CVE-2019-0708: Winter Doesn’t Have to Come Today

For those of you not in love with Game of Thrones Season 8 (see the petition asking HBO to redo this season), Microsoft Patch Tuesday is offering its own degree of dramatic flair.

On Tuesday, May 14, Simon Pope, Director of Incident Response, Microsoft Security Response Center (MSRC), wrote the blog post “Prevent a worm by updating Remote Desktop Services (CVE-2019-0708).” He said, “In other words, the vulnerability is ‘wormable’, meaning that any future malware that exploits this vulnerability could propagate from vulnerable computer to vulnerable computer in a similar way as the WannaCry malware spread across the globe in 2017. While we have observed no exploitation of this vulnerability, it is highly likely that malicious actors will write an exploit for this vulnerability and incorporate it into their malware.”

This turned a lot of heads. Eye-grabbing headlines appeared quickly, such as “To Prevent Another WannaCry, Microsoft Patches Old OSs” (BankInfoSecurity) and “Microsoft Issues Urgent Fix For Windows In First XP Patch Since WannaCry” (Forbes). This is compounded by the reality that, according to representative Flexera data, approximately 70% of customers will have a vulnerable system in their environment.

So what do we take from all this and what should you do?

  • Understand your environment: It’s simple to say and hard to do: you need to understand your environment. The consequences of end-of-life (EOL) software and hardware — and products at end-of-support (EOS) — are too great to ignore. To reduce the risks and costs associated with end-of-life software and hardware, you first must know whether you have any obsolete software and hardware, and where they reside. But finding the EOL and EOS dates and accurately locating all the instances of obsolete products isn’t easy.
  • Update where you can: Downloads for in-support versions of Windows (Windows 7, Windows Server 2008 R2, and Windows Server 2008) can be found in the Microsoft Security Update Guide.
  • Upgrade when you have to: As we said above, and as Microsoft proved this week, the consequences of EOL software and hardware are significant. Out-of-support systems include Windows 2003 and Windows XP. If you are on an out-of-support version, the best way to address this vulnerability is to upgrade to the latest version of Windows. Even so, Microsoft is also making fixes available for these out-of-support versions of Windows in KB4500705.
  • Prioritize: With tens of thousands of theoretical software vulnerabilities, it’s hard to know where to start. How do you prioritize them all? Machine learning. Machine learning, combined with natural language processing (AI) and human curation, has gotten good enough that we can now know which vulnerabilities are actually exploited—taken from theoretical to real. With a great degree of certainty and scalability, we can now know which of the thousands of vulnerabilities released every year are actually used by the bad guys. Flexera is one of the first companies in the world to assess the vulnerabilities of the software actually present in an environment and include exploitation evidence in that assessment.
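The first three steps above (know which Windows versions you run, update the in-support ones, patch or upgrade the out-of-support ones) can be turned into a quick inventory check. The script below is an added example, not Flexera’s or Microsoft’s code: it queries each host’s Windows version over WMI, flags the Windows XP / Server 2003 family the post names as out of support, and checks whether KB4500705 is installed there. The host names are placeholders, and it assumes an account with remote WMI (DCOM) access.

```powershell
# Added example (not Flexera's or Microsoft's code). Placeholder host names;
# assumes an admin account with remote WMI/DCOM access to each host.
$Hosts = @('XP-FINANCE-01', 'SRV2003-APP-02', 'WIN7-HR-05')
$OutOfSupportKb = 'KB4500705'   # Microsoft's fix for out-of-support versions, per the post

function Get-Cve20190708PatchStatus {
    param([string[]]$ComputerName)
    foreach ($Computer in $ComputerName) {
        try {
            # Get-WmiObject (DCOM) still reaches XP/2003 hosts that lack WinRM
            $Os = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $Computer -ErrorAction Stop
        } catch {
            [pscustomobject]@{ Computer = $Computer; OS = 'unreachable'; Version = ''; Status = 'check manually' }
            continue
        }
        if ($Os.Version -like '5.*') {
            # NT 5.x = Windows XP / Server 2003 family: out of support, fixed only via KB4500705
            $Patched = [bool](Get-HotFix -Id $OutOfSupportKb -ComputerName $Computer -ErrorAction SilentlyContinue)
            $Status = if ($Patched) { "$OutOfSupportKb installed; still plan the upgrade" }
                      else          { "MISSING $OutOfSupportKb; upgrade, or install it now" }
        } elseif ($Os.Version -like '6.0.*' -or $Os.Version -like '6.1.*') {
            # Windows 7 / Server 2008 / 2008 R2: in support, fix comes through the regular
            # May 2019 update listed in the Security Update Guide (KB number differs per OS)
            $Status = 'in support: confirm the May 2019 security update is installed'
        } else {
            $Status = 'not among the versions named in the post'
        }
        [pscustomobject]@{ Computer = $Computer; OS = $Os.Caption; Version = $Os.Version; Status = $Status }
    }
}

Get-Cve20190708PatchStatus -ComputerName $Hosts | Format-Table -AutoSize
```

Feed it the host list from your asset inventory rather than a hand-typed array; a host that shows up as “unreachable” still needs to be accounted for, since unknown systems are exactly the ones that stay unpatched.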

We might not get a redo on Season 8 of Game of Thrones. But with the right tools and focus, you can make Microsoft Patch Tuesday a lot less dramatic.