Microsoft released fixes Tuesday for a “wormable” remote code execution flaw reminiscent of the vulnerability that allowed WannaCry ransomware to propagate to computers around the globe in 2017.
The Remote Desktop Services vulnerability, which Microsoft has rated as critical, could allow hackers to install programs and to view, change, or delete data. It requires no user interaction to work, meaning users don’t have to click on anything, such as a link, document, or message box, and attackers don’t need to run social engineering campaigns to dupe users.
Microsoft took the unusual step of releasing security updates for all users, including those on unsupported operating systems like XP and Windows 2003, due to the risk that the flaw can lead to self-propagating attacks.
“In other words, the vulnerability is ‘wormable,’ meaning that any future malware that exploits this vulnerability could propagate from vulnerable computer to vulnerable computer in a similar way as the WannaCry malware spread across the globe in 2017,” Simon Pope, director of incident response at the Microsoft Security Response Center, wrote in a blog post. “While we have observed no exploitation of this vulnerability, it is highly likely that malicious actors will write an exploit for this vulnerability and incorporate it into their malware.”
The WannaCry ransomware infected hundreds of thousands of computers in 150 countries within just a few hours two years ago. The malware, which had its roots in a hacking tool stolen from the U.S. National Security Agency, relied on Windows’ SMB protocol to spread across networks like a worm. Now, while Microsoft says it hasn’t seen any evidence of another attack, researchers say this flaw also would be relatively easy for hackers to exploit.
“An unpatched, internet-facing Win7/2008 computer can therefore be compromised (lose stored information or be used to launch attacks on others) without the user being prompted for any action,” Vikram Thakur, technical director at Symantec, said in an email.
Right now there are approximately 3 million Remote Desktop endpoints that are directly exposed to the internet, according to independent researcher Kevin Beaumont.
Satnam Narang, senior research engineer at Tenable, said administrators should apply patches quickly to curtail their risk.
“It is critically important for organizations and system administrators to apply patches as soon as possible to reduce their risk of compromise,” Narang said.
The UK’s National Cyber Security Centre appears to have been involved in alerting Microsoft to the flaw, according to Microsoft. When reached for comment, Microsoft did not offer information about how the NCSC learned of the flaw and how long it had known about it. The NCSC did not respond to a request for comment.
Windows 8 and Windows 10, the later versions of Windows, are not affected by the vulnerability, and the flaw takes a little more effort to exploit than the one that enabled WannaCry to spread.
Users will need to download the update from the Microsoft Update Catalog to patch their systems.