On Tuesday May 14, 2019, Microsoft released a patch to fix a ‘wormable’ flaw in Windows, similar to the vulnerability that was exploited in the WannaCry ransomware attacks in May 2017.
The flaw is a remote code execution vulnerability in Remote Desktop Services – formerly Terminal Services – that can be exploited via RDP.
The flaw (CVE-2019-0708) can be exploited by sending specially crafted requests via RDP to a vulnerable system. No authentication is required and the flaw can be exploited without any user interaction.
If exploited, malware could propagate from one compromised computer to all other vulnerable computers on a network. If ransomware exploited the vulnerability, healthcare organizations could experience widespread file encryption and major disruption to operations.
Microsoft has not received any reports to suggest the flaw is being actively exploited at present, but it is almost certain that exploits will be developed for the vulnerability and that those exploits will be incorporated into malware.
The vulnerability is not present in Windows 8 and Windows 10, only older Windows versions. However, it is of concern for the healthcare industry as many healthcare organizations are still using older, vulnerable operating systems.
Patches have been released for Windows 7, Windows Server 2008, and Windows Server 2008 R2. The flaw is so serious that Microsoft has taken the unusual step of issuing patches for Windows XP and Windows 2003, even though both operating systems are no longer supported.
A workaround is available for all organizations that use the above operating systems but are not able to apply the patch. In such cases, TCP port 3389 should be blocked and Network Level Authentication should be enabled to prevent the flaw from being exploited. Given the speed at which vulnerabilities are exploited once a patch has been released, it is imperative that the patch or workaround is implemented as a priority.
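The following script, added here as an example and not taken from the article or from Microsoft, audits a Windows 7 / Server 2008 R2 host for the two parts of that workaround and applies them: it requires Network Level Authentication on the RDP-Tcp listener and adds a host-firewall rule blocking inbound TCP 3389. The registry paths and `netsh advfirewall` syntax are standard Windows settings; the firewall rule name is an assumption chosen for this example, and the script must run from an elevated PowerShell session.

```powershell
# Added example: audit and harden a host against CVE-2019-0708 using the
# workaround described above (NLA on, inbound TCP 3389 blocked).
# Assumptions: Windows 7 / Server 2008 R2, run as Administrator.
$TermServerKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$RdpTcpKey     = "$TermServerKey\WinStations\RDP-Tcp"
$RuleName      = 'Block-Inbound-RDP-3389-CVE-2019-0708'   # assumed rule name

function Get-RdpExposure {
    # Snapshot of the settings that decide whether the pre-auth RDP code path
    # is reachable: RDP enabled at all, NLA required, and the port listening.
    $rdpEnabled = (Get-ItemProperty -Path $TermServerKey -Name fDenyTSConnections).fDenyTSConnections -eq 0
    $nla        = (Get-ItemProperty -Path $RdpTcpKey -Name UserAuthentication).UserAuthentication -eq 1
    $listening  = [bool](netstat -ano -p tcp | Select-String ':3389\s+\S+\s+LISTENING')
    [pscustomobject]@{
        RdpEnabled        = $rdpEnabled
        NlaRequired       = $nla
        Port3389Listening = $listening
    }
}

function Enable-RdpNla {
    # Workaround part 1: require NLA so a client must authenticate before the
    # vulnerable Remote Desktop Services code is reached. UserAuthentication=1
    # is the same value the "Allow connections only from computers running
    # Remote Desktop with NLA" checkbox sets in System Properties.
    Set-ItemProperty -Path $RdpTcpKey -Name UserAuthentication -Value 1 -Type DWord
}

function Block-RdpPort {
    # Workaround part 2: block inbound TCP 3389 at the host firewall.
    # netsh advfirewall is used because New-NetFirewallRule does not exist
    # on Windows 7 / Server 2008 R2. Idempotent: the rule is added only once.
    $null = netsh advfirewall firewall show rule name="$RuleName"
    if ($LASTEXITCODE -ne 0) {   # netsh returns non-zero when no rule matches
        netsh advfirewall firewall add rule name="$RuleName" dir=in action=block protocol=TCP localport=3389 | Out-Null
    }
}

$before = Get-RdpExposure
Write-Host "Before:" ; $before | Format-List
if ($before.RdpEnabled -and -not $before.NlaRequired) { Enable-RdpNla }
Block-RdpPort
Write-Host "After:"  ; Get-RdpExposure | Format-List
```

Blocking 3389 at the host removes remote desktop access for administrators as well, so keep an out-of-band management path before rolling this out, and treat it as a stopgap until the patch is installed.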
It was slow patching that allowed the 2017 WannaCry attacks to succeed. Those attacks clearly demonstrated that many organizations are slow to apply patches, even those that address critical and actively exploited vulnerabilities.
The WannaCry attacks occurred in May 2017 yet the patch to address the flaw – MS17-010 – was released by Microsoft in March. Had the patch been applied promptly, the attacks would not have been possible.
The UK’s National Health Service (NHS) was badly affected by WannaCry. Around one third of all NHS Trusts and 8% of GP practices were affected. The attacks cost the NHS an estimated £92 million and resulted in the cancellation of 19,000 appointments. The global cost of WannaCry has been estimated to be $4 billion.
Attacks exploiting CVE-2019-0708 have the potential to be much worse than WannaCry. It is unlikely that malware developed to exploit the vulnerability would contain a kill switch as easily activated as WannaCry's.
In addition to the wormable vulnerability, Microsoft has issued updates to correct a further 21 critical flaws, including one that is being actively exploited and another that was disclosed publicly prior to a patch being released. Patches have also been released to address a new type of vulnerability in Intel processors. The Microarchitectural Data Sampling (MDS) flaws could allow a threat actor to deploy malware that can obtain sensitive data from applications, virtual machines, operating systems and trusted execution environments.