A vulnerability in old Windows machines is so bad that even the US National Security Agency is urging the public to patch their systems.
On Tuesday, the NSA issued an advisory warning that millions of Windows machines may be vulnerable to a remote desktop flaw (CVE-2019-0708) that could pave the way for a computer worm.
“NSA urges everyone to invest the time and resources to know your network and run supported operating systems with the latest patches,” the advisory says. “This is critical not just for NSA’s protection of National Security Systems but for all networks.”
The vulnerability—which Microsoft itself has warned about twice—deals with the Remote Desktop Services feature in Windows 7, Windows Vista, and Windows XP along with Windows Server 2003 and 2008 systems. A bug in the feature can allow an attacker to control an affected Windows machine potentially without the need to supply a password.
What has the security community so worried is that the vulnerability can be exploited without any interaction from the Windows machine’s owner. As a result, an attacker could theoretically create a malicious computer worm that spreads from one vulnerable machine to another. Many of the affected Windows systems are also likely to belong to enterprises and government agencies.
“We have seen devastating computer worms inflict damage on unpatched systems with wide-ranging impact, and are seeking to motivate increased protections against this flaw,” the NSA says in the advisory.
Although Microsoft issued a security patch last month, one estimate has found that a million internet-connected machines remain vulnerable to the threat. “It is likely only a matter of time before remote exploitation code is widely available for this vulnerability,” the advisory adds.
In other words, hackers are bound to come up with ways to remotely take over the affected Windows machines. As an example, the NSA points to the risk of cybercriminals installing ransomware across vulnerable systems, which could hold them hostage unless the owners pay up.
It’s rare for the NSA to weigh in on a vulnerability, although it did issue two other security advisories this year. But the US spy agency played a role in indirectly sparking another computer worm in 2017 with the malware outbreak WannaCry.
The attack was able to spread to hundreds of thousands of machines thanks to a leaked NSA cyberweapon, which also exploited a vulnerability in older Windows systems. Reportedly, the US spy agency knew about the flaw for at least five years, and kept it secret from Microsoft.
Whether the NSA was previously aware of the recently discovered remote desktop flaw in Windows isn’t clear. The US agency didn’t immediately respond to a request for comment. But according to Microsoft’s security advisory, the UK’s National Cyber Security Centre discovered the vulnerability.
Independent security researchers have also warned they’ve managed to come up with experimental proof-of-concept attacks that can indeed exploit the Windows flaw. To address the threat, you can check out the security advisories from the NSA and Microsoft. Note that Windows machines with the Remote Desktop Services feature turned off are not affected.
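For administrators who want to inventory which hosts the article's advice applies to, the following PowerShell check is an added example written for this page; it is not code from the article, the NSA or Microsoft. It reports whether the local machine runs one of the Windows versions the article names as affected by CVE-2019-0708 and whether Remote Desktop Services is enabled and running. The registry value and service name it reads (`fDenyTSConnections`, `TermService`) are the standard Windows settings for Remote Desktop; the list of affected version names is taken from the article.

```powershell
# Added example (not from the article or the NSA/Microsoft advisories):
# report whether this host runs one of the Windows versions the article names
# as affected by CVE-2019-0708 and whether Remote Desktop Services is enabled.

# OS versions the article lists as affected, matched against the WMI caption.
$AffectedCaptions = @(
    'Windows XP',
    'Windows Vista',
    'Windows 7',
    'Windows Server 2003',
    'Windows Server 2008'    # also matches "Windows Server 2008 R2"
)

function Get-RdpExposureStatus {
    # Get-WmiObject rather than Get-CimInstance so the check also runs on the
    # older PowerShell versions shipped with the affected systems.
    $os      = Get-WmiObject -Class Win32_OperatingSystem
    $caption = $os.Caption

    $osAffected = $false
    foreach ($name in $AffectedCaptions) {
        if ($caption -like "*$name*") { $osAffected = $true }
    }

    # fDenyTSConnections = 1 means incoming Remote Desktop connections are denied;
    # 0 means Remote Desktop is turned on.
    $tsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $deny  = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
    $rdpEnabled = ($deny -eq 0)

    # Remote Desktop Services itself runs as the TermService service.
    $svc        = Get-Service -Name TermService -ErrorAction SilentlyContinue
    $svcRunning = ($null -ne $svc -and $svc.Status -eq 'Running')

    # New-Object PSObject works on PowerShell 2.0, unlike [pscustomobject].
    New-Object PSObject -Property @{
        ComputerName         = $env:COMPUTERNAME
        OperatingSystem      = $caption
        OsInAffectedList     = $osAffected
        RemoteDesktopEnabled = $rdpEnabled
        TermServiceRunning   = $svcRunning
        # Flagged only when the OS is in the affected list AND Remote Desktop
        # is turned on and its service is running.
        PotentiallyExposed   = ($osAffected -and $rdpEnabled -and $svcRunning)
    }
}

Get-RdpExposureStatus | Format-List
```

The script does not check whether Microsoft's fix is installed, so `PotentiallyExposed` is true on patched and unpatched hosts alike; treat its output as a list of machines to verify against the NSA and Microsoft advisories, not as a vulnerability test. A host that reports `RemoteDesktopEnabled = False` matches the article's note that systems with Remote Desktop Services turned off are not affected.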