Microsoft just warned of a wormable Windows bug that could lead to another WannaCry - a malware that shut down computers across the globe in 2017 - unless people patch a high-severity vulnerability.
What is it?
Named CVE-2019-0708, the vulnerability “is pre-authentication and requires no user interaction,” said Simon Pope, director of incident response at the Microsoft Security Response Center. “In other words, the vulnerability is ‘wormable,’ meaning that any future malware that exploits this vulnerability could propagate from vulnerable computer to vulnerable computer in a similar way as the WannaCry malware spread across the globe in 2017. While we have observed no exploitation of this vulnerability, it is highly likely that malicious actors will write an exploit for this vulnerability and incorporate it into their malware.”
“Exploitation of the vulnerability, as described in the advisory, would simply require someone to send specific packets over the network to a vulnerable system that has the RDP service available,” said Brian Bartholomew, a senior security researcher on Kaspersky Lab’s Global Research and Analysis Team. “In the past, exploits for this service have been pretty easy to craft once the patch is reversed. My best guess is that someone will release an exploit for this in the next few days.”
As if a self-replicating, code-execution vulnerability wasn’t bad enough, CVE-2019-0708, as the flaw in Windows Remote Desktop Services is indexed, requires low complexity to exploit. Microsoft’s Common Vulnerability Scoring System Calculator scores that complexity as 3.9 out of 10.
Who will this affect?
Besides Windows 2003 and XP, CVE-2019-0708 also affects Windows 7, Windows Server 2008 R2, and Windows Server 2008. In a testament to Microsoft’s steadily improving security, later versions of Windows aren’t at risk.
What should I do?
"Network firewalls and other defenses that block the RDP service would effectively stop the attack from happening."
The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the Microsoft Security Advisory and Microsoft Customer Guidance for CVE-2019-0708 and apply the necessary updates.
The subtext is that, while anyone still using a vulnerable version of Windows should patch immediately, the smarter long-term move is to upgrade to Windows 8 or 10 in the near future.
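The advice above comes down to three checks for any Windows host: is it one of the affected versions, has the update been applied, and is RDP reachable from the network or blocked by a firewall. The PowerShell script below is an added example for administrators, not code from the article, from Microsoft or from CISA. It assumes Windows PowerShell 2.0 or later on the Windows 7 / Server 2008 (R2) family and an elevated prompt; the KB identifier of the fix is not stated in the article, so `$PatchKB` is a placeholder to be filled in from the Microsoft Security Advisory, and `Get-RdpExposure`, `Add-RdpBlockRule` and the firewall rule name are names chosen here.

```powershell
<#
  Added example (not from the article, Microsoft or CISA): audit one Windows host for
  CVE-2019-0708 exposure and, on request, add the firewall block the article mentions.
  Assumptions: Windows PowerShell 2.0+ on Windows 7 / Server 2008 (R2); run as
  Administrator; netsh advfirewall is absent on XP / Server 2003, so the firewall
  checks only apply to the newer affected versions.
#>

# PLACEHOLDER: copy the real KB identifier from the Microsoft Security Advisory.
$PatchKB = 'KB<number-from-advisory>'

# Name chosen for this example; any name works, but it must match in both functions.
$BlockRuleName = 'Block inbound RDP (CVE-2019-0708)'

function Get-RdpExposure {
    param([string]$PatchKB, [string]$BlockRuleName)

    # 1. Is this one of the affected OS families the article lists?
    #    Win32_OperatingSystem.Caption reads e.g. "Microsoft Windows 7 Professional".
    $os = Get-WmiObject -Class Win32_OperatingSystem
    $affectedNames = 'Windows XP', 'Windows Server 2003', 'Windows 7', 'Windows Server 2008'
    $isAffectedVersion = [bool]($affectedNames | Where-Object { $os.Caption -like "*$_*" })

    # 2. Is the fix installed? Get-HotFix enumerates installed updates by KB id.
    $isPatched = [bool](Get-HotFix | Where-Object { $_.HotFixID -eq $PatchKB })

    # 3. Is Remote Desktop enabled, and on which port does the listener run?
    #    fDenyTSConnections = 0 means connections are allowed; the port defaults to 3389
    #    but can be changed, so read it rather than hard-coding it.
    $ts = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $rdpEnabled = ($ts.fDenyTSConnections -eq 0)
    $rdpPort = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp').PortNumber

    # 4. Is something actually listening on that port? netstat exists on every version in scope.
    $pattern = ':{0}\s+\S+\s+LISTENING' -f $rdpPort
    $isListening = [bool](netstat -an | Select-String -Pattern $pattern)

    # 5. Is our inbound block rule present? netsh prints "No rules match the specified
    #    criteria." when the named rule does not exist.
    $ruleOut = (netsh advfirewall firewall show rule name="$BlockRuleName") | Out-String
    $isBlocked = -not ($ruleOut -match 'No rules match')

    # Exposed only if every link in the chain holds: affected, unpatched, RDP up and reachable.
    $exposed = $isAffectedVersion -and (-not $isPatched) -and $rdpEnabled -and $isListening -and (-not $isBlocked)

    New-Object PSObject -Property @{
        Host              = $env:COMPUTERNAME
        OS                = $os.Caption
        AffectedVersion   = $isAffectedVersion
        PatchInstalled    = $isPatched
        RdpEnabled        = $rdpEnabled
        RdpPort           = $rdpPort
        RdpListening      = $isListening
        FirewallBlockRule = $isBlocked
        Exposed           = $exposed
    }
}

function Add-RdpBlockRule {
    # Mitigation from the article: block the RDP service at the firewall until the
    # update is applied. Blocks inbound TCP on the configured RDP port only.
    param([string]$BlockRuleName, [int]$Port)
    netsh advfirewall firewall add rule name="$BlockRuleName" dir=in action=block protocol=TCP localport=$Port
}

# Usage: report first; add the block rule only where the host is actually exposed.
$report = Get-RdpExposure -PatchKB $PatchKB -BlockRuleName $BlockRuleName
$report | Format-List
if ($report.Exposed) {
    Write-Warning "Host is exposed to CVE-2019-0708; blocking inbound RDP until the update is installed."
    Add-RdpBlockRule -BlockRuleName $BlockRuleName -Port $report.RdpPort
}
```

The block rule is a stopgap, not a substitute for the update: it closes the network path the article describes while leaving the vulnerable service in place, so the `PatchInstalled` field should be the one that eventually turns true. Run the audit again after patching and remove the rule with `netsh advfirewall firewall delete rule name="Block inbound RDP (CVE-2019-0708)"` once RDP access is needed.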
Microsoft credited the UK's National Cyber Security Centre for privately reporting the vulnerability. While Microsoft said it hasn’t observed any exploits in the wild, it remains unclear precisely how a vulnerability this old and this severe was identified only now.
“It does make one ask, how did they find it in the first place?” Kaspersky Lab’s Bartholomew said. “Did they see this in attacks elsewhere? Was this an old exploit that was used by friendly governments in the past and it’s run its course now? Did this exploit get leaked somehow and they're being proactive? Of course, we will probably never know the real answer, and honestly it’s all speculation at this point, but there may be something here to dig on.”