Microsoft reports 'critical' flaw in Windows 7 and older

Yolanda Curtis
May 15, 2019

According to the company, the Remote Desktop Protocol itself is not susceptible, but that the vulnerability is pre-authentication and requires no user interaction.

Usually support for such aging operating systems costs an arm and a leg, though Redmond has released a freebie because of the serious nature of the critical flaw, assigned CVE-2019-0708, in Remote Desktop Services, or Terminal Services as it was.

"While we have observed no exploitation of this vulnerability, it is highly likely that malicious actors will write an exploit for this vulnerability and incorporate it into their malware", wrote Simon Pope, director of incident response for the Microsoft Security Response Center.

The vulnerability causing all the fuss is a flaw in Remote Desktop Services, which as the name implies lets you remotely control a far-off PC from a second PC. Windows 8 and 10 are unaffected, but there's still a vast pool of older systems out there that could be hit if left unpatched.

"Customers who use an in-support version of Windows and have automatic updates enabled are automatically protected", says Microsoft. The latter, CVE-2019-0725, is a particularly nasty memory corruption vulnerability, since all that is needed to exploit it is a well-crafted packet sent to a DHCP server and affects all now supported versions of Windows, client and server.

"Microsoft invests heavily in strengthening the security of its products, often through major architectural improvements that are not possible to backport to earlier versions of Windows". The company is also backporting a patch for this vulnerability to versions that are no longer supported, such as Windows 2003 and XP.

Of these, 18 patches deal with vulnerabilities in the Windows Scripting Engine and web browsers. That vulnerability affects both Mac and Windows systems.

The flaw, which Microsoft described as "critical", enables an attacker to execute arbitrary code on the target system. "This vulnerability will make that process even easier".

RIDL and Fallout can be exploited via unprivileged code such as shared cloud computing resources and Javascript on malicious websites or in ads.

The patch came as part of Microsoft's monthly Patch Tuesday, which in May addressed 22 critical vulnerabilities.

Researchers have also tested Intel processors from 2011 onwards and found that they are vulnerable to the ZombieLoad that can read sensitive data from users' machines through malicious websites.

Other reports by iNewsToday