Critical wormhole brings patches for Windows XP and Server 2003

A newly discovered vulnerability in the commonly used Remote Desktop Services (RDS) that can be abused to create worms or self-spreading malware has prompted Microsoft to create security patches for the obsolete Windows XP and Server 2003 operating systems.

Microsoft's Security Research Centre director Simon Pope said RDS which was known as Terminal Services, a management and network access tool for Windows, contains a wormable vulnerability.

This could allow malware to propagate to vulnerable computers without authentication or user interaction like the WannaCry worm that wreaked havoc two years ago, Pope warned.

"While we have observed no exploitation of this vulnerability, it is highly likely that malicious actors will write an exploit for this vulnerability and incorporate it into their malware," Pope said.

The Remote Desktop Protocol (RDP) is not itself vulnerable.

Windows 7, Windows 2008 and 2008 R2, are vulnerable, along with the even older and out of support Windows Server 2003 and XP variants.

Microsoft has posted patches for the two latter versions of Windows but strongly suggests users upgrade to newer variants of the operating system.

"Customers running Windows 8 and Windows 10 are not affected by this vulnerability, and it is no coincidence that later versions of Windows are unaffected.

Microsoft invests heavily in strengthening the security of its products, often through major architectural improvements that are not possible to backport to earlier versions of Windows," Pope said.

Partial mitigation against the RDS vulnerability is possible with network-level authentication (NLA). This measure would stop worms as long as attackers don't have valid credentials for authentication on vulnerable systems. 

Separately, Microsoft's regular monthly round of security patches for Windows addresses 22 critical vulnerabilities.

Of these, 18 patches deal with vulnerabilities in the Windows Scripting Engine and web browsers. Four handle remote code execution vulnerabilties in the Windows dynamic host control protocol (DHCP) server that assigns internet protocol addresses to clients, as well as flaws in the GDI+ graphics rendering component and Microsoft Word.

A patch is now available for a privilege escalation vulnerability exploited in the wild that affects the way Windows Error Reporting handles files. Attackers exploiting the vulnerability can run arbitrary code in kernel mode, allowing them to install programs, access, modify and delete data and make new accounts with Administrator privileges.

Microsoft also issued mitigation guidance for the latest hardware design flaws affecting Intel processors that allow so-called Microarchitectural Data Sampling (MDS) attacks.

Security researchers have shown it is possible to exploit MDS vulnerabilities with attacks such as rogue in-flight data load (RIDL) and Fallout to glean secrets and sensitive information such as password and digital keys on recent Intel processors.

RIDL and Fallout can be exploited via unprivileged code such as shared cloud computing resources and Javascript on malicious websites or in ads.

Fallout breaks the kernel address space layout randomisation (KASLR) security feature that makes it harder for attackers to guess where in memory data is stored.

The researchers from the universities in Australia, the United States, Belgium, Austria and CSIRO's Data 61 unit noted that newer Coffee Lake Refresh i9 processors are ironically enough more vulnerable to Fallout compared to older parts, due to Intel's countermeasures against the earlier Meltdown speculative execution information leak flaw.

Researchers have also tested Intel processors from 2011 onwards and found that they are vulnerable to the ZombieLoad that can read sensitive data from users' machines through malicious websites.

Fixing the MDS side-channel vulnerabilities will require micro-code updates from Intel for processors, along with updates to operating systems and hypervisors.

While Microsoft says in its guidance that customers might need to disable HyperThreading on processors, Intel recommends against doing so and says it does not fully mitigate against MDS attacks.