Data Insider: Digital Guardian's Blog

Microsoft Urging Users to Patch New Wormable Vulnerabilities

by Chris Brook on Wednesday August 14, 2019


Microsoft is urging users to patch a series of critical, BlueKeep-like vulnerabilities in Windows that could be used to spread malware and affect as many as 800 million machines.

Similar to what it did earlier this year, when it warned of what became known throughout the industry as BlueKeep, a vulnerability in Remote Desktop Protocol, Microsoft is encouraging users to patch their systems this week in order to mitigate two new critical vulnerabilities in Remote Desktop Services.

Microsoft patched both of the vulnerabilities, CVE-2019-1181 and CVE-2019-1182, on Tuesday as part of its regularly scheduled patch update, but the company says users should update as soon as possible because the vulnerabilities are "wormable," meaning that malware could use them to jump from machine to machine without user interaction.

Older versions of Windows, in particular Windows 7 SP1, Windows Server 2008 R2 SP1, Windows Server 2012, Windows 8.1, Windows Server 2012 R2, and all supported versions of Windows 10, including server versions, are affected by the vulnerabilities. Windows XP, Windows Server 2003, and Windows Server 2008 are not affected, according to Microsoft.

For understandable reasons, there's scant information about the two vulnerabilities beyond the fact that both of the bugs are remote code execution vulnerabilities in RDS and considered critical by Microsoft.

While not explicitly mentioned in a blog Microsoft posted about the vulnerabilities on Tuesday, two other vulnerabilities fixed this week, CVE-2019-1222 and CVE-2019-1226, also affect RDS in a similar capacity and deserve the attention of administrators.

RDS, also known as Terminal Services in older versions of Windows, is a component of the operating system that allows users to take control of a remote computer or virtual machine over a network connection; RDP, Microsoft's protocol, is not affected by the bugs.

Simon Pope, the Director of Microsoft's Security Response Center's Incident Response team, said that systems with Network Level Authentication, or NLA, enabled, which requires authentication before the vulnerability can be triggered, are protected. Pope says the company uncovered the vulnerabilities while hardening Remote Desktop Services.
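An administrator's quick way to check a host against the mitigation described above (added example, not code from the article or from Microsoft): it reads the standard RDP-Tcp listener settings from the registry, compares installed hotfixes against a caller-supplied KB list, and can require NLA via the documented WMI method. The KB numbers are a placeholder to be filled in from the Microsoft advisory for the host's OS build; running as an administrator is assumed.

```powershell
# Added example: audit a host's Remote Desktop Services posture (NLA state,
# RDP enabled, patch present). Registry paths are the standard RDP-Tcp listener
# settings; $RequiredKBs is a placeholder for the advisory's KB numbers.
function Get-RdsPosture {
    param(
        # Placeholder: KB identifiers from the August 2019 advisory for this OS build.
        [string[]]$RequiredKBs = @('KB_PLACEHOLDER')
    )
    $tsRoot   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $listener = Join-Path $tsRoot 'WinStations\RDP-Tcp'

    # fDenyTSConnections = 1 means Remote Desktop is turned off entirely.
    $deny = (Get-ItemProperty -Path $tsRoot -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
    $rdpEnabled = ($deny -ne 1)

    # UserAuthentication = 1 means NLA is required, so an unauthenticated client
    # never reaches the vulnerable pre-authentication code path.
    $ua = (Get-ItemProperty -Path $listener -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication
    $nlaRequired = ($ua -eq 1)

    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    $missing   = @($RequiredKBs | Where-Object { $_ -notin $installed })

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        RdpEnabled   = $rdpEnabled
        NlaRequired  = $nlaRequired
        MissingKBs   = $missing
        # Worst case the article warns about: RDP on, NLA off, patch absent.
        Exposed      = $rdpEnabled -and (-not $nlaRequired) -and ($missing.Count -gt 0)
    }
}

# Enforce NLA on the RDP-Tcp listener using the Win32_TSGeneralSetting WMI class;
# takes effect for new connections, existing sessions are not dropped.
function Enable-RdsNla {
    $setting = Get-WmiObject -Namespace 'root\cimv2\TerminalServices' `
        -Class Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"
    $result = $setting.SetUserAuthenticationRequired(1)
    return ($result.ReturnValue -eq 0)
}

$posture = Get-RdsPosture
$posture | Format-List
if ($posture.RdpEnabled -and -not $posture.NlaRequired) {
    Write-Warning "NLA is not required on this host; consider running Enable-RdsNla."
}
```

Treat a result of Exposed = True as the highest-priority host for patching; requiring NLA reduces exposure but, as the article notes, the patch is still the fix.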

Unlike BlueKeep, which affected much older operating systems, like Windows Vista, Windows 7, Windows XP, Server 2003 and Server 2008, these vulnerabilities affect newer, more widely deployed versions.

Since the vulnerabilities apparently affect all Windows 10 machines, it’s possible as many as 800 million devices, the total number of Windows 10 users worldwide Microsoft gave earlier this year, are affected.

In comparison, BlueKeep affected just one million systems at the end of May, the month it was disclosed.

The BlueKeep vulnerability even prompted the U.S. government - the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency - to issue a warning encouraging administrators to apply the appropriate mitigations.

Microsoft didn't relent in sounding the alarm over BlueKeep; in a blog post just last week the company's Detection and Response Team (DART) advised applying the Windows Update and protecting RDP through a form of second-factor authentication. In a blog last Thursday the company said it could see "more than 400,000 endpoints lacking any form of network level authentication," something that "puts each of these systems potentially at risk from a worm-based weaponization of the BlueKeep vulnerability."

As a public service, DART reminded users of the timeline behind previous, critical vulnerabilities and when attacks (MS08-067 and Conficker, MS17-010 and EternalBlue) were launched, hinting it could only be a matter of time.


Tags: Vulnerabilities


Chris Brook

Chris Brook is the editor of Data Insider. He is a technology journalist with a decade of experience writing about information security, hackers, and privacy. Chris has attended many infosec conferences and has interviewed hackers and security researchers. Prior to joining Digital Guardian he helped launch Threatpost, an independent news site which is a leading source of information about IT and business security for hundreds of thousands of professionals worldwide.