Microsoft urges Windows customers to patch wormable RDP flaw


Microsoft has fixed a critical vulnerability in some versions of Windows that can be exploited to create a powerful worm.

The technology giant even took the unusual step of releasing patches for Windows XP and Windows Server 2003, which haven’t been supported in years, because it believes the threat to be very high.

The vulnerability, tracked as CVE-2019-0708, is located in Remote Desktop Services, formerly known as Terminal Services. This component handles connections over the Remote Desktop Protocol (RDP), a widely used protocol for remotely managing Windows systems on corporate networks.

What makes the vulnerability so dangerous is that it can be exploited remotely with no authentication or user interaction by simply sending a maliciously crafted RDP request to a vulnerable system.

A successful attack can result in malicious code being executed on the system with full user rights, giving attackers the ability to install programs, modify or delete user data and even to create new accounts.

“In other words, the vulnerability is ‘wormable’, meaning that any future malware that exploits this vulnerability could propagate from vulnerable computer to vulnerable computer in a similar way as the WannaCry malware spread across the globe in 2017,” Simon Pope, director of Incident Response at the Microsoft Security Response Center, said in a blog post.

“While we have observed no exploitation of this vulnerability, it is highly likely that malicious actors will write an exploit for this vulnerability and incorporate it into their malware.”

WannaCry did not exploit a vulnerability in RDP, but in Microsoft’s implementation of SMB, a file sharing and authentication protocol that’s used on all Windows networks and is enabled by default.

While the attacks are different, Pope’s analogy to WannaCry is based on the ease of exploitation — remotely with no authentication — and the popularity of both protocols.

RDP has been a popular infection vector for malware threats in the past, particularly for ransomware, cryptominers and point-of-sale memory scrapers. Attackers typically steal or brute-force RDP credentials in order to gain access to systems.
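The credential brute-forcing mentioned above leaves a distinctive trail in the Windows Security log: bursts of failed logons (Event ID 4625) with logon type 10, the RemoteInteractive type used by Remote Desktop Services, from one source address, sometimes followed by a successful logon (Event ID 4624) from the same address. The following detector is an added example written for this article, not code from Microsoft or from the article itself. The event records it runs over are constructed for illustration; the event IDs and logon type are real Windows values, but the simplified tuple layout and the `find_rdp_bruteforce` function are assumptions of this example rather than any Microsoft API.

```python
"""Flag RDP password-guessing from Windows Security log records.

Added example for the article above; not Microsoft's code. SAMPLE_EVENTS is
constructed telemetry. Event IDs 4625/4624 and logon type 10 are real Windows
values; the tuple layout and function names are this example's own.
"""
from collections import defaultdict
from datetime import datetime, timedelta

RDP_LOGON_TYPE = 10   # RemoteInteractive: logons that came in over Remote Desktop Services
FAILED_LOGON = 4625   # "An account failed to log on"
SUCCESS_LOGON = 4624  # "An account was successfully logged on"

# Constructed sample records: (TimeCreated, EventID, LogonType, TargetUserName, IpAddress)
SAMPLE_EVENTS = [
    # One address guessing several accounts over RDP, then getting in
    ("2019-05-15T10:00:01", 4625, 10, "administrator", "203.0.113.7"),
    ("2019-05-15T10:00:14", 4625, 10, "administrator", "203.0.113.7"),
    ("2019-05-15T10:00:27", 4625, 10, "admin",         "203.0.113.7"),
    ("2019-05-15T10:00:40", 4625, 10, "guest",         "203.0.113.7"),
    ("2019-05-15T10:00:53", 4625, 10, "backup",        "203.0.113.7"),
    ("2019-05-15T10:01:06", 4625, 10, "backup",        "203.0.113.7"),
    ("2019-05-15T10:01:20", 4624, 10, "backup",        "203.0.113.7"),
    # A user who mistyped once: should not alert
    ("2019-05-15T10:05:00", 4625, 10, "jsmith",        "198.51.100.22"),
    ("2019-05-15T10:05:30", 4624, 10, "jsmith",        "198.51.100.22"),
    # Network (type 3) logon failures, e.g. SMB: a different detection, ignored here
    ("2019-05-15T10:07:00", 4625, 3,  "administrator", "192.0.2.9"),
    ("2019-05-15T10:07:05", 4625, 3,  "administrator", "192.0.2.9"),
    ("2019-05-15T10:07:10", 4625, 3,  "administrator", "192.0.2.9"),
    ("2019-05-15T10:07:15", 4625, 3,  "administrator", "192.0.2.9"),
    ("2019-05-15T10:07:20", 4625, 3,  "administrator", "192.0.2.9"),
    ("2019-05-15T10:07:25", 4625, 3,  "administrator", "192.0.2.9"),
]


def parse_events(records):
    """Turn raw tuples into dicts with real datetimes so time windows can be computed."""
    return [
        {"time": datetime.fromisoformat(ts), "event_id": eid,
         "logon_type": lt, "account": acct, "ip": ip}
        for ts, eid, lt, acct, ip in records
    ]


def max_in_window(times, window):
    """Largest number of (sorted) timestamps that fall inside any span of length `window`."""
    best, start = 0, 0
    for end in range(len(times)):
        while times[end] - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def find_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Return {source_ip: summary} for addresses with >= threshold failed RDP
    logons inside any `window`; severity rises if a success follows the burst."""
    failures, successes = defaultdict(list), defaultdict(list)
    for e in events:
        if e["logon_type"] != RDP_LOGON_TYPE:
            continue  # only Remote Desktop logons are in scope here
        if e["event_id"] == FAILED_LOGON:
            failures[e["ip"]].append(e)
        elif e["event_id"] == SUCCESS_LOGON:
            successes[e["ip"]].append(e)

    alerts = {}
    for ip, fails in failures.items():
        fails.sort(key=lambda e: e["time"])
        burst = max_in_window([f["time"] for f in fails], window)
        if burst < threshold:
            continue
        last_fail = fails[-1]["time"]
        success_after = any(s["time"] >= last_fail for s in successes[ip])
        alerts[ip] = {
            "failures_in_window": burst,
            "accounts": sorted({f["account"] for f in fails}),
            "success_after_burst": success_after,
            "severity": "high" if success_after else "medium",
        }
    return alerts


if __name__ == "__main__":
    for ip, summary in find_rdp_bruteforce(parse_events(SAMPLE_EVENTS)).items():
        print(ip, summary)
```

Only the first address trips the detector: six failures in about a minute across four account names, followed by a successful logon, which the summary marks as high severity because a guessed password likely worked. The single mistyped password and the SMB-style network logon failures are left alone, so the alert stays specific to the RDP credential-guessing the article describes. In production the same logic would read the events from the Security channel rather than a constructed list.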