First Patch Tuesday of 2022 Brings Fix for a Critical 'Wormable' Windows Vulnerability
The number of Internet-connected devices is expected to approach 40 billion. This is significant in light of a new vulnerability affecting Windows 7 and Windows Server 2008 (or later), which was disclosed today by the Zero Day Initiative (ZDI). According to ZDI's advisory, this vulnerability could be used in a wormable exploit, meaning it could spread from one vulnerable computer to the next. Microsoft has 'highly recommended' that all Windows users install a patch as soon as possible.
"Everyone is on urgent patch," said Dustin Childs, communications manager for ZDI. "This vulnerability allows code execution without any user interaction and is the definition of wormable."
The vulnerability exists in Windows' Remote Desktop Services, which allows users to remotely access other networked systems. An unauthenticated attacker who successfully exploits this vulnerability can execute arbitrary code on a target system, leading to full compromise. Since this is an SMB-related flaw, it may aid in propagation across networks.
Microsoft has issued a patch for this vulnerability via MS2022-1, which should be applied as soon as possible. All other Windows updates are considered optional.
Childs added that, although exploitation of this vulnerability is not yet widespread, it has begun to see some use in the wild. While ZDI does not have reports of active exploitation on their network, this zero-day is of concern for several reasons.
"Zero days are starting to be used more commonly in certain groups," Childs said. "One reason of course is because they work. They get the job done. But also, some actors don't want attribution so they use zero days to get in and out before they are detected. That is why we always recommend full patching regardless of if it's a zero day or not."
The Zero Day Initiative is part of TippingPoint, which HP acquired in 2010 for $325 million. ZDI buys vulnerabilities from researchers and brokers them to the companies that can fix them before they are published. ZDI makes its money through a subscription model with those companies.
In related news, Microsoft recently purchased Cybereason for $200 million [19 October 2020], a move that reflects the software giant's growing interest in security. "Microsoft continues to invest in security," said Childs, "and with the recent purchase of Cybereason, one has to wonder what they have up their sleeves."
According to Trend Micro's 2018 Security Roundup Report, remote desktop protocol (RDP) vulnerabilities were increasingly exploited by threat actors in the wild. "In the first half of 2017, we saw a spike in attacks against RDP and Windows Server Message Block (SMB), both of which are used for file sharing and accessing network drives. Attackers aim to compromise systems and gain access to data, which puts businesses at risk of data theft and ransomware infections," the report said.
Microsoft has not yet released a patch for the vulnerability, but Trend Micro recommends disabling RDP as a temporary workaround until patches can be installed. To do this, one must open the command prompt and type "cmd.exe" before typing "shutdown /r". This will open a window to select a reason for the shutdown. Select number 2, which says "Disallow new Remote Desktop connections".
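For administrators who want to apply and verify a "disable RDP until patched" workaround on many hosts, the following PowerShell is an added example and is not a procedure from this article, from Microsoft or from Trend Micro. It assumes an elevated PowerShell session on Windows 7 / Server 2008 R2 or later; the registry value fDenyTSConnections, the netsh "remote desktop" firewall rule group and TCP port 3389 are the standard Windows settings that control Remote Desktop, and the function names are the example's own.

```powershell
# Added example (not from the article): temporarily refuse Remote Desktop
# connections until the patch is installed, and confirm the host's state.
# Assumes an elevated session. netsh and netstat are used instead of the
# NetSecurity / NetTCPIP cmdlets so the script also runs on Windows 7.

$RdpRegPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'

function Get-RdpStatus {
    # fDenyTSConnections = 1 means Remote Desktop is disabled at the OS level.
    $deny = (Get-ItemProperty -Path $RdpRegPath -Name fDenyTSConnections `
                -ErrorAction SilentlyContinue).fDenyTSConnections
    # A listener on 3389 means the RDP service is still accepting TCP connections
    # (the firewall rule group decides whether they can arrive from the network).
    $listening = [bool](netstat -an | Select-String -Pattern ':3389\s+\S+\s+LISTENING')
    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        RdpEnabled     = ($deny -ne 1)
        Port3389Listen = $listening
        CheckedAt      = (Get-Date).ToString('s')
    }
}

function Disable-RdpWorkaround {
    # 1. Refuse new Remote Desktop connections at the OS level.
    Set-ItemProperty -Path $RdpRegPath -Name fDenyTSConnections -Value 1 -Type DWord
    # 2. Disable the inbound firewall rule group so nothing reaches 3389 from the network.
    netsh advfirewall firewall set rule group="remote desktop" new enable=No | Out-Null
    # Note: step 1 only blocks NEW sessions. Sessions already open stay connected;
    # list them with 'query session' and end them with 'logoff <session id>' if required.
    Get-RdpStatus
}

function Enable-RdpRestore {
    # Revert the workaround once the patch has been applied and verified.
    Set-ItemProperty -Path $RdpRegPath -Name fDenyTSConnections -Value 0 -Type DWord
    netsh advfirewall firewall set rule group="remote desktop" new enable=Yes | Out-Null
    Get-RdpStatus
}

# Usage: record the state before, apply the workaround, then keep the
# resulting object (for example, export it to CSV) as evidence for the change ticket.
$before = Get-RdpStatus
$after  = Disable-RdpWorkaround
$before, $after | Format-Table -AutoSize
```

The status object is returned rather than printed so it can be collected from many hosts with Invoke-Command and compared against the patch inventory; the restore function exists so the workaround is explicitly reversed once the real fix is on the machine, instead of being forgotten.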