A newly acknowledged vulnerability in Windows XP and Windows 2003 means that some utilities, healthcare providers, and other 24-7 networks will be caught “out in the open” by exploits soon to come.
Microsoft Security Response Center (MSRC) published an update on May 14: “Prevent a worm by updating Remote Desktop Services (CVE-2019-0708).” In case you were wondering, that string of letters and numbers at the end of the title refers to a critical Remote Code Execution (RCE) vulnerability that would allow malware to infect networks with old versions of Remote Desktop Services (formerly known as Terminal Services).
Like many of the vulnerabilities that have let attacks spread across computers on a global scale in the last few years, this one amounts to a backdoor into your network. Now that the hacking community knows it is there (which it does by now), it will be able to infect antiquated versions of Remote Desktop Services with ease.
For 96.43% of our computers this is just another humdrum affair. Vulnerabilities are identified and patched all the time. No problem. We just update our Operating System to remove the vulnerability. Odds are very good that your system is already protected.
But for some of the 3.57% of computers that still run Windows XP (data from Net Marketshare), this update will be impossible to execute. It just so happens that many of these computers are currently running some of the United States’ most valuable systems and organizations.
BLAME THE PATCHWORK PATCHING SYSTEM, BUT THE PROBLEM RUNS DEEPER
The current blind spot that will leave many of the 3.57% of Windows XP users unpatched and unprotected involves the patching process itself. The same process was responsible for multiple global malware attacks in the last couple of years, worm-based attacks like WannaCry and WannaCrypt.
More recently, two oldie-but-goodie campaigns have targeted Apache Struts servers. Apache Struts published another RCE vulnerability (CVE-2017-5638) two years ago, and it resulted in the Equifax data breach. Despite a patch being available since March 2017, the vulnerability still causes intermittent malware infections worldwide, as identified in a recent report by F5 Labs.
Like its astonishing precedents, this latest Remote Desktop vulnerability will in all likelihood be exploited by hackers for quite some time.
Windows XP is over 15 years old, and Microsoft announced in April 2014 that it would discontinue servicing the OS. This means that instead of automatic updates that occur with the click of the “OK” button, Windows XP users will need to patch their systems manually.
That would be fine, except that many of the systems still relying on XP to function do so because they are sleepless networks. The resources they help to organize tend to be critical assets, so they cannot afford any downtime. CyberX, a cybersecurity company, recently estimated that 53% of industrial sites run unsupported Windows machines (CyberX Global ICS & IIoT Risk Report, 2019). For these companies and the many organizations like them, the Microsoft download-and-install-it-yourself kit cannot solve the complexities they face. As with previous security threats like WannaCry, there will likely be a large number of companies without the spare resources required to upgrade to the latest version of Windows; they will remain unprotected, and over the years they will be hacked.
These are organizations like healthcare providers, electric companies and manufacturers whose services are depended on by countless people.
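The gap the article describes is an inventory problem before it is a patching problem: a defender first has to know which hosts still run an unserviced Windows release with Remote Desktop Services reachable and the out-of-band fix not yet installed. The script below is an added example, not code from the original article or from Microsoft; it assumes a hypothetical asset-inventory CSV export with the columns host, os, rdp_enabled and patch_installed (the rows are constructed sample data), and it ranks hosts so that unsupported, RDP-exposed, unpatched machines come first.

```python
"""Triage a Windows asset inventory for exposure to CVE-2019-0708.

Assumed input (not from the original article): a CSV export with the columns
host, os, rdp_enabled, patch_installed. The patch_installed column is a
site-specific flag meaning "the Remote Desktop Services fix for this CVE is
applied"; the exact update identifier is left to the inventory system.
"""
import csv
import io
from dataclasses import dataclass

# Releases the article names as still in production but no longer serviced,
# so the fix cannot arrive through automatic updates.
UNSUPPORTED_OS = {"windows xp", "windows server 2003"}

# Constructed sample inventory (hypothetical host names, not real data).
SAMPLE_INVENTORY = """host,os,rdp_enabled,patch_installed
hmi-01,Windows XP,yes,no
hmi-02,Windows XP,no,no
fileserver-03,Windows Server 2003,yes,yes
ws-17,Windows 10,yes,no
ws-18,Windows 10,yes,yes
"""

SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2, "ok": 3}


@dataclass
class Host:
    name: str
    os: str
    rdp_enabled: bool
    patched: bool


def _flag(value: str) -> bool:
    """Interpret the yes/no style booleans an inventory export typically uses."""
    return value.strip().lower() in {"yes", "true", "1"}


def parse_inventory(text: str) -> list:
    """Parse the CSV export into Host records."""
    rows = csv.DictReader(io.StringIO(text))
    return [
        Host(r["host"].strip(), r["os"].strip(),
             _flag(r["rdp_enabled"]), _flag(r["patch_installed"]))
        for r in rows
    ]


def triage(host: Host) -> tuple:
    """Return (severity, recommended action) for a single host."""
    if host.patched:
        return ("ok", "fix installed; no action")
    if not host.rdp_enabled:
        # Not reachable through Remote Desktop, but still unpatched: schedule it.
        return ("medium", "Remote Desktop disabled; schedule the fix")
    if host.os.lower() in UNSUPPORTED_OS:
        # No automatic updates since 2014: the fix must be fetched and installed
        # by hand, and the host should not be reachable over RDP until it is.
        return ("critical",
                "unsupported OS exposed via Remote Desktop; install the manual "
                "fix and restrict RDP reachability until it is applied")
    # Supported release: the ordinary update channel closes the hole.
    return ("high", "run Windows Update")


def prioritized_report(text: str) -> list:
    """Triage every host and order the findings worst-first, then by name."""
    findings = [(h.name, *triage(h)) for h in parse_inventory(text)]
    return sorted(findings, key=lambda f: (SEVERITY_ORDER[f[1]], f[0]))


if __name__ == "__main__":
    for name, severity, action in prioritized_report(SAMPLE_INVENTORY):
        print(f"{severity:8} {name:14} {action}")
```

Run against the constructed inventory, the XP host with Remote Desktop enabled and no fix lands at the top of the list, while the patched 2003 server and the patched workstation drop to the bottom; feeding the script a real export from an asset-management system only requires keeping the same four columns.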
HOW TO PREVENT FUTURE EXPLOITS?
In the two decades since Windows XP came out, IT has developed new capabilities and a fuller understanding of the software lifecycle. Upgrading a system without incurring downtime is possible and even relatively simple to do, especially with a business continuity and disaster recovery plan.
The problem is motivating a proactive solution before problems arise. More businesses will take active steps in prevention as their neighbors are hacked first. But there will always be a few easy pickings for the hacker community.
The best thing any of us can do is to prioritize network security, not only for ourselves but also for the organizations and individuals we engage with. Even a question as simple as, “Does your business have a disaster recovery plan?” can really make a difference in shoring up the community. Coming from us, that question carries less weight, because security is a big part of what we do.
But take a moment and think about the following scenario. You come home one day and notice the neighbor’s back door is wide open. Wouldn’t you walk over and make sure everything was all right? If for some reason they weren’t aware that entrances and exits should be closed and locked at all times, wouldn’t they understand the importance of the issue from the look on your face and the tone of your voice?
Security is a communal problem both on your block and in your local data center. When one of us is exploited, we all become more likely targets. If we can start treating network security like the communal problem that it is, our society will save itself a lot of damages, theft, and outages in the years to come.