After many postponed end-of-support dates, and despite the recent retirement of the niche Windows Embedded POSReady 2009, work on Windows XP has not stopped. As part of the monthly update package, informally known as Patch Tuesday, Microsoft published a number of notes on its MSRC portal. These notes describe the affected vulnerabilities: basic details of each hole, methods of protection, characteristics of the updates (checksums, file names) and a severity score for the CVE. Alongside them Microsoft publishes supplementary material comparable to the "Release Notes" practice. Among those supplementary documents, the May batch contains a charming article entitled "Customer guidance for CVE-2019-0708 | Remote Desktop Services Remote Code Execution Vulnerability: May 14, 2019". It links to updates for Windows XP and Windows Server 2003. Publishing updates for products that have been out of support for years was motivated by the very high level of risk posed by the CVE-2019-0708 vulnerability.
Hole in the Remote Desktop
Indeed, this vulnerability, found in the Terminal Services protocol (the classic name of the Remote Desktop function), was rated a staggering 9.8 on the CVSS scale! Problems of that caliber are rare and usually involve holes that allow, for example, bypassing authentication and gaining superuser rights, escaping from a virtual machine, or bypassing memory protection. A 9.8 was given to the infamous Shellshock and to the recent bug (a regression, on top of everything!) of an empty root password in Alpine Linux, a system used en masse by the ranks of lost souls convinced that everything should be a container today (and that Docker Hub is holier than a root CA).
The bug in Windows Terminal Services affects Windows 7 and Vista (and their server editions), but according to the "secret protocol" of MS KB4500705 it is also present in Windows XP and Windows Server 2003 (and probably in Windows 2000 as well). It allows remote code execution on any machine with the Remote Desktop service enabled, and it requires no authentication: it is enough to send a suitably crafted request, and the target machine executes the code with the privileges of the Terminal Services (termsvcs) service.
No exploitation of this vulnerability in the wild is known at present, but problems of this kind bring to mind the darkest period in the history of Microsoft's system security, the beginning of the 21st century, before the Trustworthy Computing principles were implemented. That was when the Blaster and Sasser worms (and, by e-mail, MyDoom) raged across the Internet; the first two needed nothing more than a listening service to propagate on their own. CVE-2019-0708 clearly has that same nature, but over the last fifteen years the nature of network worms has changed for the worse. Today we have to reckon with WannaCry-type epidemics that carry encryption and ransomware as their payload. WannaCry owed its spread to a large population of unpatched Windows machines, Windows XP among them: a (partial) patch for that weakness had been released earlier, but devices remained unpatched on a massive scale. Here is a hole whose fix old Windows XP will not download automatically, because it is not distributed through Windows Update, and practice shows that XP does not get patched anyway. Meanwhile, the Remote Desktop problem also affects Windows 7! A few unfavourable circumstances are enough for a new epidemic to break out.
How to protect yourself
Interestingly, the vulnerability has not yet received a catchy, fashionable name, unlike many holes of recent years. To protect yourself against it on Windows 7 you must install update KB4499164, which has already been distributed via Automatic Updates. According to Microsoft's note, Windows 10 is not affected. The note itself, however, is of poor quality. Version 1.0 of a vulnerability document is often like that, but the statement that "there are no mitigating factors" is somewhat misguided. Disabling the RDP service, after all, would probably count as one …
It is also worth remembering that the malicious request has to arrive over the network and be directed at the RDP port. In most home setups, where a handful of managed devices sit behind the NAT router supplied by the ISP, exploiting this hole from the Internet is difficult. Nevertheless, the vulnerability is there, and it is better to patch it than to place unlimited trust in home electronics.
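The checks above (is the update in, is RDP listening, is the port reachable from outside the LAN) can be scripted. The following is an added example written for this page by the editor, not code from the original article or from Microsoft. It audits a Windows 7 SP1 / Server 2008 R2 SP1 host for KB4499164 (the monthly rollup named in the text) and, as an assumption stated here, for KB4499175, the security-only package of the same month; it then reads the standard Terminal Services registry values and the built-in "Remote Desktop (TCP-In)" firewall rule (both names are assumptions about a default Windows 7 installation). With `-Harden` it applies the two workarounds Microsoft's guidance itself lists: requiring Network Level Authentication, which forces the peer to authenticate before the vulnerable code path is reached, and limiting the firewall rule to the local subnet. Run it in an elevated PowerShell session; it deliberately avoids PowerShell 3+ syntax so it works on the stock PowerShell 2.0 of Windows 7.

```powershell
# Audit a Windows 7 SP1 / Server 2008 R2 SP1 host for CVE-2019-0708 exposure.
# Added example by the editor; not code from the original article or from Microsoft.
# Assumptions: KB4499164 = May 2019 monthly rollup (named in the text),
# KB4499175 = matching security-only update; registry paths and the firewall
# rule name are those of a default Windows 7 installation. Run elevated.
param(
    [switch]$Harden   # also apply the two workarounds (NLA, LAN-only firewall rule)
)

$fixIds = @('KB4499164', 'KB4499175')
$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpKey = "$tsKey\WinStations\RDP-Tcp"
$fwRule = 'Remote Desktop (TCP-In)'   # built-in inbound rule on Windows 7 (assumed name)

# 1. Is the fix installed? Get-HotFix reads Win32_QuickFixEngineering, where both
#    the rollup and the security-only package show up by KB number.
$installed = Get-HotFix -ErrorAction SilentlyContinue |
    Where-Object { $fixIds -contains $_.HotFixID }
if ($installed) {
    $ids = ($installed | ForEach-Object { $_.HotFixID }) -join ', '
    Write-Output "[OK]   CVE-2019-0708 fix present: $ids"
} else {
    Write-Output "[FAIL] Neither $($fixIds -join ' nor ') is installed; install KB4499164 (or KB4499175)."
}

# 2. Is RDP enabled at all? fDenyTSConnections = 1 means the listener is off,
#    which removes the attack surface entirely (the "disable RDP" mitigation).
$deny = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
if ($deny -eq 1) {
    Write-Output "[OK]   Remote Desktop is disabled (fDenyTSConnections=1); nothing listens for the exploit."
} else {
    Write-Output "[WARN] Remote Desktop is enabled; an unauthenticated RDP connection can reach the flaw."
}

# 3. Is Network Level Authentication required? With UserAuthentication = 1 the peer
#    must authenticate (CredSSP) before the vulnerable RDS code path is reached, so
#    the bug degrades from pre-auth RCE to one that needs valid credentials.
$nla = (Get-ItemProperty -Path $rdpKey -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication
if ($nla -eq 1) {
    Write-Output "[OK]   NLA is required on the RDP-Tcp listener."
} else {
    Write-Output "[WARN] NLA is not required; the RDP listener answers unauthenticated clients."
}

# 4. Which port does the listener use? Changing it is obscurity, not a fix, but
#    any firewall rule you write by hand has to match it.
$port = (Get-ItemProperty -Path $rdpKey -Name PortNumber -ErrorAction SilentlyContinue).PortNumber
if (-not $port) { $port = 3389 }
Write-Output "[INFO] RDP listener port: $port"

# 5. Is the inbound firewall rule limited to the local subnet? "RemoteIP: Any"
#    means the port is reachable from anywhere the host can be routed from.
$rule   = netsh advfirewall firewall show rule name="$fwRule" 2>$null
$remote = $rule | Select-String -Pattern '^RemoteIP:\s+(.*)$' | Select-Object -First 1
if ($remote) {
    $scope = $remote.Matches[0].Groups[1].Value.Trim()
    if ($scope -eq 'Any') {
        Write-Output "[WARN] Firewall rule '$fwRule' allows any remote address."
    } else {
        Write-Output "[OK]   Firewall rule '$fwRule' restricted to: $scope"
    }
} else {
    Write-Output "[INFO] Firewall rule '$fwRule' not found (third-party firewall or renamed rule?)."
}

if ($Harden) {
    # Workaround A: require NLA on the RDP-Tcp listener.
    Set-ItemProperty -Path $rdpKey -Name UserAuthentication -Value 1 -Type DWord
    # Workaround B: accept RDP only from the local subnet; adjust to your management network.
    netsh advfirewall firewall set rule name="$fwRule" new remoteip=LocalSubnet | Out-Null
    Write-Output "[DONE] NLA enforced and '$fwRule' limited to LocalSubnet. Re-run without -Harden to verify."
    # To remove the attack surface entirely instead, switch the listener off:
    #   Set-ItemProperty -Path $tsKey -Name fDenyTSConnections -Value 1 -Type DWord
}
```

Two caveats. NLA is a mitigation, not a fix: with valid credentials an attacker can still trigger the bug, so the [OK] on check 3 does not excuse a [FAIL] on check 1. And the firewall scope only helps while the machine stays behind the NAT router described above; a laptop that later joins a hotel or campus network is exposed again, which is one more reason to install the update rather than rely on the workarounds.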