On August 13, Microsoft released information regarding patches that will impact virtually every modern version of Windows. This alert, Patch New Wormable Vulnerabilities in Remote Desktop Services, outlines “a set of fixes for Remote Desktop Services that include two critical Remote Code Execution (RCE) vulnerabilities.” As Microsoft points out, these vulnerabilities raise significant red flags because they are “wormable,” which means that an exploit could carry malware and spread through a network in an automated fashion without any user or human interaction.
The affected versions of Windows are Windows 7 SP1, Windows Server 2008 R2 SP1, Windows Server 2012, Windows 8.1, Windows Server 2012 R2, and all supported versions of Windows 10, including server versions.
This headline-generating alert from Microsoft should be of immediate concern to any organization using Windows products. As we have learned from past vulnerabilities, including the BlueKeep issue earlier this year, these new vulnerabilities (CVE-2019-1181 and CVE-2019-1182) should be acknowledged and protected against immediately, as the impact of an attack can be massive and could strike at any time.
Asset Management/Vulnerability Management
This new concern, coming so quickly on the heels of BlueKeep, also serves as a reminder to all organizations on the importance of asset and vulnerability management. Asset management is foundational to a robust security program as it’s very difficult to secure assets when they are not properly identified and tracked. A robust asset inventory should capture asset name, network address, owner, operating system, data classification, and would ideally tie into a software inventory of the system. This will enable fast identification of affected systems.
A mature vulnerability management program will enable an organization to scan and triage affected systems. This will allow teams to focus patching efforts on areas with the most risk, such as internet-facing systems. Additionally, identifying systems that cannot be patched due to operational concerns will allow security teams to implement secondary security measures to prevent compromise.
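The two preceding paragraphs describe the inventory fields an asset register should hold and the triage a vulnerability management program performs on them. The following is an added example, not code from the original post, that runs that triage over a small constructed inventory: it picks out hosts running the Windows versions named in the alert, skips those already patched, scores the rest so that internet-facing hosts with Remote Desktop enabled rise to the top, and separates hosts that can be patched from those that need secondary controls. The hostnames, addresses and owners are invented; the Windows 10-based server releases (Server 2016 and 2019) are listed as an assumption because the alert says “all supported versions of Windows 10, including server versions” without naming them.

```python
"""Triage a constructed asset inventory against the RDS patch alert."""
import csv
import io
from typing import Dict, List

# Constructed sample inventory (invented hosts). The first six columns are the fields
# the post says an asset inventory should capture; the last four record the exposure
# facts needed to prioritise patching.
INVENTORY_CSV = """\
name,address,owner,os,classification,rdp_enabled,internet_facing,patched,patchable
web-gw-01,203.0.113.10,platform,Windows Server 2012 R2,internal,yes,yes,no,yes
hr-db-02,10.0.5.20,hr,Windows Server 2008 R2 SP1,confidential,yes,no,no,no
dev-ws-07,10.0.9.7,engineering,Windows 10 1809,internal,yes,no,yes,yes
kiosk-03,10.0.3.3,facilities,Windows 7 SP1,public,no,no,no,yes
lin-build-01,10.0.9.50,engineering,Ubuntu 18.04,internal,no,no,no,yes
"""

# Versions named explicitly in the Microsoft alert.
AFFECTED_EXACT = {
    "Windows 7 SP1",
    "Windows Server 2008 R2 SP1",
    "Windows Server 2012",
    "Windows 8.1",
    "Windows Server 2012 R2",
}
# "Windows 10" is matched by prefix so release builds (e.g. "Windows 10 1809") count.
# Server 2016 and 2019 are the Windows 10-based server releases; the alert does not
# name them, so listing them here is an assumption of this example.
AFFECTED_PREFIXES = ("Windows 10", "Windows Server 2016", "Windows Server 2019")

# Higher data classification raises the priority of an unpatched host.
CLASSIFICATION_WEIGHT = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}


def is_affected(os_name: str) -> bool:
    """True if the recorded OS string is one of the versions the alert covers."""
    os_name = os_name.strip()
    return os_name in AFFECTED_EXACT or os_name.startswith(AFFECTED_PREFIXES)


def _flag(value: str) -> bool:
    """Interpret the yes/no columns of the inventory."""
    return value.strip().lower() in ("yes", "true", "1")


def load_inventory(text: str) -> List[Dict[str, str]]:
    """Parse the CSV inventory into one dict per host."""
    return list(csv.DictReader(io.StringIO(text)))


def triage(rows: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Return affected, unpatched hosts with a risk score and recommended action,
    highest score first. Already-patched and unaffected hosts are dropped."""
    results = []
    for row in rows:
        if not is_affected(row["os"]) or _flag(row["patched"]):
            continue
        score = 1  # baseline: affected version, patch not yet applied
        if _flag(row["internet_facing"]):
            score += 4  # reachable from the internet: a worm can arrive directly
        if _flag(row["rdp_enabled"]):
            score += 2  # Remote Desktop Services listening: the vulnerable service is exposed
        score += CLASSIFICATION_WEIGHT.get(row["classification"].strip().lower(), 1)
        if _flag(row["patchable"]):
            action = "patch now"
        else:
            action = "cannot patch: apply secondary controls and notify security"
        results.append({
            "name": row["name"],
            "owner": row["owner"],
            "os": row["os"],
            "score": score,
            "action": action,
        })
    results.sort(key=lambda r: (-r["score"], r["name"]))
    return results


if __name__ == "__main__":
    for item in triage(load_inventory(INVENTORY_CSV)):
        print(f"{item['score']:>2}  {item['name']:<12} {item['owner']:<12} "
              f"{item['os']:<28} {item['action']}")
```

Running the block prints the three hosts that still need attention in priority order: the internet-facing 2012 R2 gateway first, the unpatchable 2008 R2 database second (flagged for secondary controls), and the isolated Windows 7 kiosk last. Because the result is grouped by owner and action, the same output doubles as the notification list the post says IT and security teams should be working from.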
It is impossible to predict when this identified weakness will be weaponized, but this often happens within days to weeks of a vulnerability being disclosed, and without the aforementioned security practices in place, companies place themselves at much greater risk of compromise.
Patch Management and Timely Patching
Organizations with robust patch management programs already in place, and who practice timely patching, consider this week’s Microsoft announcement to be old news. As soon as the notification was published, IT and infrastructure teams should already have identified affected systems and begun identifying requirements for patching. They would be notifying security teams of systems that couldn’t be patched, and working with them to find creative means of implementing secondary security controls.
Over 90 issues were covered in this week’s announcement, so while the two most potentially damaging are capturing the media’s attention, a robust patch management program will already be tracking and addressing all concerns.
One of the often-overlooked responses in a situation like this is vendor management. In the current environment with companies often directly connected and sharing data, a compromise in one company can lead to an attacker using it as a foothold to enter partner and vendor environments. During times like these it is important to reach out to partners and vendors and ensure they are aware of the issues, and ensure companies have proper logging and monitoring in place to identify anomalous vendor or partner activity.
Plan, Don’t Panic
We all recognize that vulnerabilities will continue to raise risk management concerns for organizations across locations and industries. However, maintaining the security fundamentals (asset management, vulnerability management, patch management, and vendor management) is the foundation for responding to situations like this without causing panic and churn within an organization. It is not unusual for companies to identify zero-day vulnerabilities in their systems; having a controlled, measured response to them is the mark of a mature security organization.