Microsoft reports 'critical' flaw in Windows 7 and older

Referred to as the May 14, 2019-KB4500154 Update, this update brings the Windows 10 Mobile operating system to build number 15254.566.

The vulnerability causing all the fuss is a flaw in Remote Desktop Services, which as the name implies lets you remotely control a far-off PC from a second PC.

Patch Tuesday: It's that time of the month again, and Microsoft has released a bumper bundle of security fixes for Patch Tuesday, including one for out-of-support operating systems Windows XP and Server 2003.

Microsoft says that the critical RDS vulnerability tracked as CVE-2019-0708 impacts only older in-support versions of Windows (i.e. Windows 7, Windows Server 2008 R2, and Windows Server 2008), with security updates for the affected versions being available via the Microsoft Security Update Guide.

"This vulnerability is pre-authentication and requires no user interaction", the MSRC blog post says. The vulnerability, he said, "should be the highest priority patching because, in addition to the wormable capabilities in this exploit, many modern ransomware variants, such as Dharma, Robbinhood, and CrySIS, often use vulnerable RDP servers to gain access to victim networks".


Customers who use an in-support version of Windows such as Windows 7 and Windows Server 2008 will receive the update if they have automatic updates enabled, while Windows XP users can download fixes from Microsoft's Update Catalogue or upgrade their version of Windows. Windows 8 and 10 are unaffected, but there's still a vast pool of older systems out there that could be hit if left unpatched.

Despite this, potential attackers could still abuse the RCE vulnerability if they already have the credentials needed to authenticate on a system where RDS is enabled. But this flaw is so serious that Microsoft has also issued a patch for Windows XP and its server brethren, which officially died five years ago.

A patch is now available for a privilege escalation vulnerability exploited in the wild that affects the way Windows Error Reporting handles files. In particular, there are fixes out for the information-leaking family of Microarchitectural Data Sampling (MDS) security flaws in Intel processors revealed this week.

RIDL and Fallout can be exploited by unprivileged code, such as code running on shared cloud computing resources or JavaScript on malicious websites or in ads.

Microsoft's May 2019 Patch Tuesday fixed 79 vulnerabilities, 19 of which are classed as Critical.
