Microsoft Patches RDS Vulnerability Allowing WannaCry-Like Attacks

Microsoft’s Patch Tuesday updates for May 2019 address nearly 80 vulnerabilities, including a zero-day and a flaw that can be exploited by malware to spread similar to the way the notorious WannaCry did back in 2017.

The zero-day vulnerability, tracked as CVE-2019-0863, is a privilege escalation issue related to the way the Windows Error Reporting (WER) system handles files. Exploitation requires low-privileged access to the targeted system.

A researcher from Palo Alto Networks and an individual who uses the online moniker “Polar Bear” have been credited by Microsoft for reporting the vulnerability. Palo Alto Networks has told SecurityWeek that it cannot share any information about the attacks at this time.

Microsoft has also patched CVE-2019-0708, a remote code execution vulnerability in Remote Desktop Services (RDS), formerly known as Terminal Services. The flaw can be triggered by an unauthenticated attacker by connecting to the targeted system via the Remote Desktop Protocol (RDP) and sending specially crafted requests. The company has pointed out that RDP itself is not vulnerable.

Microsoft says it’s important that patches for this vulnerability are installed as soon as possible due to the fact that it can be exploited without authentication and without user interaction.

“The vulnerability is ‘wormable’, meaning that any future malware that exploits this vulnerability could propagate from vulnerable computer to vulnerable computer in a similar way as the WannaCry malware spread across the globe in 2017,” said Simon Pope, Director of Incident Response at the Microsoft Security Response Center (MSRC). “While we have observed no exploitation of this vulnerability, it is highly likely that malicious actors will write an exploit for this vulnerability and incorporate it into their malware.”

The security hole does not impact Windows 8 and Windows 10, but it poses a serious risk for organizations using older versions of the operating system, including industrial facilities.

Industrial cybersecurity firm CyberX told SecurityWeek that it has analyzed traffic from over 850 operational technology (OT) networks worldwide and found that 53 percent of industrial sites still house devices running unsupported versions of Windows. Many of these devices are likely vulnerable to the type of attack described by Microsoft.

“The problem stems from the fact that patching computers in industrial control networks is challenging because they often operate 24×7 controlling large-scale physical processes like oil refining and electricity generation. For companies that can’t upgrade, we recommend implementing compensating controls such as network segmentation and continuous network monitoring,” said Phil Neray, VP of Industrial Cybersecurity at CyberX.

Microsoft on Tuesday also released patches for a new class of vulnerabilities affecting Intel processors. The flaws have been dubbed by researchers ZombieLoad, RIDL, and Fallout, and their official name is Microarchitectural Data Sampling (MDS). The vulnerabilities can allow malware to obtain sensitive information from applications, the operating system, virtual machines and trusted execution environments.

Of all the vulnerabilities resolved on Tuesday by Microsoft, 22 have been rated “critical,” and one, an information disclosure flaw affecting Skype for Android, had been publicly disclosed before a fix was released.

Adobe’s Patch Tuesday updates for May 2019 address over 80 vulnerabilities in Acrobat products and one critical flaw in Flash Player.

Related: Microsoft Patches Internet Explorer Zero-Day Reported by Google

Related: Microsoft Patches Two Windows Flaws Exploited in Targeted Attacks