Patch/Configuration Management, Vulnerability Management

Microsoft remote assistance tool threat patched, danger remains


Microsoft has just patched a vulnerability in the primary tool the company uses to help provide remote assistance to its users, but until all devices are updated there is still some danger.

The vulnerability in the Windows Remote Assistance Tool (CVE-2018-0878) can be exploited in Windows XP, 7 and 8 variants, according to a Bleeping Computer report. The problem was disclosed by security researcher Nabeel Ahmed to Microsoft in October and the patch was included in the March Patch Tuesday release. If left unpatched an attacker could remove any data from the target's computer.

The good news is the attack methodology is rather convoluted and can only be used against a potential victim who is accustomed to helping others remotely. That is because the victim actually has to use the remote assistance tool to contact the attacker. This is done accomplished using a phishing email sent to the victim that requests assistance.

The email will contain a note asking for help and then offer up two links for the victim. One says to click here if you need help, the other if you want to help someone else. The trap is then sprung if the target falls for the scam and clicks to open a remote help session which is in fact an XML file containing configuration data that gives the attacker access to the target computer, Bleeping Computer said.

At this point files can be removed without the victim's knowledge.

There are some steps an organization can take to stop this and other remote access attacks, said Bob Noel, director of strategic relationships and marketing for Plixer.

“Network traffic analysis allows organizations to know when a remote access session is initiated. As a best practice, remote access sessions should not be allowed to occur with a device that is either not on the company's network or pre-approved (such as from a managed service provider). This ensures that even if a user is tricked through social engineering, the session cannot be established,” he said.

Traffic analysis can also help an IT department see if any unwanted remote sessions in the past, Noel added.

The patch pushed last week will fix the problem for those not using Windows 10. For its latest operating system Microsoft dropped the remote assistant and replaced it with a tool called Quick Assist that does not require an invitation to make a connection.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.