Microsoft Warns of Wormable Windows Bug That Could Lead to Another WannaCry
Microsoft has issued a dire warning about a critical vulnerability in Windows systems that could pave the way for a global-scale exploit similar to the 2017 WannaCry attack. The company has taken an extraordinary step by releasing patches for unsupported systems such as Windows XP and Windows 2003, which have been out of support for years. This decision underscores the severity of the vulnerability, indexed as CVE-2019-0708.
The Nature of the Threat
In a blog post coinciding with May Update Tuesday, Simon Pope, Director of Incident Response at the Microsoft Security Response Center, described the vulnerability as “wormable.” This means malicious actors could exploit it to propagate malware across networks without user interaction. Although no exploitation has been observed yet, experts believe it is only a matter of time before an exploit is developed.
“This vulnerability is pre-authentication and requires no user interaction,” said Pope. “It is highly likely that malicious actors will write an exploit for this vulnerability and incorporate it into their malware.”
Low Complexity, High Risk
The flaw resides in Remote Desktop Services, the Windows component that implements the Remote Desktop Protocol (RDP), making it particularly dangerous because of its low exploitation complexity. Microsoft’s Common Vulnerability Scoring System (CVSS) rates this complexity as 3.9 out of 4, indicating how easily attackers could exploit it.
Brian Bartholomew of Kaspersky Lab noted that exploiting this vulnerability requires sending specific packets to systems running RDP. He predicted an exploit could surface within days of the vulnerability’s disclosure.
Who Is at Risk?
Windows versions vulnerable to CVE-2019-0708 include:
- Windows XP
- Windows Server 2003
- Windows 7
- Windows Server 2008
- Windows Server 2008 R2
Modern systems such as Windows 8 and Windows 10 are unaffected, a testament to Microsoft’s ongoing security improvements. “Customers running Windows 8 and Windows 10 are not affected by this vulnerability,” Pope confirmed. “Later versions of Windows incorporate major architectural improvements that are not possible to backport to earlier versions.”
Scale of Exposure
According to independent researcher Kevin Beaumont, approximately 3 million RDP endpoints are exposed directly to the Internet, as revealed by Shodan search engine queries. Another Internet scanner, BinaryEdge, estimates 16 million endpoints are exposed on TCP ports 3389 and 3388.
Industrial systems are also at risk. CyberX analyzed 850 operational technology networks and found that 53% run unsupported Windows versions, many of which are likely vulnerable. In such environments, upgrading is often infeasible due to continuous operations. CyberX recommends measures like network segmentation and continuous monitoring as interim solutions.
Lessons from WannaCry
The WannaCry ransomware attack of 2017 exploited similar vulnerabilities in older Windows systems, causing billions of dollars in damages worldwide. The attack highlighted the critical need for prompt patching and robust network defenses. Despite these lessons, many organizations continue to expose RDP to the Internet, often inadvertently.
What You Can Do
Microsoft has provided patches for all affected versions, including unsupported ones. Users and administrators should:
- Apply the latest updates immediately.
- Disable RDP if it is not necessary.
- Implement strong network defenses, such as firewalls and VPNs.
- Use network segmentation to limit exposure.
Long-term solutions include upgrading to supported Windows versions and adopting modern security practices.
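As an added example (not from Microsoft or the original post), the script below triages an asset inventory against the affected-version list above and maps each legacy host to the recommended actions. The CSV column names, the sample hosts, and the priority ordering are assumptions made for illustration.

```python
import csv
import io
import re

# Affected versions as listed in the article; "Windows Server 2008" also covers 2008 R2.
AFFECTED = ("Windows XP", "Windows Server 2003", "Windows 7", "Windows Server 2008")
AFFECTED_RE = re.compile(r"\b(?:%s)\b" % "|".join(map(re.escape, AFFECTED)), re.I)

# Constructed sample inventory: column names and hosts are hypothetical.
SAMPLE_INVENTORY = """\
host,os,rdp_enabled,internet_facing,patched
hmi-01,Microsoft Windows XP Professional,yes,no,no
fs-02,Microsoft Windows Server 2008 R2 Standard,yes,yes,no
wk-17,Microsoft Windows 7 Enterprise,no,no,no
wk-30,Microsoft Windows 10 Pro,yes,no,no
db-05,Microsoft Windows Server 2003,yes,no,yes
"""

def _yes(value):
    return value.strip().lower() in ("yes", "true", "1")

def triage(inventory_csv):
    """Return (priority, host, actions) tuples for affected hosts, most urgent first."""
    findings = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        if not AFFECTED_RE.search(row["os"]):
            continue  # e.g. Windows 8 / Windows 10 are not affected
        rdp, exposed, patched = (
            _yes(row[k]) for k in ("rdp_enabled", "internet_facing", "patched"))
        actions = []
        if not patched:
            actions.append("apply the CVE-2019-0708 update")
        if rdp and exposed:
            actions.append("remove direct Internet exposure of RDP (firewall/VPN)")
        if rdp:
            actions.append("disable RDP if not required, otherwise segment the host")
        actions.append("long term: upgrade to a supported Windows version")
        # 1 = unpatched with RDP Internet-facing, 2 = unpatched with RDP internal only,
        # 3 = unpatched with RDP off, 4 = patched legacy host.
        priority = 4 if patched else 3 if not rdp else 1 if exposed else 2
        findings.append((priority, row["host"], actions))
    return sorted(findings, key=lambda f: f[:2])

if __name__ == "__main__":
    for priority, host, actions in triage(SAMPLE_INVENTORY):
        print(f"P{priority} {host}: " + "; ".join(actions))
```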
Unanswered Questions
The discovery of CVE-2019-0708 raises intriguing questions about its origins. “Did they see this in attacks elsewhere? Was this an old exploit that was used by friendly governments?” wondered Bartholomew. While the exact circumstances remain speculative, the urgency of addressing the vulnerability is clear.