Two days ago, a new vulnerability was discovered in Windows, affecting users of Windows XP, Windows 7, and other older Windows systems. Users of Windows 8 and 10 are not affected. This remote code execution vulnerability exists in Remote Desktop Services and can be exploited remotely, without authentication, to execute arbitrary code.
Microsoft explains: A remote code execution vulnerability exists in Remote Desktop Services – formerly known as Terminal Services – when an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests. This vulnerability is pre-authentication and requires no user interaction. An attacker who successfully exploited this vulnerability could execute arbitrary code on the target system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
According to Microsoft, this vulnerability is “wormable”, which means that, theoretically, an attacker could use it to deploy malware that would spread automatically between systems with the same vulnerability.
In fact, to illustrate just how serious this problem is, it is worth remembering a notorious attack that also exploited a vulnerability in Windows systems: WannaCry. The global WannaCry attacks used a vulnerability called EternalBlue to infect over 200,000 computers in 150 countries. Microsoft launched a patch for this vulnerability two months before the WannaCry attacks, a fact that underlines the importance of installing patches as soon as they are available. As of today, WannaCry is still active; there have been almost 5 million detections of this ransomware in the two years since the global attacks.
Recommendations: Patch your system and don’t leave any doors open
To protect its users, Microsoft has already launched a patch for the affected systems, including Windows XP, Windows 7 and Windows Server 2008. Although Microsoft “observed no exploitation of this vulnerability, it is highly likely that malicious actors will write an exploit for this vulnerability and incorporate it into their malware.” As such, it is vital that all users of the affected systems install the corresponding patch as soon as possible.
Meanwhile, advanced protection solutions such as Panda Adaptive Defense and Panda Adaptive Defense 360 provide extra layers of security that can turn your endpoints into bunkers by activating Lock Mode. This stops any unknown program from being able to run until it has been validated by Panda Security.
Microsoft also recommends:
- Enabling Network Level Authentication (NLA) on compatible systems (Windows 7, Windows Server 2008 and Windows Server 2008 R2)
- Disabling the Remote Desktop service on those computers where it is not strictly necessary.
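To check where a given computer stands on these two recommendations, the following read-only PowerShell audit can be run locally. It is an added example, not code from Microsoft or Panda Security; the registry paths and value names (fDenyTSConnections, UserAuthentication) are the standard Windows settings for Remote Desktop and NLA and are not named in the article itself.

```powershell
# Added example: read-only audit of the two RDP settings recommended above.
# A Group Policy value, when present, overrides the local one.
$local  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpTcp = "$local\WinStations\RDP-Tcp"
$policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

function Get-RegValue($Path, $Name) {
    # Returns $null when the key or value is absent instead of throwing.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item) { return $item.$Name }
    return $null
}

function Get-EffectiveValue($LocalPath, $Name) {
    # Prefer the policy value; fall back to the local setting.
    $fromPolicy = Get-RegValue $policy $Name
    if ($fromPolicy -ne $null) { return $fromPolicy }
    return Get-RegValue $LocalPath $Name
}

$deny = Get-EffectiveValue $local  'fDenyTSConnections'  # 0 = RDP connections allowed
$nla  = Get-EffectiveValue $rdpTcp 'UserAuthentication'  # 1 = NLA required

$rdpEnabled  = ($deny -eq 0)
$nlaRequired = ($nla -eq 1)

if ($deny -eq $null) {
    # Do not report a missing value as "disabled"; flag it for manual review.
    $finding = 'UNKNOWN: fDenyTSConnections not found; check manually'
} elseif (-not $rdpEnabled) {
    $finding = 'OK: Remote Desktop connections are disabled'
} elseif ($nlaRequired) {
    $finding = 'REVIEW: RDP is enabled with NLA; confirm it is needed and patched'
} else {
    $finding = 'ACTION: RDP is enabled without NLA; enable NLA or disable RDP'
}

New-Object PSObject -Property @{
    Computer    = $env:COMPUTERNAME
    RdpEnabled  = $rdpEnabled
    NlaRequired = $nlaRequired
    Finding     = $finding
} | Format-List
```

The script changes nothing on the system; it only reports the effective settings so that machines with RDP enabled and NLA off can be prioritized.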
Make sure you are on top of updates and patches
The list of cyberattacks that have been made possible by a lack of relevant patches is extensive: from ransomware and cryptojacking, to massive data breaches. One of the problems when it comes to searching for and applying the necessary patches is a lack of resources and time in companies. What’s more, a lot of the time it is difficult to prioritize which patches to apply first.
To help prioritize, manage and deploy patches and updates, Panda clients have Panda Patch Management. This module, which requires no additional deployment from the client, not only provides patches and updates for operating systems, but also for hundreds of third-party applications.
- Discover, plan, install, and monitor: Provides visibility of endpoint health in real time, in terms of vulnerabilities, patches or pending updates, and unsupported software (EoL).
- Audit, monitor, and prioritize updates on operating systems and applications. Allows real time visibility of the status of pending patches and updates for the system and third party applications.
- Prevents incidents, systematically reducing the attack surface created by software vulnerabilities. The management of patches and updates enables organizations to get ahead of vulnerability exploit attacks.
- Contains and mitigates attacks, immediately patching one or several endpoints: The console correlates detected threats and exploits with the uncovered vulnerabilities. Response time is minimized, containing and remediating attacks.