UPDATE NOW! Critical, remote, ‘wormable’ Windows vulnerability

By Mark Stockley

Microsoft has issued a patch for a vulnerability in its Remote Desktop Services that can be exploited remotely, via RDP, without authentication and used to run arbitrary code:

A remote code execution vulnerability exists in Remote Desktop Services – formerly known as Terminal Services – when an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests. This vulnerability is pre-authentication and requires no user interaction. An attacker who successfully exploited this vulnerability could execute arbitrary code on the target system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

It doesn’t get much worse than that.

Fixes are included in for versions of Windows 7 and Windows 2008 (see the advisory for the full list) as part of Microsoft’s most recent Patch Tuesday. Patches have also been made available for versions of Windows XP and Windows 2003 (see the customer guidance for the full list).

The flaw is considered ‘wormable’, meaning that it has the potential to be used in malware that spreads by itself across and between networks.

Millions of computer networks around the world have RDP exposed to the outside world so that they can be managed not only via their local network but also across the internet. Sometimes, that external access was enabled on purpose; sometimes the exposure is an unwanted mistake – but in either case, a network where RDP can be reached from the outside is a potential gateway for an automated attack to reach a new victim.

Given the number of targets, and the potential for an explosive, exponential spread, we suggest you treat it as a matter of when, not if, the patch is reverse engineered and an exploit created, so you should update immediately. For more guidance, check out this article’s What to do? section.

Read more at https://nakedsecurity.sophos.com/2019/05/15/update-now-critical-remote-wormable-windows-vulnerability/

Microsoft fixes Intel ZombieLoad bug with Patch Tuesday updates

By Danny Bradbury

Microsoft’s May 2019 Patch Tuesday fixed 79 vulnerabilities, 19 of which are classed as Critical. Here’s a summary of the most notable ones. 

ZombieLoad

The update fixed a processor logic flaw (CVE-2018-12130) that allows computer programs to steal each other’s’ data.

Discovered by researchers at the Graz University of Technology and KU Leaven, the attack is able to read data between different threads, which are separate programs running on the same physical computer core.

ZombieLoad is known as a Microarchitectural Data Sampling (MDS) vulnerability, and it shares some characteristics with Spectre and Meltdown, the two side channel attacks announced in January 2018. It is a flaw in Intel processor hardware, meaning that it affects any operating systems running on x86 chips, including Windows. It uses Intel’s speculative execution feature to pilfer other programs’ data. As Microsoft explained in the note associated with the patch:

In shared resource environments (such as exists in some cloud services configurations), these vulnerabilities could allow one virtual machine to improperly access information from another.

The attack affects both desktop and server-based systems, although exploiting it isn’t trivial. Someone would need to run a malicious app on the target system.

Microsoft’s patch joins other fixes from companies including Apple and Google. It provides a software workaround until Intel fixes the bug in future processor releases. The patch probably won’t affect performance on consumer systems, said the advisory.

Read more at https://nakedsecurity.sophos.com/2019/05/15/microsoft-fixes-intel-zombieload-bug-with-patch-tuesday-updates/