\WindowsUpdate.log” and “%windir%\Logs\CBS\CBS.log”) for further clues.
Can you make a blog post on security keys and how Microsoft has a huge flaw in the email sign-in page compared to Google’s security key setup for accounts?