this week that they ’ ve releasedVulnerability-related.PatchVulnerabilitya preliminary fix for a vulnerability rated important , and present inVulnerability-related.DiscoverVulnerabilityall supported versions of Windows in circulation ( basically any client or server version of Windows from 2008 onward ) . The flaw affectsVulnerability-related.DiscoverVulnerabilitythe Credential Security Support Provider ( CredSSP ) protocol , which is used in all instances of Windows ’ Remote Desktop Protocol ( RDP ) and Remote Management ( WinRM ) . The vulnerability , CVE-2018-0886 , could allow remote code execution via a physical or wifi-based Man-in-the-Middle attack , where the attacker stealsAttack.Databreachsession data , including local user credentials , during the CredSSP authentication process . Although Microsoft saysVulnerability-related.DiscoverVulnerabilitythe bug has not yet been exploitedVulnerability-related.DiscoverVulnerability, it could cause serious damage if left unpatched . RDP is widely used in enterprise environments and an attacker who successfully exploitsVulnerability-related.DiscoverVulnerabilitythis bug could use it to gain a foothold from which to pivot and escalate . It ’ s also popular with small businesses who outsource their IT administration and , needless to say , an attacker with an admin account has all the aces . Security researchers at Preempt sayVulnerability-related.DiscoverVulnerabilitythey discovered and disclosedVulnerability-related.DiscoverVulnerabilitythis vulnerability to Microsoft last August , and Microsoft has been working since then to createVulnerability-related.PatchVulnerabilitythe patch releasedVulnerability-related.PatchVulnerabilitythis week . Now it ’ s out there , it ’ s a race against time to make sure you aren ’ t an easy target for an attacker who wants to try and kick the tires on this vulnerability . Obviously , patch as soon as possible and please follow Microsoft ’ s guidance carefully : Mitigation consists of installing the update on all eligible client and server operating systems and then using included Group Policy settings or registry-based equivalents to manage the setting options on the client and server computers . We recommend that administrators apply the policy and set it to “ Force updated clients ” or “ Mitigated ” on client and server computers as soon as possible . These changes will require a reboot of the affected systems . Pay close attention to Group Policy or registry settings pairs that result in “ Blocked ” interactions between clients and servers in the compatibility table later in this article . Both the “ Force updated clients ” and “ Mitigated ” settings prevent RDP clients from falling back to insecure versions of CredSSP . The “ Force updated clients ” setting will not allow services that use CredSSP to accept unpatched clients but “ Mitigated ” will .
11th December was Microsoft ’ s December 2018 Patch Tuesday , which means users had to updateVulnerability-related.PatchVulnerabilitytheir computers to be protected from the latest threats to Windows and Microsoft products . Microsoft has fixedVulnerability-related.PatchVulnerability39 vulnerabilities , with 10 of them being labeled as Critical . Keeping up with its December 2018 Patch Tuesday , Microsoft announcedVulnerability-related.DiscoverVulnerabilityon its blog that a vulnerability exists inVulnerability-related.DiscoverVulnerabilityWindows Domain Name System ( DNS ) . There was not much information provided to the customers about how and when this vulnerability was discoveredVulnerability-related.DiscoverVulnerability. The following details were released by Microsoft : The Exploit Microsoft Windows is proneVulnerability-related.DiscoverVulnerabilityto a heap-based buffer-overflow vulnerability . A remote code execution vulnerability exists inVulnerability-related.DiscoverVulnerabilityWindows Domain Name System ( DNS ) servers when they fail to properly handle requests . An attacker who successfully exploitsVulnerability-related.DiscoverVulnerabilitythis issue may execute arbitrary code within the context of the affected application . Microsoft states that failed exploit attempts will result in a denial-of-service condition . Windows servers that are configured as DNS servers are at risk from this vulnerability . Affected Systems Find a list of the affected systems on Microsoft ’ s Blog . The company has also providedVulnerability-related.PatchVulnerabilityusers with security updates for the affected systems . Workarounds and Mitigations As of today , Microsoft has not identified any workarounds or mitigations for the affected systems . Jake Williams , the founder of Rendition Security and Rally security , posted an update on Twitter about the issue , questioning why there is no sufficient discussion among the infosec community about the matter .
Businesses that failed to update Windows-based computer systems that were hit by a massive cyber attack over the weekend could be sued over their lax cyber security , but Microsoft itself enjoys strong protection from lawsuits , legal experts said . The WannaCry worm has affected more than 200,000 Windows computers around the world since Friday , disruptingAttack.Ransomcar factories , global shipper FedEx Corp and Britain 's National Health Service , among others . The hacking tool spreads silently between computers , shutting them down by encrypting data and then demanding a ransomAttack.Ransomof US $ 300 to unlock them . According to Microsoft , computers affected by the ransomware did not have security patches for various Windows versions installed or were running Windows XP , which the company no longer supports . `` Using outdated versions of Windows that are no longer supported raises a lot of questions , '' said Christopher Dore , a lawyer specializing in digital privacy law at Edelson PC . `` It would arguably be knowingly negligent to let those systems stay in place. ” Businesses could face legal claims if they failed to deliver services because of the attack , said Edward McAndrew , a data privacy lawyer at Ballard Spahr . `` There is this stream of liability that flows from the ransomware attackAttack.Ransom, '' he said `` That 's liability to individuals , consumers and patients , '' WannaCry exploitsVulnerability-related.DiscoverVulnerabilitya vulnerability in older versions of Windows , including Windows 7 and Windows XP . Microsoft issuedVulnerability-related.PatchVulnerabilitya security update in March that stops WannaCry and other malware in Windows 7 . Over the weekend the company took the unusual step of releasingVulnerability-related.PatchVulnerabilitya similar patch for Windows XP , which the company announced in 2014 it would no longer support . Dore said companies that faced disruptions because they did not run the Microsoft update or because they were using older versions of Windows could face lawsuits if they publicly touted their cyber security . His law firm sued LinkedIn after a 2012 data breachAttack.Databreach, alleging individuals paid for premium accounts because the company falsely stated it had top-quality cyber security measures . LinkedIn settled for US $ 1.25 million in 2014 . But Scott Vernick , a data security lawyer at Fox Rothschild that represents companies , said he was sceptical that WannaCry would produce a flood of consumer lawsuits . He noted there was no indication the cyber attack had resulted in widespread disclosure of personal data . `` It isn ’ t clear that there has been a harm to consumers , '' he said . Vernick said businesses that failed to update their software could face scrutiny from the US Federal Trade Commission , which has previously sued companies for misrepresenting their data privacy measures . Microsoft itself is unlikely to face legal trouble over the flaw in Windows being exploitedVulnerability-related.DiscoverVulnerabilityby WannaCry , according to legal experts . When Microsoft sells software it does so through a licensing agreement that states the company is not liable for any security breaches , said Michael Scott , a professor at Southwestern Law School . Courts have consistently upheld those agreements , he said . Alex Abdo , a staff attorney at the Knight First Amendment Institute at Columbia University , said Microsoft and other software companies have strategically settled lawsuits that could lead to court rulings weakening their licensing agreements . `` This area of law has been stunted in its growth , '' he said . `` It is very difficult to hold software manufacturers accountable for flaws in their products . '' Also enjoying strong protection from liability over the cyber attack is the US National Security Agency , whose stolen hacking tool is believed to be the basis for WannaCry . The NSA did not immediately return a request for comment . Jonathan Zittrain , a professor specializing in internet law at Harvard Law School , said courts have frequently dismissed lawsuits against the agency on the grounds they might result in the disclosure of top secret information . On top of that , the NSA would likely be able to claim that it is shielded from liability under the doctrine of sovereign immunity , which says that the government can not be sued over carrying out its official duties . `` I doubt there can be any liability that stems back to the NSA , '' Dore said .