Vulnerabilities / Threats

5/24/2017
12:00 AM
Dark Reading
Products and Releases

enSilo Launches Independent Patch for 'ESTEEMAUDIT' RDP Exploit

Patch protects users from malware campaigns increasingly fueled by shadow brokers' exploit disclosures.

SAN FRANCISCO, CA – enSilo, the company that has redefined endpoint security, today announced that it has issued a patch for Windows XP and Windows Server 2003 to fix a critical remote desktop protocol (RDP) vulnerability, ESTEEMAUDIT, that leaves users exposed to ransomware, espionage campaigns and other malicious code in the enterprise. ESTEEMAUDIT is another reputed National Security Agency (NSA)-developed exploit leaked by the Shadow Brokers that could be used to drive attacks similar to the WannaCry ransomware. WannaCry exposed the sheer number of Windows XP and Server 2003 users who have been left vulnerable to such attacks following Microsoft’s discontinuation of support in 2014. It is estimated that Windows XP continues to be used by hundreds of millions of connected devices worldwide, from ATMs and sensitive control systems to medical gear. enSilo’s free patch gives these systems, many of which support critical infrastructure, another tool to keep enterprises safe.

"In the face of escalating ransomware attacks, enSilo wanted to fill a market gap to support and address the needs of users who rely on vulnerable legacy systems such as Windows XP and Server 2003," said Udi Yavo, CTO and co-founder, enSilo. "When Microsoft discontinued support for XP, they created a major security problem, leaving users exposed and leading to the WannaCry crisis. While the original OS developers ignore pressing threats, enSilo is ensuring that susceptible systems stay protected."

Alarmed at Microsoft’s discontinuation of technical support for legacy systems and devices, Yavo and the researchers and developers at enSilo are filling critical gaps left by major operating system providers in recent years. With his background in cyber defense R&D, Yavo has a strong history of disclosing software vulnerabilities along with exploitation methods coupled with a patch.

Windows XP-based systems currently account for more than 7 percent of desktop operating systems still in use today, in addition to supporting a countless number of systems relied on by foreign governments, the US military, law enforcement agencies and the healthcare industry. Moreover, research estimates that more than 600,000 web-facing computers, which host upwards of 175 million websites, still run Windows Server 2003, accounting for roughly 18 percent of global market share. Despite Microsoft’s work to quickly patch the ETERNALBLUE exploit in the wake of WannaCry, many systems have gone unpatched since Microsoft’s support for both Windows XP and Windows Server 2003 ended, leaving them vulnerable to significant attacks. enSilo’s agnostic endpoint security approach protects against attacks independent of the OS, including WannaCry.

Recognizing the challenge of protecting the millions of users that still rely on Windows XP and Windows Server 2003, enSilo’s patch protects vulnerable users from ESTEEMAUDIT, a remote desktop protocol exploit that enables attackers to move laterally through unpatched systems and devices. When this kind of access is coupled with a malware attack, it has the ability to shut down entire systems and services.

enSilo’s patch for Windows XP and Windows Server 2003 is available via an installation program here.

The patch supports silent installation and does not require a reboot, which helps users and embedded systems avoid the downtime typically associated with patch installations. Upon patching, any attempt to deliver malware using the ESTEEMAUDIT exploit fails.

Comments
FrankUnderwood2020,
User Rank: Apprentice
5/25/2017 | 9:19:52 AM
Is a patch necessary?
Given Fortinet's analysis, wouldn't it be enough to unregister the vulnerable CSP Provider?

Like 'regsvr32 /s /u gpkcsp.dll'

https://blog.fortinet.com/2017/05/11/deep-analysis-of-esteemaudit
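A defender's audit check for the two conditions the comment above touches on (the gpkcsp.dll CSP still being registered, and RDP being enabled or listening), written as an added example that is not part of the article, enSilo's patch or the commenter's post. It assumes the stock reg.exe, find and netstat tools on XP / Server 2003 and the standard Cryptography\Defaults\Provider and Terminal Server registry locations.

```batch
@echo off
rem Added example (not from the article or enSilo): report whether this XP /
rem Server 2003 host still has the conditions ESTEEMAUDIT needs. Read-only;
rem it changes nothing, so it is safe to run before and after any mitigation.
setlocal
set EXPOSED=0

rem 1) Is the Gemplus smart card CSP (gpkcsp.dll) still registered as a provider?
rem    Matching on the DLL name avoids depending on the provider's display name.
reg query "HKLM\SOFTWARE\Microsoft\Cryptography\Defaults\Provider" /s 2>nul | find /i "gpkcsp.dll" >nul
if %errorlevel%==0 (
    echo [!] gpkcsp.dll is registered as a CSP
    set EXPOSED=1
) else (
    echo [ok] gpkcsp.dll is not registered as a CSP
)

rem 2) Is Remote Desktop enabled? fDenyTSConnections = 0 means connections are allowed.
reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections 2>nul | find "0x0" >nul
if %errorlevel%==0 (
    echo [!] Remote Desktop connections are enabled
    set EXPOSED=1
) else (
    echo [ok] Remote Desktop connections are disabled
)

rem 3) Is the RDP port actually listening right now?
netstat -an | find ":3389" | find "LISTENING" >nul
if %errorlevel%==0 (
    echo [!] TCP 3389 is listening
    set EXPOSED=1
) else (
    echo [ok] nothing is listening on TCP 3389
)

rem Summary: exposure means the vulnerable CSP is present AND RDP is reachable.
if %EXPOSED%==1 (
    echo Result: host still shows ESTEEMAUDIT-related exposure; apply a patch or unregister the CSP, then re-run.
) else (
    echo Result: none of these checks found ESTEEMAUDIT-related exposure.
)
endlocal
```

Run it from an elevated cmd.exe; a clean result after unregistering the CSP shows only the first check changed, so RDP exposure itself is unaffected by that mitigation.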
