ALERT: Update Windows ASAP for critical vulnerabilities

Wednesday, August 14, 2019

The information below was sent to U-M staff groups via email on August 14, 2019. This message was intended for U-M IT staff who are responsible for university machines running Microsoft Windows.

Summary

Microsoft has recently announced Windows and Windows Server updates for four new vulnerabilities in the Remote Desktop Service (RDS), two of which are critical. The two critical vulnerabilities are “wormable” (capable of being turned into a computer worm) and could spread quickly among vulnerable computers. Apply updates as soon as possible after appropriate testing.

Problem

The vulnerabilities, which affect the Remote Desktop Service (RDS) component of Windows, make it possible for unauthenticated attackers to execute malicious code by sending a specially crafted data request. Unlike the May 2019 RDS vulnerability found in older versions of Windows, these vulnerabilities affect newer versions of Windows.

Affected Versions

  • Windows 7, 8, and 10
  • Windows Server 2008, 2012, 2016, and 2019

Action Items

Apply the updates provided by Microsoft as soon as possible after appropriate testing. This is important because of the elevated risks associated with wormable vulnerabilities. The threat posed by the four vulnerabilities justifies an accelerated timeline for patching that is faster than the timelines specified in Vulnerability Management (DS-21).

See Microsoft's CVE pages for links to downloads:

The updates that patch CVE-2019-1181 and 1182 will be deployed to MiWorkspace Windows computers on August 15, 2019.

Threats

Microsoft has no evidence of active exploitation of these vulnerabilities in the wild. However, it is expected that exploits will soon be written into malware.

Technical Details

According to Microsoft: "A remote code execution vulnerability exists in Remote Desktop Services—formerly known as Terminal Services—when an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests. This vulnerability is pre-authentication and requires no user interaction. An attacker who successfully exploited this vulnerability could execute arbitrary code on the target system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit this vulnerability, an attacker would need to send a specially crafted request to the target systems Remote Desktop Service via RDP. The update addresses the vulnerability by correcting how Remote Desktop Services handles connection requests."

How We Protect U-M

  • Information Assurance (IA) monitors a number of sources for information about new vulnerabilities and threats and provides up-to-date information to the university community.
  • IA performs regular vulnerability scans of university networks to identify vulnerable devices and request remediation.
  • IA provides vulnerability management guidance to the university.
  • MiServer partially mitigates against this vulnerability through a mandatory security policy enabling Network Level Authentication (NLA). MiServer will apply the Microsoft security updates as soon as possible.
  • MiWorkspace will apply the updates that patch CVE-2019-1181 and 1182 tomorrow (August 15); updates for the other two vulnerabilities will be applied according to the MiWorkspace normal update schedule.

Information for Users

MiWorkspace will apply the updates for the two critical vulnerabilities on August 15; updates for the other two vulnerabilities will be applied soon. Other university-managed machines will be updated as soon as possible. If you have a personal computer running Windows, and it is set to receive automatic updates, your computer will be updated for you. We recommend that you set Windows to update automatically.

In general, the best protection for your devices is this: keep your software and apps up-to-date, do not click suspicious links in email, do not open shared documents or email attachments unless you are expecting them and trust the person who sent them, and only use secure, trusted networks. For more information, see Phishing & Suspicious Email, Secure Your Devices, and Secure Your Internet Connection on the U-M Safe Computing website.

Questions, Concerns, Reports

Please contact info-assurance@umich.edu.