In a move that has surprised the world, Microsoft just urgently released a patch for older Windows operating systems including unsupported versions of Windows XP and Windows 2003. When was the last time that happened? Yes, that’s right – WannaCry.
This Announcement is Against Microsoft’s DNA
Microsoft pushes harder than ever to eliminate the long tail of legacy devices. There are a few reasons for this:
- Microsoft puts user experience above all else (including security). Windows 10 has many features and an almost-as-new OS experience; Microsoft wants all its users to enjoy the “latest and greatest.”
- Windows 10 has better security features (finally!).
- The effort of supporting such old code is a costly pain.
Microsoft has long had a schedule for ridding itself of legacy OS versions: end-of-life for Windows 7 is scheduled for January 14, 2020, and Windows 7 will become entirely unsupported as of March 14, 2020. At that time, it will no longer receive software updates, even though it currently represents 33.38% of the Windows market.
What Does the Microsoft Patch Include?
It seems the main fix is for CVE-2019-0708, an RCE (remote code execution) vulnerability in Remote Desktop Services. This vulnerability doesn’t require any user interaction and allows an attacker to execute arbitrary code on the victim’s system. According to Microsoft, in order to exploit this vulnerability, an attacker would have to send a specially-crafted request to the target system’s Remote Desktop Service via RDP. The update resolves the issue through improved handling of connection requests.
We’ve confirmed exploitability of Windows Pre-Auth RDP bug (CVE-2019-0708) patched yesterday by Microsoft. Exploit works remotely, without authentication, and provides SYSTEM privileges on Windows Srv 2008, Win 7, Win 2003, XP. Enabling NLA mitigates the bug. Patch now or GFY!
— Chaouki Bekrar (@cBekrar) May 15, 2019
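To turn the two defensive points above (the update resolves the bug; requiring NLA mitigates it) into something an administrator can actually run, here is an added example. It is not SentinelOne’s code and not part of the original post; it reads the standard Terminal Server registry values and the installed-update list, and the KB number is a placeholder because the post does not give one.

```powershell
# Added example (not from the original post): audit one Windows host for the
# conditions the post describes for CVE-2019-0708: RDP reachable, NLA not required,
# update not installed. Uses only Get-WmiObject / Get-ItemProperty so it also runs
# under PowerShell 2.0 on Windows 7 / Server 2008 era systems.
function Get-RdpExposure {
    param(
        # Placeholder: the KB number of the CVE-2019-0708 update for this OS
        # is not stated in the post; supply the one Microsoft lists for your version.
        [string]$PatchKB = 'KB0000000'
    )
    $tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $rdpKey = "$tsKey\WinStations\RDP-Tcp"

    $os = Get-WmiObject -Class Win32_OperatingSystem

    # fDenyTSConnections = 1 means Remote Desktop is switched off on this host.
    $deny = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections `
             -ErrorAction SilentlyContinue).fDenyTSConnections
    # UserAuthentication = 1 means NLA is required before a session is created.
    # An absent value (typical on very old systems) is treated as "not required".
    $nla  = (Get-ItemProperty -Path $rdpKey -Name UserAuthentication `
             -ErrorAction SilentlyContinue).UserAuthentication
    # Win32_QuickFixEngineering lists installed updates by HotFixID ('KBnnnnnnn').
    $patched = [bool](Get-WmiObject -Class Win32_QuickFixEngineering |
                      Where-Object { $_.HotFixID -eq $PatchKB })

    $rdpEnabled  = ($deny -ne 1)
    $nlaRequired = ($nla -eq 1)

    # Rating follows the post: pre-auth bug over RDP, NLA mitigates, update fixes.
    $status = if (-not $rdpEnabled) { 'RDP disabled: not reachable over RDP' }
              elseif ($patched)     { 'Patched' }
              elseif ($nlaRequired) { 'Unpatched, NLA required: mitigated, still patch' }
              else                  { 'EXPOSED: unpatched, RDP enabled, NLA not required' }

    New-Object PSObject -Property @{
        ComputerName   = $env:COMPUTERNAME
        OSVersion      = "$($os.Caption) $($os.Version)"
        RdpEnabled     = $rdpEnabled
        NlaRequired    = $nlaRequired
        PatchInstalled = $patched
        Status         = $status
    }
}

# Run locally; the object can be exported to CSV when collected across a fleet.
Get-RdpExposure | Format-List
```

Run it with the real KB number for the host’s OS version; anything reported as EXPOSED is exactly the case the post is warning about.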
Why Are Legacy Devices Still Out There?
Given that Windows XP and the other patched versions of Windows are so far out of support, how is it possible that so many devices are still running unsupported versions of Microsoft’s software? The reasons can be complicated, and vary from a lack of investment in new hardware to old but mission-critical industrial infrastructure that can’t easily be taken offline for updating. These include areas such as:
- ATM machines
- CNC and pharmaceutical manufacturing
- Industrial control and naval vessels
- Weapons platforms (XP3 Embedded)
- Food safety inspection systems
On top of that, some devices depend on industrial control interfaces so old that they no longer physically exist on newer systems, and some computers simply do not have enough RAM to run Windows 10.
Why is Patching Important?
Although patching is not a cybersecurity silver bullet, that doesn’t mean it isn’t helpful. Just remember WannaCry: “the biggest ransomware offensive in history.” Within 24 hours, WannaCry had infected more than 230,000 computers in over 150 countries. This outbreak exploited a vulnerability that had been known for 91 days and that had already been patched by Microsoft.
WannaCry spread quickly around the globe and also crippled the UK’s National Health Service. Eighteen months after the incident, the Department of Health attempted to calculate the financial cost of WannaCry and put the total figure at £92m.
At SentinelOne, we help our clients see their unpatched devices, ranked by priority. No additional installation is needed.
What a Week! And As If That Wasn’t Bad Enough… 🙁
There is no doubt that the cybersecurity industry is having a tough week. In other news, three AV firms were allegedly hacked and their source code put up for sale, followed by CrowdStrike’s underwhelming S-1 filing highlighting massive cash burn, and then the WhatsApp encryption scandal. Just when it seemed things couldn’t get much worse this week, a new speculative execution bug that leaks data from Intel chips’ internal buffers was revealed.
Finally, in case you missed it, Adobe fixed an unprecedented number of vulnerabilities this week in a single update.
Given the sudden glut of bad news, our advice is: install these updates on as many devices as possible on your network. We know there will be more, so make sure your security procedures are in place and, if you aren’t already a SentinelOne customer, install a free demo to see the difference we make. We’ve proved time and time again that our automated, easy-to-use technology can cope with such open vulnerabilities and keep our clients safe, with or without a dedicated SOC team.
Subscribe to our blog to stay up to date with the latest breaking news.