Dark Reading, May 17, 2019, with comments from Satya Gupta;

Microsoft’s decision to patch unsupported machines for the critical CVE-2019-0708 flaw is a reminder that XP, 2003, and other older versions of Windows still run in some enterprises.

In the last couple of weeks, a number of cyber security flaws made news but the capturing the most attention is the critical Microsoft remote code execution (RCE) bug. This vulnerability is also known as CVE-2019-0708 (or BlueKeep-see our article Microsoft ‘Bluekeep’ Flaw Threatens Medical Devices, IoT https://virsec.com/microsoft-bluekeep-flaw-threatens-medical-devices-iot/ ), impacting systems running versions of Windows that are both still under support (Windows 7, Server 2008 and Server 2008 R2) and no longer supported (Windows 2003 and XP).

Due to weaponizable-worm threat, Microsoft releases rare patch

The RCE vulnerability hasn’t yet been exploited by hackers in the wild, but the potential for destructive is so extensive, Microsoft was motivated to release security patches and fixes for these older systems. In the hands of bad actors, the flaw could be weaponized as a worm, capable of spreading rapidly to other at-risk computers. The vulnerability shares some similarities with WannaCry, which quickly spread around the world in 2017 and cost organizations billions.

Microsoft’s step to release a patch deviates from the norm and emphasizes the importance of addressing the threat. In a blog post, the director of Microsoft Security Center, Simon Pope, referred to the patch as an unusual step and urged businesses to respond as quickly as possible. The urgency comes in part because so many companies are still using older machines and systems with old and retired software versions. The nature of the applications they run make it difficult to perform upgrades. These complexities can also make implementing security patches difficult as well. But remaining exposed poses significant risks to these organizations.

“As we saw with WannaCry, thousands of legacy systems remain unpatched because they’re running fragile software stacks nobody wants to touch,” notes Satya Gupta, cofounder and CTO at Virsec. “But patching is always slower and more difficult than organizations want to admit because it’s a disruptive process and can cause unintended problems. While businesses should act on Microsoft’s alerts as soon as possible, there remain issues for “unpatchable” systems.”

Low hanging fruit for attackers

This flaw carries several aspects that are bound to draw attackers. First, it doesn’t require any authentication from a user. Once attackers authenticate themselves, they can connect to other systems using Remote Desktop Protocol. From there they can install programs, steal or delete information, download malware, set up new accounts and basically perform any desired action they wish with full privileges. Remote systems are vulnerable too – hackers can easily access and compromise additional systems remotely across the network.

Scan reveals nearly a third of systems vulnerable

Alert Logic research performed scans of 4,000 sites. Sixty-one percent of workloads running on Windows 7 and Windows 2008 systems were vulnerable. The older systems – Windows XP and 2003 – showed far less at 2.4% vulnerable. But the two combined come close to 2/3s of these systems that are at risk of being attacked. Boston research firm CyberX reveals that 53% of websites are still using outdated versions of Windows.

Perhaps most threatened are Medical and Industrial Control Systems (ICS)

All types of organizations are vulnerable to this threat, but few have such life-and death risks as healthcare and critical infrastructure. Manufacturing companies are also in the same boat. And all of these industries are known for relying on older Windows systems. Connected systems are especially threatened, such as healthcare staff managing medical equipment or ICS/SCADA staff managing the safety of machinery and public utilities. Engineers and remote operators utilize RDS to control their equipment and their environments. Leveraging the RDS flaw, a bad actor need only access one vulnerable machine to then take hold of an entire network.

Words like WannaCry, ransomware, and widespread system failure strike fear and bad memories into the hearts of many at companies like FedEx, Boeing, Nissan, Honda, Telefonica and more. CVE-2019-0708 opens the same kinds of doors to attacks and exposes companies to the same threats these firms experienced first hands. Companies like ICS and others that can’t readily patch face especially challenging choices.

If organizations are unable to implement patches, other security measures, such as those from Virsec, that provide equivalent protections are options to consider.

Read full When Older Windows Systems Won’t Die article

Further resources:

White paper:
ICS-SCADA SECURITY: Protection for Critical Infrastructure Servicesand Information Systems

Solution brief/Case study:
Case Study: Raytheon and Virsec Partner to Guard the Grid

Blogs:
Microsoft ‘Bluekeep’ Flaw Threatens Medical Devices, IoT

Prediction Series #2: Companies are unprepared for cyber attacks that continue to threaten ICS/SCADA systems

Patching the Iron Tail Is Easier Said than Done

Newsletter: Latest issue

Critical Infrastructure Security: Product page