Microsoft reports 'critical' flaw in Windows 7 and older

Microsoft Patches 'Wormable' Flaw in Windows XP, 7 and Windows 2003

Referred to as the May 14, 2019-KB4500154 Update, this update brings the Windows 10 Mobile operating system to build number 15254.566.

The vulnerability causing all the fuss is a flaw in Remote Desktop Services, which, as the name implies, lets you remotely control a far-off PC from a second PC.

It's that time of the month again, and Microsoft has released a bumper bundle of security fixes for Patch Tuesday, including one for out-of-support operating systems Windows XP and Server 2003.

Microsoft says that the critical RDS vulnerability tracked as CVE-2019-0708 impacts only older in-support versions of Windows (i.e. Windows 7, Windows Server 2008 R2, and Windows Server 2008), with security updates for the affected versions being available via the Microsoft Security Update Guide.

"This vulnerability is pre-authentication and requires no user interaction", the MSRC blog post says. The vulnerability, he said, "should be the highest priority patching because, in addition to the wormable capabilities in this exploit, many modern ransomware variants, such as Dharma, Robbinhood, and CrySIS, often use vulnerable RDP servers to gain access to victim networks".

Customers who use an in-support version of Windows such as Windows 7 and Windows Server 2008 will receive the update if they have automatic updates enabled, while Windows XP users can download fixes from Microsoft's Update Catalogue or upgrade their version of Windows. Windows 8 and 10 are unaffected, but there's still a vast pool of older systems out there that could be hit if left unpatched.

Despite this, potential attackers could still abuse the RCE vulnerability if they already have the credentials needed to authenticate on a system where RDS is enabled. But this flaw is so serious that Microsoft has also issued a patch for Windows XP and its server brethren, which officially died five years ago.

A patch is now available for a privilege escalation vulnerability exploited in the wild that affects the way Windows Error Reporting handles files. In particular, there are fixes out for the information-leaking family of Microarchitectural Data Sampling (MDS) security flaws in Intel processors revealed this week.

RIDL and Fallout can be exploited by unprivileged code, such as code running on shared cloud computing resources and JavaScript on malicious websites or in ads.

Microsoft's May 2019 Patch Tuesday fixed 79 vulnerabilities, 19 of which are classed as Critical.
