Microsoft usually washes its hands of old versions of Windows. However, on Tuesday it issued fixes for organizations still running Windows Server 2003 and Windows XP to prevent a worm-like attack from spreading around the globe the way Wannacry did in 2017.
“It is important that affected systems are patched as quickly as possible to prevent such a scenario from happening,” the Microsoft security team said in a blog post. “While we have observed no exploitation of this vulnerability, it is highly likely that malicious actors will write an exploit for this vulnerability and incorporate it into their malware.”
The fixes, which are also needed for Windows 7, Windows Server 2008 R2, and Windows Server 2008, cure a critical pre-authentication Remote Code Execution vulnerability, CVE-2019-0708, in Remote Desktop Services, the component that implements the Remote Desktop Protocol (RDP).
They were released as part of the regular monthly Patch Tuesday bundle of security updates.
Wannacry is a piece of ransomware that includes the worm-like ability to leap from one infected computer to another. The SMB vulnerability it exploits was patched in March 2017, in Microsoft Security Bulletin MS17-010, two months before the May 2017 outbreak. Those that didn’t patch fast enough were hit hard, and organizations are still being hit: one security company estimated that over 4 million systems have been victimized in two years.
Researchers said Wannacry is able to spread so quickly because its creators used hacking tools dubbed EternalBlue and EternalRomance, exploits believed to have been stolen from the U.S. National Security Agency.
Fortunately, one security researcher realized that Wannacry checked an unregistered domain before running and registered it, which acted as a kill switch and halted that wave of infections. Still, the door that allows it and similar worms to spread hasn’t been fully shut.
By coincidence, Malwarebytes issued a report Monday estimating that hundreds of thousands of Windows systems are still running unpatched and vulnerable to EternalBlue and EternalRomance. Such vulnerabilities are especially prevalent in countries such as India, Indonesia and Malaysia, it said, “where there is a poor culture of updating and securing computer software.”
Since April 1st alone there have been 430,943 WannaCry detections globally, said Malwarebytes.
Ars Technica quoted one researcher estimating that 3 million RDP endpoints are exposed to the Internet, while another estimated it could be as high as 16 million.
Tod Beardsley, director of research at security firm Rapid7, told Ars that much of the attack traffic it sees against RDP appears to be directed specifically at point-of-sale systems, so he suspects there are many out-of-support cash registers with RDP exposed to the Internet.
Some companies also run servers on operational or industrial control networks with older versions of Windows. Threat researchers at industrial cybersecurity company CyberX analyzed traffic from more than 850 production operational technology (OT) networks worldwide and found that 53 per cent of industrial sites are still running unsupported Windows boxes. Many of them, it said in an email, are likely affected by the Microsoft announcement.
“The problem stems from the fact that patching computers in industrial control networks is challenging because they often operate 24×7 controlling large-scale physical processes like oil refining and electricity generation,” said Phil Neray, CyberX’s vice-president of industrial cybersecurity. “For companies that can’t upgrade, we recommend implementing compensating controls such as network segmentation and continuous network monitoring.”
There is partial mitigation on affected systems that have Network Level Authentication (NLA) enabled, Microsoft said. Because NLA requires the client to authenticate before the vulnerable code can be reached, such systems are protected against ‘wormable’ malware that spreads without credentials. However, they remain vulnerable to Remote Code Execution (RCE) if the attacker holds valid credentials that can be used to authenticate, so NLA is a stopgap for systems awaiting the patch, not a substitute for it.
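The two compensating controls the article mentions, requiring NLA and restricting who can reach the RDP port, can be audited and applied on a single host with the script below. It is an added example written for this page, not code from the article, from Microsoft or from CyberX. It assumes an elevated PowerShell 2.0 or later prompt on Windows 7 / Server 2008 R2 or newer, and the management subnet 10.0.50.0/24 is a placeholder for wherever your jump hosts sit. It deliberately does not try to infer patch status: look up the update for your build in Microsoft’s advisory for CVE-2019-0708 and install it; NLA and segmentation only shrink the attack surface for hosts that cannot take the patch yet.

```powershell
# Added example (not from the article): audit one Windows host for CVE-2019-0708 exposure
# and, with -Enforce, apply the two compensating controls the article mentions.
# Assumptions: elevated PowerShell 2.0+, Windows 7 / Server 2008 R2 or later;
# the management subnet below is a placeholder value.
param(
    [string]$ManagementSubnet = "10.0.50.0/24",   # placeholder: where your jump hosts live
    [switch]$Enforce                               # without this switch, report only
)

$tsRoot = "HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server"
$rdpTcp = Join-Path $tsRoot "WinStations\RDP-Tcp"

# --- 1. Is this one of the OS families the article says need the fix? -------------
$os     = Get-WmiObject Win32_OperatingSystem
$family = ($os.Version -split "\.")[0..1] -join "."       # e.g. "6.1" for Windows 7 / 2008 R2
$affected = @{
    "5.1" = "Windows XP"
    "5.2" = "Windows Server 2003 (and XP x64)"
    "6.0" = "Windows Vista / Server 2008"
    "6.1" = "Windows 7 / Server 2008 R2"
}
$inScope = $affected.ContainsKey($family)

# --- 2. Is Remote Desktop switched on, on which port, and is anything listening? ----
$ts  = Get-ItemProperty -Path $tsRoot
$tcp = Get-ItemProperty -Path $rdpTcp
$rdpEnabled = ($ts.fDenyTSConnections -eq 0)                # 1 = Remote Desktop turned off
$port = if ($tcp.PortNumber) { $tcp.PortNumber } else { 3389 }
# netstat exists on every affected version; Get-NetTCPConnection does not before Windows 8.
$listener = netstat -ano | Where-Object { $_ -match "^\s*TCP\s+\S+:$port\s+\S+\s+LISTENING" }

# --- 3. Is NLA required? UserAuthentication = 1 is the partial mitigation Microsoft describes.
$nla = ($tcp.UserAuthentication -eq 1)

$report = New-Object PSObject -Property @{
    Host            = $env:COMPUTERNAME
    OS              = "$($os.Caption) ($($os.Version))"
    InAffectedSet   = $inScope
    RemoteDesktopOn = $rdpEnabled
    RdpPort         = $port
    Listening       = [bool]$listener
    NlaRequired     = $nla
    # Exposed = the pre-auth code path is reachable: affected build, RDP listening, no NLA
    Exposed         = ($inScope -and [bool]$listener -and -not $nla)
}
$report | Format-List

if (-not $Enforce) { return }

# --- 4. Compensating controls for hosts that cannot take the patch yet --------------
if (-not $nla) {
    # Require NLA for new connections. Existing sessions are untouched; older RDP clients
    # without CredSSP support will no longer be able to connect, so test from a jump host first.
    Set-ItemProperty -Path $rdpTcp -Name UserAuthentication -Value 1 -Type DWord
    Write-Host "NLA now required on $env:COMPUTERNAME"
}

# Host-level segmentation: disable the built-in "Remote Desktop" rules (which allow any
# source) and allow the port only from the management subnet. With the default inbound
# policy of block, every other source is refused before it reaches the RDP listener.
# A scoped allow is used instead of a block rule because Windows Firewall evaluates block
# rules before allow rules, so a broad block would also cut off the jump hosts.
netsh advfirewall firewall set rule group="Remote Desktop" new enable=No | Out-Null
netsh advfirewall firewall delete rule name="RDP from management subnet only" | Out-Null
netsh advfirewall firewall add rule name="RDP from management subnet only" `
    dir=in action=allow protocol=TCP localport=$port remoteip=$ManagementSubnet | Out-Null
Write-Host "Inbound TCP/$port now allowed only from $ManagementSubnet"
```

Run it without switches first and look at the Exposed field; run it again with -Enforce only after confirming that the management subnet is the one your operators actually connect from, since the firewall rule will lock everyone else out of RDP. Confirm the inbound default policy is still block with `netsh advfirewall show allprofiles`, and remember that, as the article notes, NLA does nothing against an attacker who already holds valid credentials.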