PATCH NOW!

Microsoft warns wormable Windows bug could lead to another WannaCry

Company takes the unusual step of patching Windows Server 2003 and XP. Windows 7, Server 2008, and Server 2008 R2 are also vulnerable.

Dan Goodin
Credit: Pixabay

Microsoft is warning that the Internet could see another exploit with the magnitude of the WannaCry attack that shut down computers all over the world two years ago unless people patch a high-severity vulnerability. The software maker took the unusual step of backporting the just-released patch to Windows Server 2003 and Windows XP, which haven’t been supported in four and five years, respectively.

“This vulnerability is pre-authentication and requires no user interaction,” Simon Pope, director of incident response at the Microsoft Security Response Center, wrote in a published post that coincided with the company’s May Update Tuesday release. “In other words, the vulnerability is ‘wormable,’ meaning that any future malware that exploits this vulnerability could propagate from vulnerable computer to vulnerable computer in a similar way as the WannaCry malware spread across the globe in 2017. While we have observed no exploitation of this vulnerability, it is highly likely that malicious actors will write an exploit for this vulnerability and incorporate it into their malware.”

As if a self-replicating, code-execution vulnerability wasn’t serious enough, CVE-2019-0708, as the flaw in Windows Remote Desktop Services is indexed, requires low complexity to exploit. Under version 3.0 of the Common Vulnerability Scoring System, Microsoft rates the attack complexity as "Low," which pushes the exploitability subscore to 3.9, the highest value the formula can produce; the full base score is 9.8 out of 10. (To be clear, the WannaCry developers had potent exploit code written by, and later stolen from, the National Security Agency, to exploit the wormable CVE-2017-0144 and CVE-2017-0145 flaws, which had exploit complexities rated as "High.") The upshot is that developing reliable exploit code for this latest Windows vulnerability is expected to require relatively little work.
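The arithmetic behind those two complexity ratings, worked through in code. This is an added example, not part of the original article and not Microsoft's or NVD's tooling; it implements the published CVSS v3.0 base-score equations for scope-unchanged vectors and feeds them the vectors NVD records for CVE-2019-0708 and CVE-2017-0144, which are identical (network, no privileges, no user interaction, high impact on all three of confidentiality, integrity and availability) except for the attack-complexity metric.

```python
import math

# CVSS v3.0 base-metric weights (FIRST CVSS v3.0 specification, section 8.4).
# Only scope-unchanged (S:U) vectors are handled, so the PR weights are the
# unchanged-scope values.
WEIGHTS = {
    "AV": {"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.20},
    "AC": {"L": 0.77, "H": 0.44},
    "PR": {"N": 0.85, "L": 0.62, "H": 0.27},
    "UI": {"N": 0.85, "R": 0.62},
    "C":  {"H": 0.56, "L": 0.22, "N": 0.0},
    "I":  {"H": 0.56, "L": 0.22, "N": 0.0},
    "A":  {"H": 0.56, "L": 0.22, "N": 0.0},
}

# Vectors as recorded by NVD for the two CVEs the article compares.
BLUEKEEP = "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"   # CVE-2019-0708
ETERNALBLUE = "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"  # CVE-2017-0144


def roundup(x):
    """CVSS v3.0 Roundup: the smallest one-decimal value that is >= x."""
    return math.ceil(x * 10) / 10


def parse_vector(vector):
    """'CVSS:3.0/AV:N/AC:L/...' -> {'AV': 'N', 'AC': 'L', ...}."""
    parts = vector.split("/")
    if parts[0] != "CVSS:3.0":
        raise ValueError("expected a CVSS:3.0 vector")
    return dict(part.split(":") for part in parts[1:])


def score(vector):
    """Return exploitability and impact subscores plus the base score.

    Subscores are rounded to one decimal the way NVD displays them; the base
    score uses the specification's Roundup function."""
    m = parse_vector(vector)
    if m["S"] != "U":
        raise NotImplementedError("scope-changed vectors are not handled here")
    exploitability = (8.22 * WEIGHTS["AV"][m["AV"]] * WEIGHTS["AC"][m["AC"]]
                      * WEIGHTS["PR"][m["PR"]] * WEIGHTS["UI"][m["UI"]])
    iss = 1 - ((1 - WEIGHTS["C"][m["C"]]) * (1 - WEIGHTS["I"][m["I"]])
               * (1 - WEIGHTS["A"][m["A"]]))
    impact = 6.42 * iss
    base = 0.0 if impact <= 0 else roundup(min(impact + exploitability, 10))
    return {"exploitability": round(exploitability, 1),
            "impact": round(impact, 1),
            "base": base}


def compare(vector_a, vector_b):
    """Side-by-side scores for two vectors; the caller reads the difference."""
    return {vector_a: score(vector_a), vector_b: score(vector_b)}


if __name__ == "__main__":
    for vector, result in compare(BLUEKEEP, ETERNALBLUE).items():
        print(vector, result)
```

The only weight that differs between the two vectors is AC (0.77 for Low versus 0.44 for High), and that single factor moves the exploitability subscore from 3.9 to 2.2 and the base score from 9.8 to 8.1. The 3.9 is a ceiling: every other exploitability metric in the BlueKeep vector is already at its maximum weight.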

“Exploitation of the vulnerability, as described in the advisory, would simply require someone to send specific packets over the network to a vulnerable system that has the RDP service available,” Brian Bartholomew, a senior security researcher on Kaspersky Lab’s Global Research and Analysis Team, told Ars in an email. “In the past, exploits for this service have been pretty easy to craft once the patch is reversed. My best guess is that someone will release an exploit for this in the next few days.”

Bartholomew said network firewalls and other defenses that block the RDP service would effectively stop the attack from happening. But as the world learned during WannaCry, a perimeter block stops only the first hop: once a single machine inside a flat network is infected, the worm reaches its neighbors directly, and the collective damage ran to billions of dollars.

Independent researcher Kevin Beaumont, citing queries on the Shodan search engine of Internet-connected computers, said that about 3 million RDP endpoints are directly exposed.

Tod Beardsley, director of research at security firm Rapid7, said an alternate Internet scanner, BinaryEdge, shows an estimated 16 million endpoints exposed to the Internet on TCP port 3389, the standard RDP port, and on 3388, a commonly used alternate.

"A pre-authentication RCE in RDP is a pretty big deal," Beardsley wrote in an email. "While we are often giving the standard advice of not exposing RDP to the Internet, many still do (usually by accident). Much of the attack traffic we see against RDP appears to be directed specifically at point-of-sale systems, so I expect there are a fair number of out-of-support cash registers with RDP exposed to the internet."

A different security company, CyberX, analyzed traffic from 850 operational technology systems, which are used to manage factory production lines, gas monitoring, and other types of industrial operations. Researchers found that 53 percent of them run unsupported versions of Windows, many of which are likely affected by the just-patched vulnerability. The failure to upgrade stems from the difficulty of taking computers offline in mission-critical environments that operate continuously. Phil Neray, VP of industrial cybersecurity at Boston-based CyberX, said a stop-gap measure for these companies is implementing compensating controls such as network segmentation and continuous network monitoring.
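The exposure checks the preceding paragraphs describe (Shodan and BinaryEdge counting listeners on 3389, and the segmentation stop-gap for OT networks) can be reproduced against your own address space with nothing more than the first packet of an ordinary RDP connection. The following is an added example, not code from the article or from any of the researchers quoted: it builds the X.224 Connection Request with an RDP_NEG_REQ as specified in MS-RDPBCGR, asking only for standard RDP security, and parses the Connection Confirm to learn whether the host completes the negotiation with an unauthenticated client, requires TLS, or requires Network Level Authentication (which Microsoft's advisory for CVE-2019-0708 lists as a partial mitigation because the vulnerable code is reached only after authentication). The sample replies at the bottom are constructed, not captured, and the `probe` function is the only part that touches the network; scan only hosts you are authorized to test.

```python
import socket
import struct

# Negotiation structures and codes from MS-RDPBCGR sections 2.2.1.1 and 2.2.1.2.
TYPE_RDP_NEG_REQ = 0x01
TYPE_RDP_NEG_RSP = 0x02
TYPE_RDP_NEG_FAILURE = 0x03

PROTOCOL_RDP = 0x00000000     # standard RDP security: no TLS, no NLA
PROTOCOL_SSL = 0x00000001
PROTOCOL_HYBRID = 0x00000002  # CredSSP, i.e. Network Level Authentication

FAILURE_CODES = {
    0x01: "SSL_REQUIRED_BY_SERVER",
    0x02: "SSL_NOT_ALLOWED_BY_SERVER",
    0x03: "SSL_CERT_NOT_ON_SERVER",
    0x04: "INCONSISTENT_FLAGS",
    0x05: "HYBRID_REQUIRED_BY_SERVER",
    0x06: "SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER",
}


def build_connection_request(requested_protocols=PROTOCOL_RDP):
    """TPKT header + X.224 Connection Request TPDU + RDP_NEG_REQ.

    Requesting only PROTOCOL_RDP makes the server's answer tell us whether it
    will talk to an unauthenticated client or insists on TLS/NLA first."""
    neg_req = struct.pack("<BBHI", TYPE_RDP_NEG_REQ, 0, 8, requested_protocols)
    # X.224 CR TPDU: LI (bytes after it), code 0xE0, DST-REF, SRC-REF, class
    x224 = struct.pack(">BBHHB", 6 + len(neg_req), 0xE0, 0, 0, 0) + neg_req
    tpkt = struct.pack(">BBH", 3, 0, 4 + len(x224))
    return tpkt + x224


def parse_connection_confirm(data):
    """Parse TPKT + X.224 Connection Confirm, with or without RDP_NEG data."""
    if len(data) < 11:
        raise ValueError("short packet")
    version, _, length = struct.unpack(">BBH", data[:4])
    if version != 3 or length > len(data):
        raise ValueError("bad or truncated TPKT header")
    li, code = data[4], data[5]
    if code & 0xF0 != 0xD0:
        raise ValueError("not an X.224 Connection Confirm")
    result = {"negotiation": None, "selected_protocol": None, "failure_code": None}
    body = data[11:5 + li]          # whatever follows the 6 fixed CC bytes
    if len(body) >= 8:
        ntype, _flags, _nlen, value = struct.unpack("<BBHI", body[:8])
        if ntype == TYPE_RDP_NEG_RSP:
            result["negotiation"] = "response"
            result["selected_protocol"] = value
        elif ntype == TYPE_RDP_NEG_FAILURE:
            result["negotiation"] = "failure"
            result["failure_code"] = FAILURE_CODES.get(value, hex(value))
    return result


def classify(parsed):
    """Exposure verdict for one host from its parsed Connection Confirm."""
    if parsed["negotiation"] == "failure":
        if parsed["failure_code"] == "HYBRID_REQUIRED_BY_SERVER":
            return "nla-required"
        return "negotiation-refused:" + parsed["failure_code"]
    if parsed["negotiation"] == "response":
        if parsed["selected_protocol"] == PROTOCOL_RDP:
            return "standard-rdp-accepted"      # pre-auth RDP stack reachable
        return "protocol-%d" % parsed["selected_protocol"]
    # No RDP_NEG_RSP at all: a server that predates protocol negotiation
    # (the XP/2003-era stack behaves this way) and speaks standard RDP only.
    return "legacy-no-negotiation"


def probe(host, port=3389, timeout=5.0):
    """Live check of one host. Not exercised by the offline sample data."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_connection_request())
        data = sock.recv(4)
        if len(data) < 4:
            raise ValueError("no TPKT header in reply")
        total = struct.unpack(">H", data[2:4])[0]
        while len(data) < total:
            chunk = sock.recv(total - len(data))
            if not chunk:
                break
            data += chunk
    return classify(parse_connection_confirm(data))


def sample_reply(kind):
    """Constructed Connection Confirm packets for offline use (not captures)."""
    neg = {
        "legacy": b"",
        "rdp": struct.pack("<BBHI", TYPE_RDP_NEG_RSP, 0, 8, PROTOCOL_RDP),
        "tls": struct.pack("<BBHI", TYPE_RDP_NEG_FAILURE, 0, 8, 0x01),
        "nla": struct.pack("<BBHI", TYPE_RDP_NEG_FAILURE, 0, 8, 0x05),
    }[kind]
    x224 = struct.pack(">BBHHB", 6 + len(neg), 0xD0, 0, 0x1234, 0) + neg
    return struct.pack(">BBH", 3, 0, 4 + len(x224)) + x224
```

A verdict of "standard-rdp-accepted" or "legacy-no-negotiation" means an unauthenticated client reaches the full RDP stack, which is the exposure the scanner counts above measure; "nla-required" narrows the attack to clients holding valid credentials but does not remove the need for the patch, so treat it as a compensating control alongside the firewall and segmentation measures Bartholomew and Neray describe, not as a substitute for updating.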

What versions are vulnerable?

Besides Windows Server 2003 and XP, CVE-2019-0708 also affects Windows 7, Windows Server 2008 R2, and Windows Server 2008. In a testament to Microsoft’s steadily improving security, later versions of Windows aren’t at risk.

“Customers running Windows 8 and Windows 10 are not affected by this vulnerability, and it is no coincidence that later versions of Windows are unaffected,” Pope wrote. “Microsoft invests heavily in strengthening the security of its products, often through major architectural improvements that are not possible to backport to earlier versions of Windows.”

The subtext is that, while anyone still using a vulnerable version of Windows should patch immediately, the smarter long-term move is to upgrade to Windows 8 or 10 in the near future.

Microsoft credited the UK's National Cyber Security Centre for privately reporting the vulnerability. While Microsoft said it hasn’t observed any exploits in the wild, it remains unclear precisely how a vulnerability this old and this severe was identified only now.

“It does make one ask, how did they find it in the first place?” Kaspersky Lab’s Bartholomew said. “Did they see this in attacks elsewhere? Was this an old exploit that was used by friendly governments in the past and it’s run its course now? Did this exploit get leaked somehow and they're being proactive? Of course, we will probably never know the real answer, and honestly it’s all speculation at this point, but there may be something here to dig on.”

Post updated to add comments from Rapid7's Beardsley and to correct scoring system.

Dan Goodin Senior Security Editor
Dan Goodin is Senior Security Editor at Ars Technica, where he oversees coverage of malware, computer espionage, botnets, hardware hacking, encryption, and passwords. In his spare time, he enjoys gardening, cooking, and following the independent music scene. Dan is based in San Francisco. Follow him at @dangoodin on Mastodon. Contact him on Signal at DanArs.82.