Strategy Created for RDP Vulnerability

Monday, May 20, 2019 @ 04:05 PM gHale

Kaspersky Lab researchers created detection strategies for a new Microsoft RDP vulnerability to help all security vendors prepare and protect.

Microsoft issued a patch May 17 for a “wormable” Remote Desktop Protocol vulnerability the software giant said could be quickly exploited by attackers.

RELATED STORIES
Malware Beware: Update Windows ASAP
Manufacturing Report: Financial Attacks on Rise
Siemens, TÜV SÜD Partner on Safety-Security
Security Spotlight: Triton Fallout, Securing Supply Chain

Kaspersky Lab researchers analyzed and successfully created a detection strategy for the vulnerability. They are making this available to colleagues across the security industry so others can create their own detection strategies.

“We analyzed the vulnerability and can confirm that it is exploitable. We have therefore developed detection strategies for attempts to exploit the vulnerability and would now like to share those with trusted industry parties, so that together we can build a shield around all our customers before the attackers figure out what to do and unleash another devastating worm on the world,” – said Boris Larin, security researcher at Kaspersky Lab.

There is a critical Remote Code Execution vulnerability in Remote Desktop Services, formerly known as Terminal Services, that affects older versions of Windows.

“This vulnerability is pre-authentication and requires no user interaction. In other words, the vulnerability is ‘wormable,’ meaning that any future malware that exploits this vulnerability could propagate from vulnerable computer to vulnerable computer in a similar way as the WannaCry malware spread across the globe in 2017,” said Simon Pope, director of incident response at Microsoft Security Response Center (MSRC).

While Microsoft observed no exploitation of this vulnerability, which has a case number of CVE-2019-0708, it is likely attackers will write an exploit for this vulnerability and incorporate it into their malware.

“Now that I have your attention,” Pope said in the post, “it is important that affected systems are patched as quickly as possible to prevent such a scenario from happening. In response, we are taking the unusual step of providing a security update for all customers to protect Windows platforms, including some out-of-support versions of Windows.

Vulnerable in-support systems include Windows 7, Windows Server 2008 R2, and Windows Server 2008. Downloads for in-support versions of Windows can be found in the Microsoft Security Update Guide. Customers who use an in-support version of Windows and have automatic updates enabled are automatically protected. 

Out-of-support systems include Windows 2003 and Windows XP. If a user is working with an out-of-support version, the best way to address this vulnerability is to upgrade to the latest version of Windows. “We are making fixes available for these out-of-support versions of Windows in KB4500705,” Pope said.

Security vendors who would like to receive further details should contact Kaspersky Lab mailto:nomoreworm@kaspersky.com



Leave a Reply

You must be logged in to post a comment.