Why You Need to Be Concerned About Microsoft’s Latest Vulnerability

In 2017 we said, "By now everyone knows about WannaCry and the problem with unpatched systems. But, what happens when the next Windows vulnerability is released, and no patch is issued on an end-of-life product?" That moment might have arrived.


According to a security advisory published by Microsoft on May 14th, 2019, CVE-2019-0708 affects Remote Desktop Services (formerly Terminal Services). It is more likely to be exploitable on older versions of Windows (various 32-bit and x64 versions of Windows 7 and Windows Server 2008), is reachable over the RDP protocol without authentication or user interaction, and is rated High to Critical in severity (CVSS scoring). Microsoft issued updates for all affected systems, including Windows XP and Windows Server 2003, saying that this vulnerability “...could propagate from vulnerable computer to vulnerable computer in a similar way as the WannaCry malware spread across the globe in 2017.”


Remote Desktop Services is a critical tool used by IT teams to interact with remote Windows workstations and servers. Restricting or disabling it is a security best practice. According to Microsoft, the vulnerability does not require authentication or user-interaction to exploit, which makes it much easier to execute a stealthy remote attack successfully.


Similarities to the WannaCry Outbreak

This latest vulnerability and Microsoft’s rapid response are eerily similar to the events surrounding the outbreak of WannaCry. ICYMI, WannaCry devastated businesses around the world, causing billions of dollars in damage. enSilo protected against WannaCry out of the box.


One of the primary reasons why WannaCry spread so quickly was the gap between when exploits became available, and the time it took to secure vulnerable Windows workstations and servers either by restricting SMB-based communications or installing patches.


enSilo issued the following warning in 2017 during the WannaCry outbreak: “By now everyone knows about WannaCry and the problem with unpatched systems. But what happens when the next Windows vulnerability is released, and no patch is issued on an end-of-life product?” Well, that moment has partially arrived. The vulnerability is out there; the difference this time is that patches are available for both supported and unsupported versions of Windows.


Unsupported Versions of Windows May Be Difficult to Patch

Despite the official end of support for Windows XP and Windows Server 2003 and the lasting effects of the WannaCry outbreak, it’s likely there are still millions of active computers running those versions. They may also sit in hard-to-reach places where it’s difficult to install a patch either automatically or manually, or they may simply have been forgotten and left to run unattended. Either way, WannaCry proved how easy it is to discover these systems. Microsoft is evidently worried about this possibility, given the effort expended in crafting and publishing patches for unsupported versions of Windows. Another moment may have arrived where those systems are once again both vulnerable and difficult to patch, and so represent a severe risk.

Patching Takes Time, Giving Attackers the Advantage

There are many reasons why it takes time to deploy patches successfully, ranging from testing the patch in a lab to ensure it doesn’t break anything, to scheduling installation so that it doesn’t disrupt operations. All of this takes time and resources. Hoping that attackers don’t notice your systems haven’t been patched isn’t a successful strategy. The lesson we can learn from WannaCry and other major malware outbreaks is that immediately implementing additional security controls to prevent and detect attacks is critical.

Conclusion

enSilo recommends either restricting or disabling Remote Desktop Services until patching of all impacted systems is complete. Given that it is a valuable administrative tool and that patching takes time, this is easier said than done. The enSilo Endpoint Security Platform protects “out-of-the-box” against attacks using the RDP protocol to target previous, similar vulnerabilities in Remote Desktop Services. Our Threat Intelligence team is monitoring for new exploits in the wild which target CVE-2019-0708 and researching possible attack methods. At the time of publication of this blog, at least one group claims to have a working exploit for the vulnerability, although it did not provide proof.
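As an added example, not code from the enSilo post or product, the PowerShell script below audits a Windows host for the factors the post raises (an affected OS family, Remote Desktop enabled and listening, and whether a client must authenticate before a session is created) and, with -Restrict, turns Remote Desktop off until the host is patched. The function names Get-RdpExposure and Disable-RdpUntilPatched are assumptions, and the script assumes it runs elevated on the host being checked.

```powershell
# Added example (not from the enSilo post). Run elevated on the host itself.
param([switch]$Restrict)

function Get-RdpExposure {
    $tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $rdpTcp = "$tsKey\WinStations\RDP-Tcp"

    # Major.minor kernel version: 5.1 = XP, 5.2 = Server 2003, 6.0 = Server 2008,
    # 6.1 = Windows 7 / Server 2008 R2. These are the families named in the post.
    $ver = (Get-WmiObject Win32_OperatingSystem).Version -replace '^(\d+\.\d+).*', '$1'
    $affected = @('5.1', '5.2', '6.0', '6.1') -contains $ver

    # fDenyTSConnections = 1 means Remote Desktop is turned off at the OS level.
    $deny = (Get-ItemProperty $tsKey -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
    # UserAuthentication = 1 means Network Level Authentication is required, i.e. the
    # client must authenticate before a session exists. The post stresses that the
    # flaw needs no authentication, so hosts with 0 (or no value) deserve first attention.
    $nla  = (Get-ItemProperty $rdpTcp -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication
    $port = (Get-ItemProperty $rdpTcp -Name PortNumber -ErrorAction SilentlyContinue).PortNumber
    if (-not $port) { $port = 3389 }   # RDP default when the value is absent

    # Is anything actually listening on the configured RDP port?
    $listening = [bool](netstat -an | Select-String "TCP\s+\S+:$port\s+\S+\s+LISTENING")

    # Highest priority: affected family, RDP on and reachable, no NLA.
    $priority = ($affected -and ($deny -ne 1) -and $listening -and ($nla -ne 1))

    New-Object PSObject -Property @{
        Host           = $env:COMPUTERNAME
        OsVersion      = $ver
        AffectedFamily = $affected
        RdpEnabled     = ($deny -ne 1)
        RdpPort        = $port
        Listening      = $listening
        NlaRequired    = ($nla -eq 1)
        PriorityFix    = $priority
    }
}

function Disable-RdpUntilPatched {
    $tsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    Set-ItemProperty $tsKey -Name fDenyTSConnections -Value 1 -Type DWord
    # Firewall step applies to Vista/2008 and later (netsh advfirewall); XP/2003
    # use the older 'netsh firewall' syntax, which this example does not cover.
    netsh advfirewall firewall set rule group="remote desktop" new enable=no | Out-Null
}

$report = Get-RdpExposure
$report | Format-List
if ($Restrict -and $report.RdpEnabled) { Disable-RdpUntilPatched }
```

Run it across the estate (for example via a scheduled task or remote execution tool) and collect the PriorityFix field to decide which hosts to patch or isolate first.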