The vulnerability was discovered by the UK's National Cyber Security Centre.
In a blog post, Simon Pope, the director of Incident Response at the Microsoft Security Response Centre, said the Remote Desktop Protocol itself was not vulnerable.
This is neat: buried in the updates that went out today, Microsoft added “https://t.co/Ci6NavFNk7” as an HTTP Strict Transport Security Top Level Domain for Internet Explorer and Microsoft Edge. HTTPS only for UK government sites.— Kenn White (@kennwhite) May 14, 2019
He said vulnerable systems that were still supported by the company included Windows 7, Windows Server 2008 R2, and Windows Server 2008. Windows 8 and Windows 10 are not affected by this vulnerability.
"While we have observed no exploitation of this vulnerability, it is highly likely that malicious actors will write an exploit for this vulnerability and incorporate it into their malware."
After the dust settles and patches go out, it might be good for Enterprise teams to reassess the risk trade-off for exposing unfiltered Internet-facing Windows RDP.— Kenn White (@kennwhite) May 14, 2019
WannaCry hit computers around the world on 13 May two years ago, with a leaked NSA exploit being used to craft the ransomware that brought hospitals in Britain and various organisations in other countries to their knees, with demands for payment after the malware was used to lock Windows systems at these institutions.
Underlining the seriousness of the flaw, Microsoft released patches for Windows 2003 and Windows XP as well, even though official support for these Windows versions has long ended.
Auditors: You must stay patched
Vendors: Only use approved patches
Management: No support contract
IT department: pic.twitter.com/4OCW0tDcVH— SwiftOnSecurity (@SwiftOnSecurity) May 14, 2019
Pope said there was partial mitigation on affected systems that had Network Level Authentication enabled.
"The affected systems are mitigated against ‘wormable’ malware or advanced malware threats that could exploit the vulnerability, as NLA requires authentication before the vulnerability can be triggered," he wrote. "However, affected systems are still vulnerable to Remote Code Execution exploitation if the attacker has valid credentials that can be used to successfully authenticate."
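The NLA caveat above can be checked locally. The following is an added example (not from the article, Microsoft or the quoted sources) that reads the registry values controlling Remote Desktop and NLA and classifies the host's exposure along the lines Pope describes; it assumes local administrator rights and uses only cmdlets available on the older Windows versions named, and since the article gives no update identifiers it does not attempt a patch check.

```powershell
# Added audit example (not part of the original article). Read-only: it reports
# whether this host is one of the OS generations the article names as affected,
# whether Remote Desktop is enabled, and whether Network Level Authentication
# (NLA) is required, which is the partial mitigation described above.
# Assumption: run in an elevated PowerShell session on the host being assessed.

$os  = Get-WmiObject -Class Win32_OperatingSystem
$ver = [version]$os.Version

# Versions named in the article: Windows 7 / Server 2008 R2 (6.1),
# Server 2008 (6.0), and the out-of-support XP (5.1) and Server 2003 (5.2).
# Windows 8 (6.2) and Windows 10 (10.0) are reported as not affected.
$affectedOS = ($ver.Major -lt 6) -or ($ver.Major -eq 6 -and $ver.Minor -le 1)

$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpKey = Join-Path $tsKey 'WinStations\RDP-Tcp'

# fDenyTSConnections = 1 means Remote Desktop connections are refused entirely.
$denyTS     = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections).fDenyTSConnections
$rdpEnabled = ($denyTS -eq 0)

# UserAuthentication = 1 means NLA is required before a session is set up,
# so an attacker would need valid credentials first (still not a substitute for the patch).
$userAuth    = (Get-ItemProperty -Path $rdpKey -Name UserAuthentication).UserAuthentication
$nlaRequired = ($userAuth -eq 1)

if (-not $affectedOS) {
    $exposure = 'Not affected per the advisory'
} elseif (-not $rdpEnabled) {
    $exposure = 'Affected OS, but Remote Desktop is disabled; apply the update'
} elseif ($nlaRequired) {
    $exposure = 'Partial mitigation (NLA required); apply the update'
} else {
    $exposure = 'Unauthenticated RDP exposure; apply the update and require NLA'
}

New-Object PSObject -Property @{
    Computer    = $env:COMPUTERNAME
    OSVersion   = $os.Version
    AffectedOS  = $affectedOS
    RDPEnabled  = $rdpEnabled
    NLARequired = $nlaRequired
    Exposure    = $exposure
} | Format-List Computer, OSVersion, AffectedOS, RDPEnabled, NLARequired, Exposure
```

Run it across a fleet with your remote-execution tool of choice to find the hosts that still need attention once the update has been deployed.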
Commenting on the vulnerability, Phil Kernick, co-founder and chief technology officer of cyber security specialist CQR Consulting, told iTWire: "While any critical vulnerability like this should be addressed immediately, the only affected systems are very old, and businesses should have already had a program to upgrade them.
"Windows 7 end of life is January 2020, and after this date Microsoft won't be issuing any patches for security vulnerabilities for it at all."
The WannaCry developer waiting for a CVE-2019-0708 PoC to copy and paste into shit tier ransomware. pic.twitter.com/H0B9RqyTeH— MalwareTech (@MalwareTechBlog) May 14, 2019
Joanne Wong, senior regional marketing director APAC and Japan at security intelligence firm LogRhythm, told iTWire the announcement of the flaw served to remind IT users once again that to protect today’s networks and systems, organisations needed to focus closely on three key areas: IT hygiene (e.g., patching, maintenance, upgrades), a modernisation of IT with preventive security controls built in, and the ability to detect and respond to threats before they led to significant breaches.
"At the same time, we must unfortunately operate with the mindset that compromises will occur, and organisations around the world might lose data," she said.
"Hopefully, most CISOs would have implemented robust security operations and monitoring capabilities – allowing them to defend themselves and our data from breach and theft."