Microsoft releases worm fix for older versions of Windows

by Mark Tyson on 15 May 2019, 11:21

Tags: Microsoft (NASDAQ:MSFT), Windows XP, Windows 7


In an effort to prevent another WannaCry (2017) style malware outbreak, Microsoft has released software patches for older Windows systems, including some that are long past their support dates. The patches address CVE-2019-0708, a critical Remote Code Execution vulnerability in Remote Desktop Services (formerly known as Terminal Services) that could be used by a worm to spread from machine to machine. Exploitation is pre-authentication and requires no user interaction on an unpatched system. At the time of writing Microsoft has not observed any exploitation of this vulnerability, but thinks it "highly likely that malicious actors will write an exploit for this vulnerability and incorporate it into their malware" in the future.

Windows versions that are affected

Microsoft notes that vulnerable in-support systems include Windows 7, Windows Server 2008 R2, and Windows Server 2008 systems. For such systems you can download updates via the Microsoft Security Update Guide or they will be delivered via automatic updates, if enabled.

Windows XP and Windows 2003 systems are out of support and, given their age, Microsoft strongly recommends that users move to a newer OS. Nonetheless, it has made fixes available for these systems as patch KB4500705.

Lastly, customers running Windows 8 or Windows 10 are not affected by the critical Remote Code Execution vulnerability outlined in the intro. Microsoft crows that "it is no coincidence that later versions of Windows are unaffected". It explains "Microsoft invests heavily in strengthening the security of its products, often through major architectural improvements that are not possible to backport to earlier versions of Windows."

Microsoft mentions that some older Windows OSes have partial mitigation against the vulnerability if Network Level Authentication (NLA) is enabled, as NLA requires the client to authenticate before the vulnerable code can be reached. However, affected systems remain vulnerable to Remote Code Execution (RCE) if an attacker has valid credentials, so NLA raises the bar without removing the need for the patch.
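The three states the article describes (patched, unpatched but NLA-protected, unpatched and exposed) can be checked per host. The PowerShell below is an added example, not code from the article or from Microsoft; it reads the standard Terminal Server registry values and queries installed updates, and assumes it is run elevated on the host being audited with the KB id for that host's OS passed in (the article names KB4500705 only for Windows XP and Server 2003, so that value is a placeholder for other OSes).

```powershell
# Added example: audit one host's exposure to CVE-2019-0708 as described in the
# article. Assumptions: run elevated on the host; $FixKb is the KB for this OS.
param(
    [string]$FixKb = "KB4500705"   # placeholder: substitute the KB for your OS
)

$tsKey  = "HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server"
$rdpKey = "$tsKey\WinStations\RDP-Tcp"

# fDenyTSConnections = 1 means Remote Desktop is switched off entirely.
$rdpDisabled = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections `
    -ErrorAction SilentlyContinue).fDenyTSConnections -eq 1

# UserAuthentication = 1 means NLA is required: the client must authenticate
# before a session is created, which is the partial mitigation the article notes.
$nlaRequired = (Get-ItemProperty -Path $rdpKey -Name UserAuthentication `
    -ErrorAction SilentlyContinue).UserAuthentication -eq 1

# Get-HotFix lists installed updates by KB id; absence means the fix is missing.
$fixInstalled = [bool](Get-HotFix -Id $FixKb -ErrorAction SilentlyContinue)

$os = (Get-WmiObject Win32_OperatingSystem).Caption
[pscustomobject]@{
    Host         = $env:COMPUTERNAME
    OS           = $os
    RdpEnabled   = -not $rdpDisabled
    NlaRequired  = $nlaRequired
    FixInstalled = $fixInstalled
}

# Rank the findings: the patch is the only complete fix; NLA only raises the bar
# to "attacker with valid credentials"; RDP disabled removes the exposed service.
if ($fixInstalled) {
    Write-Output "OK: $FixKb is installed."
} elseif ($rdpDisabled) {
    Write-Output "RISK LOW: unpatched, but Remote Desktop is disabled. Still apply $FixKb."
} elseif ($nlaRequired) {
    Write-Output "RISK MEDIUM: unpatched; NLA requires credentials before the flaw is reachable. Apply $FixKb."
} else {
    Write-Output "RISK HIGH: unpatched and RDP reachable without NLA. Apply $FixKb or enable NLA now."
}
```

Get-HotFix matches the exact KB id, so use the id for the update channel (security-only update or monthly rollup) your hosts actually receive, otherwise a patched host can be reported as unpatched.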

Just because updates are available doesn't mean they will be applied

WannaCry / Wanna Decryptor had a devastating impact on PCs worldwide, famously including systems installed in the UK's health services. However, the issuing of these patches for older OSes doesn't mean that users, companies and institutions will get around to updating their old systems anytime soon.

HEXUS Forums :: 6 Comments

Seems even Microsoft have completely forgotten about Vista's existence (although the codebase has some acknowledgement with Server 2008).
A good, responsible move from MS.



However, the issuing of these patches for older OSes doesn't mean that users, companies and institutions will get around to updating their old systems anytime soon.
True enough …. but for various reasons.

I won't be updating my several remaining W7 systems, but then I know they are not susceptible to infection, and absolutely incapable of taking part in future WannaCry attacks.

The problem is that the vast majority of potentially vulnerable users don't know they're vulnerable, wouldn't know WannaCry if it bit their backside and therefore aren't likely to see, let alone apply, this or any other patch.

Still, MS can't do much about them, now.
Saracen999
The problem is that the vast majority of potentially vulnerable users don't know they're vulnerable, wouldn't know WannaCry if it bit their backside and therefore aren't likely to see, let alone apply, this or any other patch.

Still, MS can't do much about them, now.

If only MS had a system of mandatory patching… <runs for cover…>
DanceswithUnix
<runs for cover…>

A wise move!
DanceswithUnix
If only MS had a system of mandatory patching… <runs for cover…>
Three reactions :-


1) Oooh, you …. you …. dammit, why can I never find a spare custard pie when I need one, and hiding behind the sofa won't do you any good. Oh, never mind custard pies, found a fresh cowpat.

2) Ever considered a career on the stage? No? Probably wise.


3) The serious one, ignoring the obvious prodding at tender spots.


Okay, two different things.

As I said yesterday (I think) I see three types of “update” :-

a) Bug-fixes.

b) Security patches (of varying degree of urgency)

c) feature changes or new features.


In regard to a), only a fool objects to bug-fixes of stuff they use. And possibly, standard components even if they don't use them, though removing unwanted components would be a better option for many users.

In regard to b), only a fool ignores security patches.

However, there is a difference between “ignore” and “defer”, in relation to both a) and b).

Personally, I would install critical security patches right now unless I am doing something too important to interrupt at the moment. I reserve the right to disregard even that, in order to finish what I need to do, or transfer to a different machine, or run a backup, file-sync, whatever. If necessary, turn off the wifi router or disconnect the ethernet cable in the meantime.

A LOT depends on what “update” means, because it can be anything from replacing a single file, perhaps shutting and restarting a service in the process, to installing thousands of files, GB of stuff, and effectively applying what used to be a service pack, which will both take a goodly chunk of time and run the risk, small though it may be, of borking the machine …. which I cannot afford to risk if it's 9am and an editor is expecting copy on his (electronic) desk by 10am, latest.

My argument in those cases is, by all means default to auto-update, and give more sophisticated users a decent level of control of, at a minimum, when.

It's a bit different, as said elsewhere, when it comes to new features, or radically changing or removing existing ones.

Put it this way. Why should MS be able to decide what new “features” you, or I, need?

There's about a gazillion software houses out there, all writing stuff they hope will sell. And good luck to them. I've bought quite a few packages that way, from FTP Server software, to a Book Collector database, to genealogy software. But each of those is a niche product. You personally, Dances, might want or have decent FTP Server software, but I'd bet about 99% of Win users would either have no clue what it is, or no need at all for it.

Similarly, only people seriously researching their family tree are likely to want commercial-grade software, and only a serious book collector (I'm at about 4000 books) needs a commercial-grade database.

And there must be thousands of other niches. In fact, here's one. I have some software that allows mil-spec encryption and burning to CD/DVD. Without both that software and user-generated keys, you aren't decrypting those disks unless you're GCHQ, the NSA or some other world-class and probably sovereign state agency, or hacker collective …. and if you are and do decrypt ‘em, you’re due to be mightily disappointed unless you're desperate for my letters from my doctor, archived domestic utility bills and so forth.


Anyway, back on point.

Nobody in their right mind would let any of those gazillions of software houses just install their stuff whether the user wants it or not, but if MS decides to buy 100,000 of those packages and install them, we're supposed to just let them because, hey, it's MS and they called it a feature, or enhancement, or whatever.


Here's a somewhat purist thought any software developer ought to get - if it ain't installed, it can't go wrong. It also doesn't pointlessly use seemingly ever-larger amounts of HD (let alone SSD) space installing loads of bloatware I don't want, would never buy or even install if free, and sometimes (like Alexa-AI) vehemently object to.

Microsoft are, IMHO, abusing a perfectly rational case for categories a) and b) by push-installing stuff with or without users' agreement and regardless of their wishes.

Oh, and note …. re: a) and b), when MS FINALLY extended the deferral period to 35 days, I said in the relevant thread that that was probably enough, even for a vocal critic like me.

But not for c).