Microsoft Calls on Users to Patch Older Windows Operating Systems to Prevent WannaCry-like Cyberattack
Microsoft recently released a patch for older Windows operating systems and calls on users to apply this patch as soon as possible to prevent a disaster similar to the WannaCry cyberattack in 2017.
In the blog post “Prevent a worm by updating Remote Desktop Services (CVE-2019-0708)”, Simon Pope, Director of Incident Response at Microsoft Security Response Center (MSRC), said that a security vulnerability was discovered on Remote Desktop Services, formerly known as Terminal Services, in older Windows operating systems. The security vulnerability, Pope said, allows remote code execution – the ability of an attacker to access someone else’s computing device regardless of where this device is geographically located.
In addition to the remote code execution capability, Pope said the security vulnerability is also “wormable”, which means that “any future malware that exploits this vulnerability could propagate from vulnerable computer to vulnerable computer in a similar way as the WannaCry malware spread across the globe in 2017”.
Affected systems include in-support versions of Windows, specifically Windows 7, Windows Server 2008 R2, Windows Server 2008; and out-of-support systems, specifically Windows 2003 and Windows XP. Customers who use in-support versions of Windows can obtain software updates from Microsoft. On the other hand, customers who use out-of-support versions of Windows can no longer obtain software updates.
Early this week, Microsoft released the patch for the above-mentioned in-support and out-of-support versions of Windows. This is the second time in just over two years that Microsoft broke its tradition of not supplying patches for Windows operating systems that are out of support.
Just over two years ago, Microsoft broke the tradition of not supplying patches for Windows operating systems that are out of support in reaction to the WannaCry cyberattack. On May 12, 2017, the WannaCry malware infected more than 300,000 computers in over 150 countries in less than 24 hours.
WannaCry acts like any other ransomware – malware that encrypts systems and files, locks out legitimate users and demands ransom in exchange for the decryption keys that supposedly would unlock the encrypted systems and files. In addition to the ransomware feature, WannaCry has a worm feature, that is, the ability to spread itself within networks without user interaction – a feature that enabled this malware to infect hundreds of thousands of computers in less than 24 hours.
Victims of WannaCry who opted to pay ransom were unable to get their data back, as the source code of this malware was written in such a way that the attacker or attackers themselves can’t determine who paid the ransom and who didn’t. As such, they can’t decrypt on a per-user basis.
WannaCry exploits a vulnerability in the Windows Server Message Block 1.0 (SMBv1) server, a protocol used for sharing access to files, printers and other resources on a network. Similar to the newly discovered vulnerability in older Windows operating systems, the vulnerability that WannaCry exploited allows remote code execution and, as mentioned, has worm capability.
On March 14, 2017, close to two months prior to the WannaCry attack, Microsoft released a patch for vulnerable in-support versions of Windows, specifically Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8.1, Windows Server 2012, Windows 10, Windows Server 2012 R2, Windows Server 2016. The company, however, didn’t release a patch for out-of-support versions of Windows, specifically Windows XP, Windows 8 and Windows Server 2003.
At the height of the WannaCry cyberattack, on May 12, 2017, Microsoft resolved to break the tradition of not supplying patches for Windows operating systems that are out of support by providing a patch to these 3 out of support Windows systems: Windows XP, Windows 8 and Windows Server 2003.
It’s worth noting that even though it has been a long time since the major WannaCry attack, this attack continues to this day – an indicator that there are still organizations that haven’t installed Microsoft’s March 14, 2017 security update.
On March 28, 2018, Mike VanderWel, chief engineer at Boeing Commercial Airplane Production Engineering, sent out a memo informing his colleagues that the WannaCry malware was “metastasizing” out of Boeing’s North Charleston production plant and could potentially “spread to airplane software”.
“The vulnerability was limited to a few machines,” Linda Mills, head of communications for Boeing Commercial Airplanes, said in a statement. “We deployed software patches. There was no interruption to the 777 jet program or any of our programs.”
Cybersecurity Best Practices
Microsoft’s recent release of a patch for out-of-support versions of Windows is clearly an attempt on the part of the company to prevent a WannaCry-like cyberattack.
Simon Pope, Director of Incident Response at Microsoft Security Response Center, said that while there’s no evidence that the recently discovered vulnerability in older Windows operating systems has been exploited, “it is highly likely that malicious actors will write an exploit for this vulnerability and incorporate it into their malware”.
The latest vulnerability discovered by Microsoft, which affects Remote Desktop Services, can be mitigated by enabling Network Level Authentication (NLA). This gives affected systems added protection against the worm capability as NLA requires authentication before the vulnerability can be triggered. Affected systems with NLA enabled are, however, still vulnerable to remote code execution, Pope said, for instance, when a malicious actor has valid credentials that can be used to successfully authenticate.
Specific to the WannaCry malware, Microsoft recommends users of Windows systems to consider blocking legacy protocols on their networks.
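A read-only check of the two mitigations described above (NLA for Remote Desktop Services, and the legacy SMBv1 server), as an added example that is not from Microsoft's post or this article's author. It assumes Windows PowerShell run as administrator on the host being checked; the function names are hypothetical, and the SMB1 default noted in the comments applies to the older Windows versions listed in this article.

```powershell
# Added example: read-only audit of the NLA and SMBv1 settings on the local host.
# Function names are hypothetical; the registry values are the standard Windows ones.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or the value is absent.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item) { return $item.$Name }
    return $null
}

function Get-RdpExposure {
    $ts     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $rdpTcp = "$ts\WinStations\RDP-Tcp"
    $policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

    # fDenyTSConnections = 1 means Remote Desktop is turned off.
    $deny = Get-RegValue $ts 'fDenyTSConnections'

    # UserAuthentication = 1 means NLA is required.
    # A value set by Group Policy takes precedence over the local setting.
    $nla = Get-RegValue $policy 'UserAuthentication'
    if ($null -eq $nla) { $nla = Get-RegValue $rdpTcp 'UserAuthentication' }

    New-Object PSObject -Property @{
        RdpEnabled  = ($deny -ne 1)   # absent value is treated as enabled (conservative)
        NlaRequired = ($nla -eq 1)
    }
}

function Test-Smb1ServerEnabled {
    # SMB1 = 0 disables the SMBv1 server. On the older Windows versions
    # discussed here, an absent value means SMBv1 is enabled by default.
    $key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $smb1 = Get-RegValue $key 'SMB1'
    return ($smb1 -ne 0)
}

$rdp = Get-RdpExposure
if ($rdp.RdpEnabled -and -not $rdp.NlaRequired) {
    Write-Output 'RDP is enabled without NLA: patch first, then require NLA.'
} elseif ($rdp.RdpEnabled) {
    Write-Output 'RDP is enabled with NLA: the patch is still required.'
} else {
    Write-Output 'RDP is disabled on this host.'
}
if (Test-Smb1ServerEnabled) {
    Write-Output 'SMBv1 server is enabled: consider disabling this legacy protocol.'
}
```

NLA only raises the bar to authenticated attackers, so a host reporting NLA as required still needs the security update.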
The recent security vulnerability discovered by Microsoft and the WannaCry cyberattack in 2017 demonstrate the importance of applying software updates in a timely manner.