<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:#954F72;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal-compose;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri",sans-serif;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="#0563C1" vlink="#954F72">
<div class="WordSection1">
<p class="MsoNormal"><span style="font-family:"Times New Roman",serif">Hello IT Partners, SecuritySIG, and IST-Security-FYI,<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Times New Roman",serif"> <o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Times New Roman",serif">This week Microsoft released fixes for a critical Remote Code Execution vulnerability,
<a href="https://krebsonsecurity.com/2019/05/microsoft-patches-wormable-flaw-in-windows-xp-7-and-windows-2003/">
CVE-2019-0708</a> [1], in Remote Desktop Services (RDS) that affects some older versions of Windows. This vulnerability is pre-authentication and requires no user interaction, meaning that
<a href="https://blogs.technet.microsoft.com/msrc/2019/05/14/prevent-a-worm-by-updating-remote-desktop-services-cve-2019-0708/">
exploits could propagate</a> [2] from vulnerable computer to vulnerable computer in a way similar to the spread of the WannaCry malware across the globe in 2017.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Times New Roman",serif"> <o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Times New Roman",serif">Vulnerable in-support systems:<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Times New Roman",serif"> <o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Times New Roman",serif">Windows 7<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Times New Roman",serif">Windows Server 2008 R2<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Times New Roman",serif">Windows Server 2008<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Times New Roman",serif"> <o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Times New Roman",serif">Vulnerable out-of-support systems:<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Times New Roman",serif"> <o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Times New Roman",serif">Windows 2003<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Times New Roman",serif">Windows XP<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Times New Roman",serif"> <o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Times New Roman",serif">Recommendations:<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Times New Roman",serif"> <o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Times New Roman",serif">Please verify that your systems have the appropriate patch installed (it may require a reboot) and communicate the severity of this vulnerability within your DLCs.<br>
<br>
The patch has been released to <a href="https://ist.mit.edu/waus">IS&T’s WAUS service</a> [3], and IS&T-managed devices are being patched. In-support versions of Windows with automatic updates enabled are automatically protected.</span><span style="font-family:"Cambria Math",serif"> </span><span style="font-family:"Times New Roman",serif">
For all other computers, downloads for in-support versions of Windows can be found in the
<a href="https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708">
Microsoft Security Update Guide</a> [4]. <o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Times New Roman",serif"> <o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Times New Roman",serif">If you are on an out-of-support version, the best way to address this vulnerability is to upgrade to the
<a href="https://ist.mit.edu/windows">latest version of Windows</a> [5]. Microsoft has also released fixes for these out-of-support versions of Windows in
<a href="https://support.microsoft.com/en-us/help/4500705/customer-guidance-for-cve-2019-0708">
KB4500705</a> [6].<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Times New Roman",serif"> <o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Times New Roman",serif">Windows 8 and Windows 10 and later versions are not affected by this vulnerability. Please note that the Windows 7 and Windows Server 2008 end-of-support date is January 14, 2020. After
that date Microsoft will no longer provide regular security updates.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Times New Roman",serif"> <o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Times New Roman",serif">Wherever possible, restrict remote access to trusted IPs (the MIT VPN ranges are 18.100.0.0/16 and 18.101.0.0/16).<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Times New Roman",serif"> <o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Times New Roman",serif">Workarounds:<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Times New Roman",serif"> <o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Times New Roman",serif">If affected systems are not capable of being upgraded or patched at this time, then one of the following should be done:<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Times New Roman",serif"> <o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Times New Roman",serif"> - Disable Remote Desktop Services on the system.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Times New Roman",serif"> - If RDS needs to remain enabled, ensure that firewall rules allow access only from trusted hosts (including those internal to the network) to the RDS port.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Times New Roman",serif"> - Remove the system from the network.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Times New Roman",serif"> <o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Times New Roman",serif">Enabling Network Level Authentication (NLA) will prevent unauthenticated attacks, but the system will still be vulnerable to attackers with valid credentials. Microsoft strongly advises
that all affected systems be updated as soon as possible, whether or not NLA is enabled. <o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Times New Roman",serif"> <o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Times New Roman",serif">For assistance, please contact the
<a href="http://ist.mit.edu/help">IS&T Service Desk</a> [7] at 617-253-1101 or <a href="mailto:servicedesk@mit.edu">
servicedesk@mit.edu</a>.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Times New Roman",serif"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Times New Roman",serif">Best,<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Times New Roman",serif">Jessica<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Times New Roman",serif"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Times New Roman",serif">-- <o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Times New Roman",serif">Jessica Murray<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Times New Roman",serif">Information Security Officer<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Times New Roman",serif">Information Systems & Technology<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Times New Roman",serif">Massachusetts Institute of Technology<o:p></o:p></span></p>
<p class="MsoNormal"><a href="mailto:jlmurray@mit.edu" target="_blank"><span style="font-family:"Times New Roman",serif">jlmurray@mit.edu</span></a><span style="font-family:"Times New Roman",serif"><o:p></o:p></span></p>
<p class="MsoNormal"><a href="mailto:security@mit.edu" target="_blank"><span style="font-family:"Times New Roman",serif">security@mit.edu</span></a><span style="font-family:"Times New Roman",serif"> |
</span><a href="http://ist.mit.edu/secure" target="_blank"><span style="font-family:"Times New Roman",serif">http://ist.mit.edu/secure</span></a><span style="font-family:"Times New Roman",serif"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Times New Roman",serif"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Times New Roman",serif"> <o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Times New Roman",serif">[1] </span>
<a href="https://krebsonsecurity.com/2019/05/microsoft-patches-wormable-flaw-in-windows-xp-7-and-windows-2003/" target="_blank"><span style="font-family:"Times New Roman",serif">https://krebsonsecurity.com/2019/05/microsoft-patches-wormable-flaw-in-windows-xp-7-and-windows-2003/</span></a><span style="font-family:"Times New Roman",serif"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Times New Roman",serif">[2] </span>
<a href="https://blogs.technet.microsoft.com/msrc/2019/05/14/prevent-a-worm-by-updating-remote-desktop-services-cve-2019-0708/" target="_blank"><span style="font-family:"Times New Roman",serif">https://blogs.technet.microsoft.com/msrc/2019/05/14/prevent-a-worm-by-updating-remote-desktop-services-cve-2019-0708/</span></a><span style="font-family:"Times New Roman",serif"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Times New Roman",serif">[3] </span>
<a href="https://ist.mit.edu/waus" target="_blank"><span style="font-family:"Times New Roman",serif">https://ist.mit.edu/waus</span></a><span style="font-family:"Times New Roman",serif"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Times New Roman",serif">[4] </span>
<a href="https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708" target="_blank"><span style="font-family:"Times New Roman",serif">https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708</span></a><span style="font-family:"Times New Roman",serif"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Times New Roman",serif">[5] </span>
<a href="https://ist.mit.edu/windows" target="_blank"><span style="font-family:"Times New Roman",serif">https://ist.mit.edu/windows</span></a><span style="font-family:"Times New Roman",serif"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Times New Roman",serif">[6] </span>
<a href="https://support.microsoft.com/en-us/help/4500705/customer-guidance-for-cve-2019-0708" target="_blank"><span style="font-family:"Times New Roman",serif">https://support.microsoft.com/en-us/help/4500705/customer-guidance-for-cve-2019-0708</span></a><span style="font-family:"Times New Roman",serif"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Times New Roman",serif">[7] </span>
<a href="http://ist.mit.edu/help" target="_blank"><span style="font-family:"Times New Roman",serif">http://ist.mit.edu/help</span></a><span style="font-family:"Times New Roman",serif"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
</div>
</body>
</html>