Microsoft releases emergency patches for serious RDS flaw

Microsoft has warned of a serious security vulnerability in its older, theoretically-unsupported Windows operating systems, releasing patches which need to be applied manually for those systems no longer receiving automated updates.

Despite a steady stream of stays of execution, Windows XP is officially end-of-life alongside server-centric Windows 2003. Late last night, however, Microsoft announced it was releasing emergency security patches for both - alongside the still-in-support Windows 7, Windows Server 2008 R2, and Windows Server 2008 - to head off a worm which is targeting a hitherto undiscovered vulnerability in the company's Remote Desktop Services (RDS) functionality formerly known as Terminal Services.

'This vulnerability is pre-authentication and requires no user interaction. In other words, the vulnerability is "wormable," meaning that any future malware that exploits this vulnerability could propagate from vulnerable computer to vulnerable computer in a similar way as the WannaCry malware spread across the globe in 2017,' warns Microsoft's Simon Pope of the flaw. 'While we have observed no exploitation of this vulnerability, it is highly likely that malicious actors will write an exploit for this vulnerability and incorporate it into their malware.

'Now that I have your attention, it is important that affected systems are patched as quickly as possible to prevent such a scenario from happening. In response, we are taking the unusual step of providing a security update for all customers to protect Windows platforms, including some out-of-support versions of Windows.'

Those running Windows 7, Windows Server 2008 R2, and Windows Server 2008, Pope explains, will receive the patch automatically through the Windows Update system as usual; Windows XP and Windows 2003 users, by contrast, need to download and install a manual update - or, Pope recommends, 'upgrade to the latest version of Windows'. Windows 8 and Windows 10, by contrast, are unaffected.

'There is partial mitigation on affected systems that have Network Level Authentication (NLA) enabled. The affected systems are mitigated against "wormable" malware or advanced malware threats that could exploit the vulnerability, as NLA requires authentication before the vulnerability can be triggered,' Pope adds. 'However, affected systems are still vulnerable to Remote Code Execution (RCE) exploitation if the attacker has valid credentials that can be used to successfully authenticate. It is for these reasons that we strongly advise that all affected systems – irrespective of whether NLA is enabled or not – should be updated as soon as possible.'

More information is available in the Technet blog post.