Microsoft patches Windows XP, Server 2003 to try to head off ‘wormable’ flaw
As part of its May 14 Patch Tuesday, Microsoft is releasing a security fix for several older versions of Windows, including Windows XP and Windows Server 2003 — neither of which is supported by Microsoft any longer. Officials said a potentially “wormable” flaw in those systems could result in them being hit by a malware attack like WannaCry.
The vulnerability, CVE-2019-0708, is in Remote Desktop Services (a.k.a. Terminal Services). To exploit the vulnerability “an attacker would need to send a specially crafted request to the target system’s Remote Desktop Service via RDP,” Microsoft officials noted. The update corrects how Remote Desktop Services handles connection requests.
“The Remote Desktop Protocol (RDP) itself is not vulnerable. This vulnerability is pre-authentication and requires no user interaction. In other words, the vulnerability is ‘wormable’, meaning that any future malware that exploits this vulnerability could propagate from vulnerable computer to vulnerable computer in a similar way as the WannaCry malware spread across the globe in 2017,” explain Microsoft officials in today’s Microsoft Security Response Center (MSRC) blog post.
The vulnerability — which Microsoft officials said they haven’t yet seen exploited — doesn’t affect Windows 8.1 or 10 (or Server variants starting with 2012), but it does affect Windows 7, Windows Server 2008 and 2008 R2, along with the previously mentioned Windows variants. The patches for XP and 2003 are here.
Microsoft occasionally issues patches for Windows variants that are no longer in support, but only when a vulnerability has a strong possibility of rampant exploitation. This practice has resulted in some customers playing Russian roulette when it comes to continuing to run unsupported Windows versions.