More critical Remote Desktop flaws expose Windows systems to hacking

Microsoft has identified and patched several vulnerabilities in the Windows Remote Desktop Services (RDS) component — formerly known as Terminal Services — which is widely used in corporate environments to remotely manage Windows machines. Some of the vulnerabilities can be exploited without authentication to achieve remote code execution and full system compromise, making them highly dangerous for enterprise networks if left unfixed.

All the flaws have been discovered internally by Microsoft during hardening of the RDS component, so no public exploits are available at this time. However, Microsoft researcher Justin Campbell said on Twitter that his team “successfully built a full exploit chain using some of these, so it’s likely someone else will as well.”

In a blog post, Simon Pope, director of incident response at Microsoft, warned that two of the flaws, tracked as CVE-2019-1181 and CVE-2019-1182, are wormable: if malware makes its way inside a corporate network, it could exploit these flaws to propagate from computer to computer without any user interaction.

The two vulnerabilities affect Windows 7 SP1, Windows Server 2008 R2 SP1, Windows Server 2012, Windows 8.1, Windows Server 2012 R2 and all supported versions of Windows 10. Since RDS runs as a system service, successful exploitation would give attackers the privileges needed to install programs, read and delete data, and create new accounts.

Microsoft also patched two other remote code execution vulnerabilities in RDS on Tuesday that are tracked as CVE-2019-1222 and CVE-2019-1226. These flaws only affect supported versions of Windows 10, Windows Server 2019 and Windows Server version 1803 and don’t require authentication to exploit.

The company also fixed an unauthenticated denial-of-service flaw (CVE-2019-1223) and two memory disclosure issues (CVE-2019-1224 and CVE-2019-1225), bringing the total number of RDS flaws fixed this Patch Tuesday to seven.

It started with BlueKeep

Microsoft’s deeper investigation of RDS and the newly identified issues come after a wormable RDS flaw was discovered and patched in May. Tracked as CVE-2019-0708, that vulnerability is known in the security community as BlueKeep, and public exploits are available for it.

Last week, Microsoft’s Detection and Response Team (DART) issued a warning that BlueKeep exploitation is very likely. Based on its telemetry, the team said at the time that more than 400,000 endpoints lack network level authentication, which makes the problem much worse and could enable the easy spread of Remote Desktop Protocol (RDP) worms.

Network level authentication (NLA) is suggested by Microsoft as a partial mitigation for both BlueKeep and the newly patched RDS flaws, because with NLA enabled an attacker must authenticate successfully before the vulnerable code can be reached. However, in practice there are many scenarios where attackers can obtain legitimate credentials and so get past this protection, so deploying the patches for these vulnerabilities as soon as possible remains the real fix.
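The following PowerShell is an added example for checking and enforcing the NLA mitigation described above; it is not code from the article or from Microsoft. It assumes the default RDP listener name `RDP-Tcp`, an elevated session on the host being audited, and the documented `Win32_TSGeneralSetting` WMI class and the `UserAuthentication` / `fDenyTSConnections` registry values. It reports the current state, turns NLA on if it is off, and lists any enabled inbound firewall rules that open port 3389 on the Public profile, which is the exposure the article warns against.

```powershell
# Added example (not from the article): audit and enforce Network Level
# Authentication (NLA) on the local Remote Desktop listener, and flag RDP
# rules that are open on the Public (internet-facing) firewall profile.
# NLA is a mitigation only; the August 2019 RDS patches are still required.
# Assumes: elevated PowerShell, default listener name 'RDP-Tcp'.

$tsRoot      = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$listenerKey = Join-Path $tsRoot 'WinStations\RDP-Tcp'

# 1. Registry view. fDenyTSConnections = 0 means RDP accepts connections;
#    UserAuthentication = 1 means NLA is required on the listener.
$rdpEnabled = (Get-ItemProperty -Path $tsRoot -Name 'fDenyTSConnections').fDenyTSConnections -eq 0
$nlaReg     = (Get-ItemProperty -Path $listenerKey -Name 'UserAuthentication').UserAuthentication -eq 1

# 2. WMI view of the same listener (Win32_TSGeneralSetting, documented class).
#    SecurityLayer: 0 = legacy RDP security, 1 = negotiate, 2 = TLS.
$ts = Get-CimInstance -Namespace 'root\cimv2\TerminalServices' `
                      -ClassName 'Win32_TSGeneralSetting' `
                      -Filter "TerminalName='RDP-Tcp'"

[PSCustomObject]@{
    ComputerName        = $env:COMPUTERNAME
    RdpEnabled          = $rdpEnabled
    NlaRequiredRegistry = $nlaReg
    NlaRequiredWmi      = [bool]$ts.UserAuthenticationRequired
    SecurityLayer       = $ts.SecurityLayer
} | Format-List

# 3. Remediate: require NLA when RDP is on and NLA is off.
#    SetUserAuthenticationRequired(1) is the documented method for this.
if ($rdpEnabled -and -not $ts.UserAuthenticationRequired) {
    Invoke-CimMethod -InputObject $ts `
                     -MethodName 'SetUserAuthenticationRequired' `
                     -Arguments @{ UserAuthenticationRequired = [uint32]1 } | Out-Null
    Write-Warning "NLA was disabled on $env:COMPUTERNAME and has been set to required."
}

# 4. Exposure check: enabled inbound rules that open TCP 3389 on the Public
#    profile (or on all profiles). Anything listed here deserves review;
#    RDP should sit behind a firewall or VPN, not on the internet.
$publicRdpRules = Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
    Where-Object { $_.Profile -match 'Public' -or $_.Profile -eq 'Any' } |
    Where-Object {
        $pf = $_ | Get-NetFirewallPortFilter
        $pf.Protocol -eq 'TCP' -and ($pf.LocalPort -contains '3389' -or $pf.LocalPort -eq 'Any')
    }

if ($publicRdpRules) {
    Write-Warning "Inbound rules allowing RDP on the Public profile:"
    $publicRdpRules | Select-Object DisplayName, Profile, Enabled | Format-Table -AutoSize
} else {
    Write-Host "No enabled inbound rule opens TCP 3389 on the Public profile."
}
```

Run it from an elevated prompt on each host, or wrap it in `Invoke-Command` for a fleet. The registry and WMI readings should agree; a mismatch usually means a Group Policy is overriding the local setting, in which case the GPO, not the host, is the place to fix it.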

According to a new report by SecurityScorecard, around 800,000 machines with vulnerable RDS service were exposed directly to the internet when BlueKeep came out in May. The company has been rescanning those machines daily and found that the patching response has been slow, with around 1% being patched each day.

For machines that did get the BlueKeep patches, the majority were updated during the first 13 days after the announcement. This means that in most cases vulnerable machine owners either patched their systems within 13 days or not at all.

Some industries performed better than others, according to SecurityScorecard’s data. The financial services industry had the largest number of machines patched within a day of the fixes coming out. Many other financial organizations patched them by day 11. Overall, the financial services industry patched around 713 vulnerable machines per day.

Organizations from the manufacturing and hospitality industries patched around 3% of their machines per day, a significantly higher rate than average. However, these industries also had a much lower number of vulnerable machines exposed to the internet to begin with, which is indicative of good security practices and network architecture.

“A five- to 13-day response time is rather respectable. However, SecurityScorecard advises that Remote Desktop (RDP) should not be exposed on the internet,” the company wrote in its report. “Rather, it should be behind a firewall and/or VPN. Thus, the true fix for these machines is a combination of fixes: Upgrade to a more recent Windows version, patch the vulnerability, and prevent internet-wide access to these machines.”

Bypassing Apple FaceID’s Liveness Detection Feature

Apple’s FaceID has a liveness detection feature, which prevents someone from unlocking a victim’s phone by putting it in front of his face while he’s sleeping. That feature has been hacked:

Researchers on Wednesday during Black Hat USA 2019 demonstrated an attack that allowed them to bypass a victim’s FaceID and log into their phone simply by putting a pair of modified glasses on their face. By merely placing tape carefully over the lenses of a pair of glasses and placing them on the victim’s face, the researchers demonstrated how they could bypass Apple’s FaceID in a specific scenario. The attack itself is difficult, given the bad actor would need to figure out how to put the glasses on an unconscious victim without waking them up.

Posted on August 15, 2019 at 6:19 AM

Safe travels: 7 best practices for protecting data at border crossings

Border forces across the world are increasing the number of devices that they inspect and copy content from. That can present huge problems if the device is corporate-provisioned or is a personal device containing company information.

While westerners might assume this is an issue only in authoritarian countries, border officials in many democratic countries can legally seize mobile devices without warrants. The U.S., UK and New Zealand all can and do demand devices from people entering the country and can ask users to unlock their phones (and in some cases to provide passwords to certain accounts) under threat of fines, refusal of entry to the country, or detainment. Not only does that create problems for the people at the border, especially if they refuse, but also for organizations if those devices are linked to corporate networks or data.

“The matter is you’re carrying around your corporate assets with you,” says Rob Smith, research director within Gartner’s Mobile and Client Computing group. “You’re going to give a foreign power, or even the domestic power for that matter, full rights to view it.”

Device seizures put data and networks at risk

Device inspection or seizure isn’t new, but recent years have seen the number of incidents increase. In the U.S., the number of devices searched at the border rose by over a third between 2016 and 2017 (the most recent year for which U.S. Customs and Border Protection [CBP] has posted data). This creates risks for enterprises.

“You never know what you’re going to get no matter what border you go to these days,” says Smith. “Be it the UK, be it the U.S., be it China, someone, sometime is going to ask you to surrender your device. And you’re not going to have a choice. As Europeans, we have a much stronger view about privacy and a much better expectation of what should be. But then when you go to places like China or the U.S., it’s completely thrown out the window, because there are laws today really designed for luggage.”

In 2018, Australian Border Force (ABF) agents in Sydney, Australia seized a software developer’s devices. They reportedly refused to tell him whether his digital data was being copied and stored, or to explain the ABF’s data retention policy. In 2017, a NASA engineer was forced to hand over an agency-provisioned phone (and its passcode) that contained sensitive information from NASA’s Jet Propulsion Laboratory. This happened at the Houston airport in the U.S.

At the very minimum, a third party is potentially making a copy of any corporate data on the device without applying the same access controls your company would, and giving you no visibility into how and where that information is stored or when it might be deleted. Any regulated data copied could also create compliance issues. Commercially sensitive information or intellectual property stored locally on devices could, depending on the country in question, potentially make its way to a domestic rival. If an employee is detained, the chances of having the device returned decrease, potentially meaning two copies of corporate data have been lost: the one on the device and the one the border agency made.