
Microsoft Patches RDS Vulnerability Allowing WannaCry-Like Attacks

Microsoft’s Patch Tuesday updates for May 2019 address nearly 80 vulnerabilities, including a zero-day that is already being exploited and a pre-authentication Remote Desktop Services flaw that malware could use to spread from machine to machine, in the way the notorious WannaCry did in 2017.

The zero-day vulnerability, tracked as CVE-2019-0863 and reported by Microsoft as exploited in the wild, is a privilege escalation issue in the way the Windows Error Reporting (WER) system handles files. Exploitation requires the attacker to already have low-privileged code execution on the targeted system; it is a local escalation, not a remote entry point.

A researcher from Palo Alto Networks and an individual who uses the online moniker “Polar Bear” have been credited by Microsoft for reporting the vulnerability. Palo Alto Networks has told SecurityWeek that it cannot share any information about the attacks at this time.

Microsoft has also patched CVE-2019-0708, a remote code execution vulnerability in Remote Desktop Services (RDS), formerly known as Terminal Services. An unauthenticated attacker can trigger the flaw by connecting to the targeted system over the Remote Desktop Protocol (RDP) and sending specially crafted requests during connection setup, before any credentials are checked. Microsoft has pointed out that the RDP protocol itself is not vulnerable; the bug is in the service that handles the connection.

Microsoft says it is important that patches for this vulnerability are installed as soon as possible, because it can be exploited without authentication and without user interaction. For systems that cannot be patched immediately, Microsoft’s advisory lists two compensating measures: enable Network Level Authentication (NLA), which forces the client to authenticate before the vulnerable session setup is reached, and block TCP port 3389 at the perimeter so RDP is not reachable from untrusted networks. NLA only raises the bar, however; an attacker who holds valid credentials can still authenticate and then trigger the flaw.

“The vulnerability is ‘wormable’, meaning that any future malware that exploits this vulnerability could propagate from vulnerable computer to vulnerable computer in a similar way as the WannaCry malware spread across the globe in 2017,” said Simon Pope, Director of Incident Response at the Microsoft Security Response Center (MSRC). “While we have observed no exploitation of this vulnerability, it is highly likely that malicious actors will write an exploit for this vulnerability and incorporate it into their malware.”

The security hole does not affect Windows 8 and Windows 10. It does affect Windows 7, Windows Server 2008 and Windows Server 2008 R2, and Microsoft took the unusual step of also releasing fixes for the out-of-support Windows XP and Windows Server 2003. The flaw therefore poses a serious risk for organizations that still depend on older versions of the operating system, including industrial facilities.

Industrial cybersecurity firm CyberX told SecurityWeek that it has analyzed traffic from over 850 operational technology (OT) networks worldwide and found that 53 percent of industrial sites still house devices running unsupported versions of Windows. Many of these devices are likely vulnerable to the type of attack described by Microsoft.

“The problem stems from the fact that patching computers in industrial control networks is challenging because they often operate 24×7 controlling large-scale physical processes like oil refining and electricity generation. For companies that can’t upgrade, we recommend implementing compensating controls such as network segmentation and continuous network monitoring,” said Phil Neray, VP of Industrial Cybersecurity at CyberX.
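The “continuous network monitoring” that CyberX recommends above can be made concrete. The following is an added example written for this article, not code from Microsoft, CyberX or SecurityWeek: it runs two detections over connection records of the kind exported from a firewall or a NetFlow collector. The first flags RDP (TCP/3389) sessions into the OT address range that do not originate from an approved jump host; the second flags one source opening RDP to many distinct hosts within a short window, which is how a worm exploiting an unauthenticated RDS flaw would look on the wire. The OT subnet, the jump-host addresses, the thresholds and the log lines themselves are all constructed assumptions that a site would replace with its own values.

```python
"""
Detect worm-like RDP propagation and unauthorized RDP access into an OT
segment from connection records (e.g. exported NetFlow or firewall logs).

Added example for this article; not code from Microsoft, CyberX or
SecurityWeek. The log lines are constructed, and the OT subnet, jump-host
addresses and thresholds are assumptions a site would tune to its network.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

RDP_PORT = 3389
# Assumed OT address space and the only hosts allowed to open RDP into it.
OT_NETWORK = ip_network("10.20.0.0/16")
ALLOWED_RDP_SOURCES = {ip_address("10.1.5.10"), ip_address("10.1.5.11")}
# One source reaching this many distinct RDP targets inside the window looks
# like scanning or propagation, not an operator session.
FANOUT_THRESHOLD = 5
FANOUT_WINDOW = 60.0  # seconds

# Constructed records: "epoch_seconds,src,dst,dst_port,proto"
SAMPLE_LOG = """\
1000.0,10.1.5.10,10.20.1.15,3389,tcp
1001.0,10.1.9.77,10.20.1.15,3389,tcp
1002.0,10.20.3.40,10.20.3.41,3389,tcp
1003.0,10.20.3.40,10.20.3.42,3389,tcp
1004.0,10.20.3.40,10.20.3.43,3389,tcp
1005.0,10.20.3.40,10.20.3.44,3389,tcp
1006.0,10.20.3.40,10.20.3.45,3389,tcp
1100.0,10.20.3.40,10.20.3.46,3389,tcp
1007.0,10.1.9.77,10.20.1.16,502,tcp
"""


def parse_flows(text):
    """Parse CSV-style records into (ts, src, dst, dport, proto) tuples."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport, proto = line.split(",")
        flows.append((float(ts), src, dst, int(dport), proto.lower()))
    return flows


def rdp_flows(flows):
    """Keep only TCP flows to the RDP port."""
    return [f for f in flows if f[4] == "tcp" and f[3] == RDP_PORT]


def unauthorized_ot_rdp(flows):
    """Map each non-approved source that opened RDP to an OT host onto the
    sorted list of OT hosts it touched."""
    hits = defaultdict(set)
    for _, src, dst, _, _ in rdp_flows(flows):
        if ip_address(dst) in OT_NETWORK and ip_address(src) not in ALLOWED_RDP_SOURCES:
            hits[src].add(dst)
    return {src: sorted(dsts) for src, dsts in hits.items()}


def rdp_fanout(flows, threshold=FANOUT_THRESHOLD, window=FANOUT_WINDOW):
    """Return {src: (alert_ts, targets)} for sources that reached at least
    `threshold` distinct RDP targets within any `window`-second span.
    Alerts once per source, at the moment the threshold is first crossed."""
    recent = defaultdict(list)  # src -> [(ts, dst), ...] inside the window
    alerts = {}
    for ts, src, dst, _, _ in sorted(rdp_flows(flows), key=lambda f: f[0]):
        bucket = recent[src]
        bucket.append((ts, dst))
        # Records are processed in time order, so evict from the front.
        while bucket and ts - bucket[0][0] > window:
            bucket.pop(0)
        targets = {d for _, d in bucket}
        if len(targets) >= threshold and src not in alerts:
            alerts[src] = (ts, sorted(targets))
    return alerts


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_LOG)
    for src, dsts in unauthorized_ot_rdp(flows).items():
        print(f"RDP into OT from non-jump host {src}: {', '.join(dsts)}")
    for src, (ts, targets) in rdp_fanout(flows).items():
        print(f"RDP fan-out from {src} at t={ts}: {len(targets)} targets {targets}")
```

The fan-out rule deliberately counts distinct destinations rather than raw connection attempts, so an operator reconnecting to one HMI several times does not trip it, while a scanner walking a /24 does. On a real OT network the allowlist would come from the site’s jump-host inventory, and the window and threshold would be tuned against a baseline of normal engineering traffic before alerts are routed to responders.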

Microsoft on Tuesday also released patches for a new class of vulnerabilities affecting Intel processors. Researchers have dubbed the flaws ZombieLoad, RIDL and Fallout; their official name is Microarchitectural Data Sampling (MDS). The vulnerabilities can allow malware to obtain sensitive information from applications, the operating system, virtual machines and trusted execution environments. Note that the Windows update alone is not sufficient: MDS mitigations require the updated Intel microcode as well as the operating system changes, so firmware or microcode updates from the hardware vendor must also be applied.

Of all the vulnerabilities resolved on Tuesday by Microsoft, 22 have been rated “critical,” and one, an information disclosure flaw affecting Skype for Android, had been publicly disclosed before a fix was released.

Adobe’s Patch Tuesday updates for May 2019 address over 80 vulnerabilities in Acrobat products and one critical flaw in Flash Player.

Related: Microsoft Patches Internet Explorer Zero-Day Reported by Google

Related: Microsoft Patches Two Windows Flaws Exploited in Targeted Attacks

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
