team-bg-img
time 2 minute read

Helient Systems :

by Jamie Engelhard
Chief Technology Officer

Microsoft is urging all Windows 7 – 10 and Server 2008 R2 – Server 2016 customers to update their operating system to the latest monthly patches due to “Critical” vulnerabilities exposed this week. Malicious code could be developed to exploit these vulnerabilities which can act like malicious worms that spread viruses and malware without any input or actions by a user. Microsoft warns that there are “potentially hundreds of millions of vulnerable computers.”

“It is important that affected systems are patched as quickly as possible because of the elevated risks associated with wormable vulnerabilities like these, and downloads for these can be found in the Microsoft Security Update Guide,” said Simon Pope, Microsoft’s director of Incident Response said in a blog post Tuesday.

Windows users who have Windows Update configured to install automatically should have already received the patches. For businesses and enterprises that delay or withhold Windows patches, Microsoft is strongly urging businesses to treat these latest vulnerabilities like zero-day exploits, and to install the latest updates as quickly as possible to affected workstations and servers.

“These vulnerabilities were discovered by Microsoft during hardening of Remote Desktop Services as part of our continual focus on strengthening the security of our products. At this time, we have no evidence that these vulnerabilities were known to any third party,” Pope said.

The affected versions of Windows are Windows 10, Windows 7 SP1, Windows Server 2008 R2 SP1, Windows Server 2012, Windows 8.1, and Windows Server 2012 R2. Windows XP, Windows Server 2003, and Windows Server 2008 are not affected, nor is the Remote Desktop Protocol (RDP) itself affected.

The full blog post from Microsoft’s Security Response Center regarding CVE-2019-1181/1182 including links to download the latest patches can be found here:

https://msrc-blog.microsoft.com/2019/08/13/patch-new-wormable-vulnerabilities-in-remote-desktop-services-cve-2019-1181-1182/

What is Helient Doing in the Face of this Critical Vulnerability?

Helient is working with our Helient Managed Services and HeliX® customers on a two-tier remediation plan. To immediately limit the attack surface, make sure that an exploit of these vulnerabilities could only come from a trusted internal system, and to effectively neuter any future worm-based exploit, we are taking the following actions:

  1. Verifying a secure perimeter against RDS connections from unknown/untrusted source IP addresses. This includes the public Internet, guest WiFi, and any other networks that could be used by a malicious actor.
  2. Confirming or introducing a Group Policy setting to disable RDS on any systems where it is not a short-term critical need. This likely includes all Windows 7 – Windows 10 desktop systems.
  3. Verifying Group Policy settings are in place to enable and require Network Level Authentication (NLA) for RDS connections that are essential to operations. This likely includes all Windows Server 2008 R2 – 2016 systems.

After these safeguards are in place, we will be working with our HMS and HeliX customers to expedite installation of these patches onto their servers and desktops during the next available maintenance window or to perform an out-of-band update as needed. For customers with active Windows 10 upgrade/refresh projects underway, we recommend an expedited Dev/Test cycle before releasing the patch to pilot or production users.

If you need assistance, Helient engineers are available to assist. Email service@helient.com for help.