May 14, 2019

Microsoft today is taking the unusual step of releasing security updates for unsupported but still widely-used Windows operating systems like XP and Windows 2003, citing the discovery of a “wormable” flaw that the company says could be used to fuel a fast-moving malware threat like the WannaCry ransomware attacks of 2017.

The May 2017 global malware epidemic WannaCry affected some 200,000 Windows systems in 150 countries. Source: Wikipedia.

The vulnerability (CVE-2019-0708) resides in the “remote desktop services” component built into supported versions of Windows, including Windows 7, Windows Server 2008 R2, and Windows Server 2008. It also is present in computers powered by Windows XP and Windows 2003, operating systems for which Microsoft long ago stopped shipping security updates.

Microsoft said the company has not yet observed any evidence of attacks against the dangerous security flaw, but that it is trying to head off a serious and imminent threat.

“While we have observed no exploitation of this vulnerability, it is highly likely that malicious actors will write an exploit for this vulnerability and incorporate it into their malware,” wrote Simon Pope, director of incident response for the Microsoft Security Response Center.

“This vulnerability is pre-authentication and requires no user interaction,” Pope said. “In other words, the vulnerability is ‘wormable,’ meaning that any future malware that exploits this vulnerability could propagate from vulnerable computer to vulnerable computer in a similar way as the WannaCry malware spread across the globe in 2017. It is important that affected systems are patched as quickly as possible to prevent such a scenario from happening.”

The WannaCry ransomware threat spread quickly across the world in May 2017 using a vulnerability that was particularly prevalent among systems running Windows XP and older versions of Windows. Microsoft had already released a patch for the flaw, but many older and vulnerable OSes were never updated. Europol estimated at the time that WannaCry spread to some 200,000 computers across 150 countries.

CVE-2019-0708 does not affect Microsoft’s latest operating systems — Windows 10, Windows 8.1, Windows 8, Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, or Windows Server 2012.

More information on how to download and deploy the update for CVE-2019-0708 is here.

All told, Microsoft today released 16 updates targeting at least 79 security holes in Windows and related software — nearly a quarter of them earning Microsoft’s most dire “critical” rating. Critical bugs are those that can be exploited by malware or ne’er-do-wells to break into vulnerable systems remotely, without any help from users.

One of those critical updates fixes a zero-day vulnerability — (CVE-2019-0863) in the Windows Error Reporting Service — that’s already been seen in targeted attacks, according to Chris Goettl, director of product management for security vendor Ivanti.

Other Microsoft products receiving patches today include Office and Office 365, SharePoint, .NET Framework and SQL Server. Once again — for the fourth time this year — Microsoft is patching yet another critical flaw in the Windows component responsible for assigning Internet addresses to host computers (a.k.a. “Windows DHCP client”).

“Any unauthenticated attacker who can send packets to a DHCP server can exploit this vulnerability,” to deliver a malicious payload, notes Jimmy Graham at Qualys.

Staying up-to-date on Windows patches is good. Updating only after you’ve backed up your important data and files is even better. A good backup means you’re not pulling your hair out if the odd buggy patch causes problems booting the system. So do yourself a favor and back up your files before installing any patches.

Note that Windows 10 likes to install patches all in one go and reboot your computer on its own schedule. Microsoft doesn’t make it easy for Windows 10 users to change this setting, but it is possible. For all other Windows OS users, if you’d rather be alerted to new updates when they’re available so you can choose when to install them, there’s a setting for that in Windows Update.

As per usual, Adobe has released security fixes for Flash Player and Acrobat/Reader. The Flash Player update fixes a single, critical bug in the program. Adobe’s Acrobat/Reader update plugs at least 84 security holes.

Microsoft Update should install the Flash fix by default, along with the rest of this month’s patch bundle. Fortunately, the most popular Web browser by a long shot — Google Chrome — auto-updates Flash but also is now making users explicitly enable Flash every time they want to use it. By the summer of 2019 Google will make Chrome users go into their settings to enable it every time they want to run it.

Firefox also forces users with the Flash add-on installed to click in order to play Flash content; instructions for disabling or removing Flash from Firefox are here. Adobe will stop supporting Flash at the end of 2020.

As always, if you experience any problems installing any of these patches this month, please feel free to leave a comment about it below; there’s a good chance other readers have experienced the same and may even chime in here with some helpful tips.

47 thoughts on “Microsoft Patches ‘Wormable’ Flaw in Windows XP, 7 and Windows 2003”

  1. PA

    Where did you get information on out-of-band patches for XP and 2003? There is nothing similar mentioned in the official Windows advisory?

  2. Old School

    KB4494441 had to be installed twice so be sure to run Windows Update twice. I was not amused.

    1. BDM

      I too had to install that Update twice on 2 PCs (WIN10 Pro & Home).

      1. Mark

        Win 10 is not one of the affected OSes. So no worries if you have Win10.

  3. CW

    Would it be a correct assumption that if Remote Assistance/Remote Desktop is NOT enabled on a Windows 7 machine, then the exploit would not work?

    1. PJJ

      Maybe, but I wouldn’t count on it. I certainly wouldn’t bet my job on it.
      Better patched and safe than sorry, in any case.

      1. CW

        Well of course I will patch, but the question is: how aggressively? I’ve got a fleet of machines, and knowing whether or not they are vulnerable (based on whether Remote Desktop is enabled) affects the speed and timing of when I’ll be patching.

        1. Katlego

          Well, logically that should solve the problem… Microsoft recommends closing port 3389 at a firewall level to solve this if you cannot immediately patch.

    2. Steve

      I subscribe to your concern. I cannot understand WHY when reporting a serious issue like this one Microsoft is not more specific. I mean, the CVE MS published says there are no mitigations, but I interpret if you want to use RDS.

    1. BrianKrebs Post author

      So does the story: “The vulnerability (CVE-2019-0708) resides in the “remote desktop services” component built into supported versions of Windows, including Windows 7, Windows Server 2008 R2, and Windows Server 2008. It also is present in computers powered by Windows XP and Windows 2003, operating systems for which Microsoft long ago stopped shipping security updates.”

      But Microsoft says this does not impact Server 2012: “CVE-2019-0708 does not affect Microsoft’s latest operating systems — Windows 10, Windows 8.1, Windows 8, Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, or Windows Server 2012.”

  4. ASB

    This month is big breach-prep month.

    – Microsoft is patching a wormable vulnerability.

    – Cisco has a vulnerability of epic proportions which will affect millions and millions of systems (with a patch coming “soon”)

    https://www.wired.com/story/cisco-router-bug-secure-boot-trust-anchor/

    – Intel CPU vulnerabilities continue to mount, with 4 new vulnerabilities that Intel insists are low-to-medium issues.

    https://www.wired.com/story/intel-mds-attack-speculative-execution-buffer/

    1. Whoever

      @asb, I think you need to read something a little less click-bait than that Wired article. IF SOMEONE HAS ADMIN ACCESS TO YOUR ROUTER, which is the requirement for the TAm vulnerability, THAT SOMEONE HAS ALREADY LOST. Not quite as epic as the article states.

      1. That Guy

        You missed that the researchers used two exploits, the first one gave them root.

  5. BK

    Imminent threat? Sounds like a 3 letter agency has lost* its code.

  6. Mike

    No MS (multiple sclerosis) products for me.

  7. vb

    Why would anyone running an old Windows operating system check for this security update if they have long been told that their system is unsupported and is no longer receiving security updates?

    1. Anon404

      Third world countries where the only option they might have is XP. The world consists of more than just 1st world nations, and poor countries have computers too.

  8. Matt

    If patching windows 7, does the machine need to reboot for it to take effect?

  9. The Sunshine State

    Never got any email notification on this post?

  10. JD

    Any nmap definition for this vulnerability yet?

  11. Jay Johnson

    Like a jones’n junkie, Micro$oft is feeling the need to break some PCs with “updates.”

    If it ain’t broke don’t update it. If you want it broke, permit Micro$oft to update it.

  12. Johanne

    What is the reason for enabling RDP on a Home computer?
    Remote Terminal Services are a type of “backdoor” and hardening processes or default configurations must do away with it.

    Microsoft (or any other manufacturer) should be held accountable (taken to court) for insecure default configurations which cause harm to consumers.

    1. Gunther

      I buy ‘Professional’ Windows to enable RDP on home computers because I have more than one and like to access them without sitting down in front of them and using their keyboard and mouse.

      You can’t enable Remote Desktop on ‘Home’ without hacking a .dll and Remote Desktop access is disabled by default on ‘Pro’. I consider that a decision that limits harm to consumers.

  13. Andres

    Brian, no comment on the slew of new CPU vulnerabilities announced yesterday?

  14. oldunixguy

    I tried to download from the microsoft catalog for this new fix. All I get is this:
    The website has encountered a problem
    [Error number: 8DDD0001]
    The website has encountered a problem and cannot display the page you are trying to view. The options provided below might help you solve the problem.

    I have tried on 5 different computers using both Firefox and IE.

    any ideas?

  15. Readership1

    Brian,

    Is Microsoft making a strategic mistake in helping out users of unsupported versions of Windows? Or is it all about protecting the Windows brand?

    Also, any comments on the WhatsApp vulnerability stories that are making the rounds in the mass media? I’m a bit suspicious of claims that NSO is at fault, and that the vague sources seem to originate in Saudi Arabia, not exactly a hotbed of technical knowledge.

  16. KFritz

    My machine is a Windows 7 64 bit HP desktop, partitioned with Ubuntu. The first bootup and the installation reboot was 45 seconds to a minute slower than normal.

    For the second month in a row, Windows Media Player reverts to default, and it’s necessary to reconfigure it.

    Initially everything else seems fine.

  17. marion

    where do i get the patch for windows 7 ?

  18. KH

    This worm had infected our XP computers already; saw a redirect with bank logons back in April. It puzzled our IT, who said it locked the administrator out of the operating system by taking control using a remote process. Disabled services so that admin and users cannot enable them, nor copy or paste files.
    It’s a shame the info was not released earlier, as it would have saved us a lot of headaches. Now need a good repair tool.

  19. Linux

    Has anyone assessed if any Linux RDP application is vulnerable to CVE-2019-0708? It’s not a protocol vulnerability, per Microsoft. But wondering if Linux implementations are safe.

  20. Adrian

    I’ve been trying to use SCCM to deploy the required updates for both Windows 2008 & 2008 R2 (KB4499180, KB4499149, KB4499164 & KB4499175), along with manual install. Nothing seems to work. Some servers install it ok, but then roll back once it reboots. Other servers show it’s been installed in Software Centre but then show as “Failed” in Update history.

    Even getting conflicting reports showing servers require KB4499164 but it won’t install and returns “The update is not applicable to your computer”, even though that update is for 2008 R2 where I’m installing it.

  21. Erik

    @Adrian – have you verified that the servers rolling back the patch have the required service pack installed (SP2 for Windows Server 2008 and SP1 for Windows Server 2008 R2)?

    If they’re already running those, you could check the Windows event logs and update-related log files (“%sysdir%\WindowsUpdate.log” and “%windir%\Logs\CBS\CBS.log”) for further clues.
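The questions in this thread (is Remote Desktop actually enabled, is 3389 listening, is the service pack in place, did the fix land) can be answered from one elevated PowerShell session on each Windows 7 / Server 2008 / 2008 R2 host. This is an added example, not code from the article or from Microsoft; the KB list is taken from Adrian’s comment above and must be checked against Microsoft’s advisory for each OS, and the NLA check is included because requiring Network Level Authentication forces credentials before a session is set up, which Microsoft lists as a partial mitigation.

```powershell
# Added example: inventory one host for CVE-2019-0708 exposure. Run elevated.
# Assumption: the KB list is the one cited in the comments for Server 2008 /
# 2008 R2; adjust it per OS from Microsoft's advisory before relying on it.
$Kbs = 'KB4499180', 'KB4499149', 'KB4499164', 'KB4499175'

$os    = Get-WmiObject Win32_OperatingSystem
$build = [version]$os.Version      # 5.x = XP/2003, 6.0.x = 2008, 6.1.x = Win7/2008 R2
$affectedFamily = ($build.Major -eq 5) -or ($build.Major -eq 6 -and $build.Minor -le 1)

# Service pack level: SP2 on 2008 and SP1 on 2008 R2 are prerequisites for the update.
$sp = $os.ServicePackMajorVersion

# Is Remote Desktop enabled at all? fDenyTSConnections = 1 means connections are refused.
$ts = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpEnabled = ($ts.fDenyTSConnections -eq 0)

# Is Network Level Authentication required? UserAuthentication = 1 means yes.
$rdpTcp = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$nlaRequired = ($rdpTcp.UserAuthentication -eq 1)

# Is anything listening on 3389? netstat is used because Get-NetTCPConnection
# does not exist on these older systems.
$port3389 = [bool](netstat -an | Select-String ':3389\s+.*LISTENING')

# Is one of the fixes installed? Get-HotFix reads Win32_QuickFixEngineering.
$installed = Get-HotFix |
    Where-Object { $Kbs -contains $_.HotFixID } |
    Select-Object -ExpandProperty HotFixID

# One row per host; collect these across the fleet to decide patch order.
[pscustomobject]@{
    Computer       = $env:COMPUTERNAME
    OSVersion      = $os.Version
    ServicePack    = $sp
    AffectedFamily = $affectedFamily
    RdpEnabled     = $rdpEnabled
    NlaRequired    = $nlaRequired
    Port3389Open   = $port3389
    FixInstalled   = ($installed -join ',')
    # Exposed = affected OS, RDP reachable, and no fix present; NLA narrows but
    # does not remove the risk, so it is reported separately rather than subtracted.
    Exposed        = ($affectedFamily -and $rdpEnabled -and $port3389 -and -not $installed)
}
```

Hosts that report Exposed = True with RdpEnabled = True are the ones to patch first or to cut off from 3389 at the firewall, as the comment above recommends, until the update is confirmed in Get-HotFix.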

  22. michical

    Can you make a blog post on security keys and how Microsoft has a huge flaw in the email sign-in page compared to Google’s security key setup for accounts?
