Last Windows 7 patch updates critical remote desktop flaw

IT departments have experienced the first impact of Windows 7 end of support with the latest Patch Tuesday release. Microsoft has issued a critical security patch that affects all its operating systems. This fix has been rolled into the final Patch Tuesday security update for Windows 7.

The Patch Tuesday Windows update fixes a vulnerability, disclosed by the US National Security Agency (NSA), which could be exploited by using a spoofed code-signing certificate to sign a malicious executable file, making it appear the file was from a trusted, legitimate source. The user would have no way of knowing the file was malicious because the digital signature would appear to be from a trusted provider.

Microsoft issued a patch for the CVE2020-0601 vulnerability, which affects all 32-bit and 64-bit Windows 10 systems. The NSA also reported that it had found a remote desktop vulnerability, CVE-2020-0611, which affects Windows 7 and newer operating systems, for which Microsoft has also issued a patch.

“These vulnerabilities – in the Windows Remote Desktop Client and RD Gateway Server – allow for remote code execution, where arbitrary code could be run freely,” the NSA stated. “The server vulnerabilities do not require authentication or user interaction and can be exploited by a specially crafted request. The client vulnerability can be exploited by convincing a user to connect to a malicious server.”

The Cybersecurity and Infrastructure Security Agency (CISA) said it was unaware of active exploitation of these vulnerabilities. However, since the patches are now publicly released, the underlying vulnerabilities can be reverse-engineered to create exploits that target unpatched systems, it warned.

“CISA strongly recommends organisations install these critical patches as soon as possible – prioritise patching by starting with mission-critical systems, internet-facing systems and networked servers. Organisations should then prioritise patching other affected information technology/operational technology (IT/OT) assets.”

Microsoft has made a critical security patch available for Windows 7, which it said corrects how the Windows Remote Desktop Client handles connection requests.

Along with patching the operating system, IT security company Symantec urged IT departments to limit access rights for all software. “To reduce the impact of latent vulnerabilities, always run non-administrative software as an unprivileged user with minimal access rights,” it said.

It also recommended that IT departments deploy network intrusion detection (NID) systems to monitor network traffic for malicious activity and use NIDs to monitor network traffic for signs of anomalous or suspicious activity. Such monitoring can be used to identify unexplained incoming and outgoing traffic.

“This may indicate exploit attempts or activity that results from successful exploits,” said Symantec.

Symantec suggested that chief information security officers implement multiple redundant layers of security and use memory-protection schemes that can be used to complicate exploits of memory-corruption vulnerabilities.

Although Windows 7 is no longer supported, Microsoft is likely to continue to develop and release patches for the most critical security vulnerabilities that affect the unsupported operating system, since many organisations have yet to complete their migration to Windows 10. Organisations that use embedded systems will also need to rely on such updates being made available, as it is often much harder to upgrade the operating system on such equipment. 

For instance, according to data provided by healthcare cyber security specialist Cynerio, due to the long lifecycles of medical devices critical to patient care, more than 20% of all device models in the global medical ecosystem run on the now unsupported operating system.

“No device is risk-free, especially network-connected devices. Medical devices are the weakest link – they are not designed with security in mind, have extensive lifecycles and often cannot afford any downtime,” said Leon Lerman, Cynerio’s CEO and co-founder.

“Cyber security is an ever-changing landscape, and Windows 7 end-of-life only adds to the inherent weaknesses of hospital networks. If a device responsible for critical care is vulnerable, patients are at risk. It’s more important now than ever for hospitals to know their risk and to take educated measures to secure their networks and patients.”