Last Tuesday Microsoft released an unexpected patch for Windows XP and Windows Server 2003, alongside the regular updates for Windows 7, Windows Server 2008 and Windows Server 2008 R2, to fix a critical “wormable” flaw. The surprise patch for the out-of-support systems was one of 17 Microsoft updates released that day, which together addressed 79 vulnerabilities listed in the Common Vulnerabilities and Exposures (CVE) system.
Microsoft’s reason for rolling out a security patch for operating systems it no longer supports was a serious flaw in those old systems that could be exploited to build another worm like WannaCry. In May 2017 WannaCry crippled organisations in the UK (the NHS was hardest hit) and around the world in a ransomware attack, and the damage to the NHS alone was later put at £92m.
The vulnerability, tracked as CVE-2019-0708, lies in Remote Desktop Services. An attacker exploits it by sending a specially crafted request to the target system’s Remote Desktop Service over the Remote Desktop Protocol (RDP). What makes this flaw so dangerous is that it is “pre-authentication”: the malicious request is processed before any login credentials are checked, so the attacker needs no valid account on the target, and the exploit requires no user interaction at all.
Because no credentials and no user action are needed, malware that exploits the flaw can spread by itself from one vulnerable system to the next across an entire network, exactly as a worm does, without anyone having to open a file or click a link. Any host that exposes RDP (TCP port 3389 by default) to an untrusted network is reachable by such a worm.
Microsoft has reported that it has seen no exploitation of the vulnerability so far, but its advisory also says it considers it highly likely that attackers will write an exploit and build it into their malware in the near future. The company also has a reputation to protect: it does not want to be exposed as having left a security flaw in its old operating systems, ignored it, and thereby helped cyber criminals launch another global attack on the scale of WannaCry.
In addition to the patch for the wormable flaw, Microsoft released 16 other software updates addressing 78 further CVE-listed vulnerabilities in its products, including Microsoft Office, Internet Explorer and the .NET Framework. 18 of those vulnerabilities are rated “critical” in severity. Among the patches is a fix for a zero-day vulnerability in the Windows Error Reporting Service that was already being exploited by attackers before the fix was released.
It is a determined and very rare move by Microsoft: once an operating system leaves its extended support period, no further patches, not even security patches, are normally issued for it. The last time Microsoft made such an exception was also because of WannaCry, when it shipped the MS17-010 fix for Windows XP and Windows Server 2003 in May 2017. What makes the present circumstance different is that WannaCry still remains a serious IT security threat worldwide, and hundreds of thousands of computer systems globally are still susceptible to the vulnerability that WannaCry exploited two years ago.
The security company Malwarebytes has recorded over 4 million WannaCry detections since the first attack in May 2017. WannaCry encrypted hundreds of thousands of computer systems within hours across more than 150 countries; no ransomware before it had infected so many computers so quickly in so many countries.
Although the original outbreak was halted by Marcus Hutchins, who found a ‘kill switch’ domain in the code and registered it, variants of WannaCry still exist two years on and continue to infect computer systems. According to Malwarebytes, since April 2019 alone almost 500,000 WannaCry infections have been recorded globally. The systems still being infected are largely those that never received the 2017 patch, so it is no wonder that Microsoft has now patched the same old, unsupported operating systems again rather than wait for the next worm to arrive.
Malware of this kind is a major threat to companies worldwide, and businesses must take it seriously and make every reasonable cyber security change to protect their systems from attack and their data from compromise. One sure way of doing that is upgrading to a currently supported Microsoft operating system; the latest for workstations is Windows 10. Windows 7 reaches the end of its support, with no further security updates, in January 2020, and the same applies to Windows Server 2008 and 2008 R2, so migration needs to be on every business’s IT security action plan now, with only eight months left. Where an upgrade cannot happen immediately, the patch should be applied straight away, and Microsoft’s advisory lists further mitigations: disable Remote Desktop Services where they are not needed, block TCP port 3389 at the perimeter firewall, and enable Network Level Authentication (NLA), which forces an attacker to authenticate before the vulnerable code can be reached. NLA is only a partial mitigation, since an attacker who already holds valid credentials could still exploit the flaw.
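The checks and mitigations described above, as an added PowerShell example that is not from the original article or from Microsoft. It audits a Windows 7 / Server 2008 / Server 2008 R2 host for an affected OS version, the presence of the May 2019 update, whether RDP is enabled and on which port, and whether Network Level Authentication is required, and prints the remediation commands where they apply. The KB numbers, the registry locations and the affected-version rule are assumptions written from memory of the Microsoft advisory for CVE-2019-0708 and should be confirmed against it before the result is trusted.

```powershell
# Added example (not from the article or from Microsoft): audit a Windows 7 /
# Server 2008 / Server 2008 R2 host for exposure to CVE-2019-0708.
# Run in an elevated PowerShell prompt. The KB numbers below are assumed to be
# the May 2019 updates for these platforms; confirm them against Microsoft's
# advisory for CVE-2019-0708 before relying on the result.

$BlueKeepKbs = @(
    'KB4499164',  # Windows 7 SP1 / Server 2008 R2 SP1, monthly rollup (assumed)
    'KB4499175',  # Windows 7 SP1 / Server 2008 R2 SP1, security-only (assumed)
    'KB4499149',  # Windows Server 2008 SP2, monthly rollup (assumed)
    'KB4499180',  # Windows Server 2008 SP2, security-only (assumed)
    'KB4500331'   # Windows XP / Server 2003 out-of-band update (assumed)
)
$PatchDate = Get-Date '2019-05-14'

# 1. Is this an affected platform? Windows XP, Vista, 7, Server 2003, 2008 and
#    2008 R2 (NT 5.x, 6.0, 6.1) are affected; Windows 8 / Server 2012 (NT 6.2)
#    and later are not. Get-WmiObject is used so the script also runs on the
#    PowerShell 2.0 that ships with Windows 7.
$osVersion  = [version](Get-WmiObject Win32_OperatingSystem).Version
$affectedOs = ($osVersion.Major -lt 6) -or
              ($osVersion.Major -eq 6 -and $osVersion.Minor -le 1)

# 2. Is the fix installed? Monthly rollups are cumulative, so a rollup installed
#    after patch day also carries the fix; security-only updates are not
#    cumulative, so "something newer is installed" only means "verify manually".
$hotfixes    = Get-HotFix
$exactKb     = $hotfixes | Where-Object { $BlueKeepKbs -contains $_.HotFixID }
$laterUpdate = $hotfixes | Where-Object { $_.InstalledOn -and $_.InstalledOn -gt $PatchDate }

# 3. Is RDP enabled, on which TCP port, and is Network Level Authentication required?
#    fDenyTSConnections = 1 means Remote Desktop is switched off.
#    UserAuthentication = 1 means NLA is required before the session is set up.
$tsKey       = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpKey      = "$tsKey\WinStations\RDP-Tcp"
$rdpEnabled  = (Get-ItemProperty $tsKey).fDenyTSConnections -eq 0
$rdpTcp      = Get-ItemProperty $rdpKey
$nlaRequired = $rdpTcp.UserAuthentication -eq 1
$rdpPort     = $rdpTcp.PortNumber

$status = if (-not $affectedOs) { 'Not affected (OS version)' }
          elseif ($exactKb)     { 'Patched (' + (($exactKb | ForEach-Object { $_.HotFixID }) -join ', ') + ')' }
          elseif ($laterUpdate) { 'Possibly patched: updates installed after 14 May 2019, verify the rollup' }
          else                  { 'UNPATCHED' }

"OS version   : $osVersion (affected platform: $affectedOs)"
"Patch state  : $status"
"RDP enabled  : $rdpEnabled (TCP port $rdpPort)"
"NLA required : $nlaRequired"

# 4. Remediation hints for hosts that are affected and not known to be patched.
if ($affectedOs -and -not $exactKb) {
    if ($rdpEnabled -and -not $nlaRequired) {
        Write-Warning 'RDP is reachable without Network Level Authentication. Partial mitigation (still exploitable with valid credentials):'
        Write-Warning "  Set-ItemProperty -Path '$rdpKey' -Name UserAuthentication -Value 1"
    }
    Write-Warning 'Until the update is installed, block inbound RDP from untrusted networks, e.g.:'
    Write-Warning "  netsh advfirewall firewall add rule name=`"Block inbound RDP $rdpPort`" dir=in action=block protocol=TCP localport=$rdpPort"
    Write-Warning 'Or disable Remote Desktop entirely if it is not needed:'
    Write-Warning "  Set-ItemProperty -Path '$tsKey' -Name fDenyTSConnections -Value 1"
}
```

The script reports one of three states rather than a simple yes/no: “Patched” only when one of the listed KBs is present, “Possibly patched” when something newer than patch day is installed (a later cumulative rollup would include the fix, a later security-only update would not), and “UNPATCHED” otherwise. Run it across a fleet with your usual remote execution tooling, and treat every host that is affected, reachable on its RDP port from outside and not required to use NLA as the first priority for patching or for a firewall block.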
Jake Moore, a security specialist at anti-virus company ESET says it all, “If people haven’t decided to update their operating systems or patch where they can by now, then they probably won’t ever change and continue to be a risk to themselves…WannaCry did a hefty amount in teaching people about the risks attached to not keeping on top of your cyber security, but if over a million devices are still out there unpatched, then they will most likely never be updated…Many have argued that by updating their operating system their bespoke software may not run anymore, but the risks attached come with a far higher price tag should they have their data encrypted and backups lost.”