Critical security flaw in Windows 7 and Windows XP

Microsoft Patches 'Wormable' Flaw in Windows XP, 7 and Windows 2003

Microsoft issues new patch for Windows XP to fight a dangerous 'wormable' vulnerability

ZombieLoad is known as a Microarchitectural Data Sampling (MDS) vulnerability, and it shares some characteristics with Spectre and Meltdown, the two side channel attacks announced in January 2018.

There are 22 critical flaws this month, no fewer than 18 of which affect browsers and scripting engines; the other four are Remote Code Execution (RCE) vulnerabilities in key products such as Remote Desktop and Word.

CVE-2019-0708 does not affect Microsoft's latest operating systems - Windows 10, Windows 8.1, Windows 8, Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, or Windows Server 2012.

The researchers, from universities in Australia, the United States, Belgium and Austria and from CSIRO's Data61 unit, noted that, ironically, the newer Coffee Lake Refresh i9 processors are more vulnerable to Fallout than older parts, because of the countermeasures Intel added against the earlier Meltdown speculative-execution leak.

Microsoft has, however, made fixes for the out-of-support Windows versions available as update KB4500705.

The WannaCry ransomware spread rapidly around the world in May 2017 by exploiting an SMB vulnerability that was especially prevalent on unpatched systems running Windows XP and other older versions of Windows.

Partial mitigation of the RDS vulnerability is possible with Network Level Authentication (NLA): with NLA enforced, a client must authenticate before a Remote Desktop session is established, so an attacker would need valid credentials to reach the vulnerable code. Without it, an attacker who successfully exploited this vulnerability could execute arbitrary code on the target system with no authentication and no user interaction.
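The following PowerShell script is an added example, not code from the original article or from Microsoft: it audits a host for the conditions that make CVE-2019-0708 reachable (an affected Windows version, Remote Desktop enabled, no fix installed) and reports whether NLA is enforced, with a second function that turns NLA on. The function names, the affected-version list (derived from the article's list of unaffected releases) and the `$KnownFixes` default (only KB4500705, the one update the article names) are assumptions; add the update ID that applies to each OS from Microsoft's advisory.

```powershell
# Added example (not from the original article or Microsoft). Assumes it is
# run elevated in PowerShell 2.0 or later on the host being checked.

function Test-BlueKeepExposure {
    param(
        # Only the KB named in the article; extend with your OS's update ID.
        [string[]] $KnownFixes = @('KB4500705')
    )
    # NT kernel versions (major.minor) the article lists as affected:
    # 5.1 = XP, 5.2 = Server 2003, 6.0 = Vista/2008, 6.1 = 7/2008 R2.
    $affected = @('5.1', '5.2', '6.0', '6.1')

    $os  = Get-WmiObject -Class Win32_OperatingSystem
    $ver = ($os.Version -split '\.')[0..1] -join '.'

    $ts  = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $tcp = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

    $rdpEnabled = ($ts.fDenyTSConnections -eq 0)   # 0 = remote connections allowed
    $nlaOn      = ($tcp.UserAuthentication -eq 1)  # 1 = NLA required (absent on XP/2003)
    $patched    = [bool](Get-HotFix | Where-Object { $KnownFixes -contains $_.HotFixID })

    $needsPatch = ($affected -contains $ver) -and $rdpEnabled -and -not $patched

    New-Object PSObject -Property @{
        OSVersion       = $ver
        AffectedOS      = ($affected -contains $ver)
        RDPEnabled      = $rdpEnabled
        NLAEnforced     = $nlaOn
        PatchFound      = $patched
        NeedsPatch      = $needsPatch
        # Reachable without credentials: affected build, RDP on, unpatched, no NLA.
        Unauthenticated = $needsPatch -and -not $nlaOn
    }
}

function Enable-RdpNla {
    # Require NLA and TLS on the RDP-Tcp listener via the Terminal Services
    # WMI provider (Vista/2008 and later; XP and 2003 have no NLA server side).
    $listener = Get-WmiObject -Namespace 'root\cimv2\TerminalServices' `
        -Class Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"
    [void] $listener.SetUserAuthenticationRequired(1)   # 1 = NLA required
    [void] $listener.SetSecurityLayer(2)                # 2 = TLS
}

# Usage:
#   Test-BlueKeepExposure | Format-List
#   Enable-RdpNla
```

Two caveats worth keeping in mind when using this. Windows XP and Server 2003 cannot enforce NLA as a server, so on those systems `NLAEnforced` will always be false and the only real options are installing the update or blocking TCP port 3389 at the perimeter. And once NLA is on, clients that do not support CredSSP will no longer be able to connect, so check your client population before flipping it on a fleet.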

Usually support for such aging operating systems costs an arm and a leg, though Redmond has released a freebie because of the serious nature of the critical flaw, assigned CVE-2019-0708, in Remote Desktop Services, formerly known as Terminal Services. Other critical fixes this month include CVE-2019-0725, a remote code execution vulnerability in Windows Server's DHCP server.

A newly discovered vulnerability in the commonly used Remote Desktop Services (RDS) that can be abused to create worms or self-spreading malware has prompted Microsoft to create security patches for the obsolete Windows XP and Server 2003 operating systems.

While you're patching that, there's a lot of other stuff to fix in the Patch Tuesday update.

Microsoft also patched CVE-2019-0953, a remote code execution vulnerability in Microsoft Word that lets an attacker run code as the targeted user by persuading them to open a malicious file. As is traditional, Adobe shipped 86 flaw fixes, mainly in Reader and Acrobat, and Citrix has one of its own.
