Microsoft Pushes Its May Patches To Stop RDS Worm
Microsoft recently urged organizations to install its May security patches to prevent attackers from exploiting a "wormable" vulnerability (CVE-2019-0708) in Remote Desktop Services (RDS).
The vulnerability, which could enable remote code execution by attackers, is only present in older systems, such as Windows 7, Windows Server 2008 and Windows Server 2008 R2. However, Microsoft took a rare action and also issued downloadable patches for unsupported Windows systems, namely Windows XP and Windows 2003.
In its Thursday announcement, Microsoft suggested that an RDS exploit likely exists, and it could spread rapidly across networks, much like the infamous WannaCry wiper malware.
Here's the current state of the threat, as described by Simon Pope, director of incident response at the Microsoft Security Response Center:
Microsoft is confident that an exploit exists for this vulnerability, and if recent reports are accurate, nearly one million computers connected directly to the internet are still vulnerable to CVE-2019-0708. Many more within corporate networks may also be vulnerable. It only takes one vulnerable computer connected to the internet to provide a potential gateway into these corporate networks, where advanced malware could spread, infecting computers across the enterprise.
Security researcher Kevin Beaumont has been tracking attempts to exploit the vulnerability, which he called "BlueKeep." In a Twitter post, he suggested that no public exploit had been found in the wild at that time. However, he also noted that security researchers at McAfee had shown a proof-of-concept that ran the Calculator program (a common test for executing code).
McAfee researchers confirmed that Microsoft's RDS patches will ward off the exploits. They recommended disabling the Remote Desktop Protocol entirely if it's not needed, but it should at least be disabled "from outside of your network and limit it internally." McAfee also recommended blocking MS_T120 client requests "on any channel other than 31." It's possible to change the Remote Desktop Protocol default port, but unpatched systems would still be vulnerable, according to McAfee.
Kurt Mackie is senior news producer for 1105 Media's Converge360 group.