Microsoft is warning that the Internet could see another worm on the scale of the WannaCry attack that shut down computers all over the world two years ago unless people patch a high-severity vulnerability. The software maker took the unusual step of backporting the just-released patch to Windows Server 2003 and Windows XP, which it stopped supporting four and five years ago, respectively. "This vulnerability is pre-authentication and requires no user interaction," Simon Pope, director of incident response at the Microsoft Security Response Center, wrote in a published post that coincided with the company's May Update Tuesday release. "In other words, the vulnerability is wormable, meaning that any future malware that exploits this vulnerability could propagate from vulnerable computer to vulnerable computer in a similar way as the WannaCry malware spread across the globe in 2017. While we have observed no exploitation of this vulnerability, it is highly likely that malicious actors will write an exploit for this vulnerability and incorporate it into their malware."
As if a self-replicating, code-execution vulnerability wasn't serious enough, CVE-2019-0708 (as the flaw in Windows Remote Desktop Services is indexed) requires low complexity to exploit. Microsoft's Common Vulnerability Scoring System calculator rates the attack complexity "low" and gives the flaw an exploitability subscore of 3.9, the highest value that subscore can reach; the overall base score is 9.8 out of 10. (To be clear, the WannaCry developers had potent exploit code written by, and later stolen from, the National Security Agency to exploit the wormable CVE-2017-0144 flaw in SMBv1, whose attack complexity is rated "high.") Ultimately, though, developing reliable exploit code for this latest Windows vulnerability will require relatively little work.
Bartholomew said network firewalls and other defenses that block the RDP service would effectively stop the attack from happening. But as the world learned during the WannaCry attacks, those measures often fail to contain damage that can collectively cost billions of dollars. Independent researcher Kevin Beaumont, citing queries on the Shodan search engine of Internet-connected computers, said that about 3 million RDP endpoints are directly exposed to the Internet.
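Shodan counts exposures across the whole Internet; what a defender actually wants is the same count for their own address space, plus an indication of what each reachable RDP service will negotiate with an unauthenticated client. The script below is an added example, not code from the article or from Microsoft. It builds the X.224 Connection Request that opens every RDP session (MS-RDPBCGR section 2.2.1.1), offers only classic "standard RDP security" (requestedProtocols = 0), and interprets the Connection Confirm: a server that answers with a negotiation response and selects protocol 0 will talk to anyone pre-authentication; one that answers RDP_NEG_FAILURE with HYBRID_REQUIRED_BY_SERVER requires Network Level Authentication (CredSSP) before the session proceeds; a server that answers without any negotiation structure at all predates the negotiation extension, which is typical of old XP and Server 2003 builds. The host list, port, timeout and the three sample responses are constructed for this example.

```python
import socket
import struct
import sys

# Added example: fingerprint RDP endpoints the way a Shodan query would, but
# against your own hosts. Protocol constants are from MS-RDPBCGR 2.2.1.1 ff.
TPKT_VERSION = 3

TYPE_RDP_NEG_REQ = 0x01
TYPE_RDP_NEG_RSP = 0x02
TYPE_RDP_NEG_FAILURE = 0x03

PROTOCOL_NAMES = {0: "standard RDP security", 1: "TLS", 2: "CredSSP (NLA)", 8: "RDSTLS"}
FAILURE_NAMES = {
    1: "SSL_REQUIRED_BY_SERVER", 2: "SSL_NOT_ALLOWED_BY_SERVER",
    3: "SSL_CERT_NOT_ON_SERVER", 4: "INCONSISTENT_FLAGS",
    5: "HYBRID_REQUIRED_BY_SERVER", 6: "SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER",
}


def build_connection_request(requested_protocols=0):
    """TPKT + X.224 Connection Request carrying an RDP_NEG_REQ.

    requested_protocols=0 offers only standard RDP security, so the reply tells
    us whether the server will proceed without TLS/NLA."""
    # RDP_NEG_REQ: type(1) flags(1) length(2)=8 requestedProtocols(4), little-endian
    neg_req = struct.pack("<BBHI", TYPE_RDP_NEG_REQ, 0, 8, requested_protocols)
    # X.224 CR TPDU: LI(1) code(1)=0xE0 DST-REF(2) SRC-REF(2) class(1); LI counts
    # everything after itself, including the negotiation data
    x224 = struct.pack(">BBHHB", 6 + len(neg_req), 0xE0, 0, 0, 0) + neg_req
    # TPKT header: version(1) reserved(1) total length(2), big-endian
    return struct.pack(">BBH", TPKT_VERSION, 0, 4 + len(x224)) + x224


def parse_connection_confirm(data):
    """Interpret the server's X.224 Connection Confirm.

    Returns {"negotiation": bool, "protocol": int|None, "protocol_name": str|None,
    "failure": str|None}; raises ValueError if the bytes are not an RDP reply."""
    if len(data) < 11:
        raise ValueError("short or non-TPKT response")
    version, _, _tpkt_len = struct.unpack(">BBH", data[:4])
    if version != TPKT_VERSION:
        raise ValueError("not a TPKT/RDP response")
    li, code = data[4], data[5]
    if code & 0xF0 != 0xD0:
        raise ValueError("not an X.224 Connection Confirm")
    if li == 6 or len(data) < 19:
        # No RDP_NEG_RSP/RDP_NEG_FAILURE: the server does not implement the
        # negotiation extension (legacy XP/2003-era behaviour)
        return {"negotiation": False, "protocol": 0,
                "protocol_name": PROTOCOL_NAMES[0], "failure": None}
    ntype, _flags, _nlen, value = struct.unpack("<BBHI", data[11:19])
    if ntype == TYPE_RDP_NEG_RSP:
        return {"negotiation": True, "protocol": value,
                "protocol_name": PROTOCOL_NAMES.get(value, "unknown"), "failure": None}
    if ntype == TYPE_RDP_NEG_FAILURE:
        return {"negotiation": True, "protocol": None, "protocol_name": None,
                "failure": FAILURE_NAMES.get(value, "unknown (%d)" % value)}
    raise ValueError("unexpected negotiation structure type %d" % ntype)


def probe_rdp(host, port=3389, timeout=3.0):
    """Connect, send the CR, and classify the reply. None means closed/filtered."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(build_connection_request(requested_protocols=0))
            data = s.recv(1024)
    except (OSError, socket.timeout):
        return None
    return parse_connection_confirm(data)


# Constructed sample replies (not captured from any real host), one per case
SAMPLE_REPLIES = {
    # RDP_NEG_RSP selecting protocol 0: anyone can start a session pre-auth
    "accepts-standard-rdp": bytes.fromhex("030000130ed00000123400" "0200080000000000"),
    # RDP_NEG_FAILURE code 5: server insists on CredSSP/NLA first
    "requires-nla": bytes.fromhex("030000130ed00000123400" "0300080005000000"),
    # Bare Connection Confirm, no negotiation structure at all
    "legacy-no-negotiation": bytes.fromhex("0300000b06d00000123400"),
}

if __name__ == "__main__":
    # Usage: python rdp_probe.py host1 host2 ...   (hosts are whatever you own)
    for host in sys.argv[1:]:
        result = probe_rdp(host)
        if result is None:
            print("%-20s no RDP reply (closed or filtered)" % host)
        elif result["failure"]:
            print("%-20s RDP reachable, negotiation failed: %s" % (host, result["failure"]))
        else:
            print("%-20s RDP reachable, negotiates %s" % (host, result["protocol_name"]))
```

Run it only against hosts you are responsible for; each probe is a single TCP connection and one small packet, so it is safe to schedule from a monitoring box, but the interesting number is how many of your hosts answer at all from outside the perimeter, which is exactly what the Shodan figure measures at Internet scale.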
Besides Windows Server 2003 and XP, CVE-2019-0708 also affects Windows 7, Windows Server 2008 R2, and Windows Server 2008. In a testament to Microsoft's steadily improving security, later versions of Windows, including Windows 8 and Windows 10, aren't at risk.