Cyber-security firm enSilo has released a patch for Windows XP and Windows Server 2003 that will protect against attacks via ESTEEMAUDIT, a hacking tool dumped online by the Shadow Brokers last month, and allegedly developed by the NSA.
At the technical level, ESTEEMAUDIT is a zero-day in the RDP protocol used by Windows to open desktop sessions on remote computers.
Analysis of the exploit shows it can be used to break into computers with open RDP ports, or to move laterally inside a network whose PCs accept RDP connections.
Microsoft didn’t patch against ESTEEMAUDIT attacks
enSilo researchers developed a patch for ESTEEMAUDIT because Microsoft has not provided security updates to protect against this zero-day.
That is because ESTEEMAUDIT only works on Windows XP and Windows Server 2003, two operating systems that Microsoft stopped supporting in 2014 and 2015, respectively.
A day after the Shadow Brokers dumped a collection of NSA hacking tools on April 14, Microsoft announced that its engineers had quietly patched Windows against most of the exploits a month earlier, in March.
ESTEEMAUDIT is one of the exploits that didn’t receive a patch, along with ENGLISHMANSDENTIST and EXPLODINGCAN.
Does Microsoft have an ESTEEMAUDIT patch lying around?
After the WannaCry ransomware outbreak, Microsoft did something uncharacteristic and issued an update for Windows XP, Windows 8, and Windows Server 2003, all unsupported versions of its OS. This out-of-band security update patched the older OS versions against the ETERNALBLUE exploit, used by the WannaCry ransomware.
Later it was discovered that Microsoft had created the ETERNALBLUE patch in February but did not release it, for reasons that remain unknown.
Furthermore, the Washington Post found out that the NSA had reached out to Microsoft earlier in the year to tell the company about the stolen exploits and their capabilities. This is why Microsoft had been releasing patches since March, a month before the actual Shadow Brokers dump.
If Microsoft has a patch for the ESTEEMAUDIT exploit stockpiled on one of its servers, we’ll never know. In the meantime, XP and Windows Server 2003 users can utilize enSilo’s patch to protect against attacks with ESTEEMAUDIT.
enSilo hotpatch available for download
The security company says the patch — which can be downloaded from here — works on Windows XP SP3 x86, Windows XP SP3 x64, and Windows Server 2003 R2.
At login for each session, Windows creates a new instance of winlogon. The patch is loaded into winlogon.exe (only if it is an RDP session) to perform in-memory patching (hotpatching) against ESTEEMAUDIT. Any attempt to use ESTEEMAUDIT to infect the patched machine will inevitably fail.
The patch is installed by an installation program after accepting the terms of usage. The installation program will support uninstallation by signaling an event (which will remove the patch in memory) and then unregistering the patch from loading into all subsequent RDP sessions.
The patch is direly needed. Despite the advanced age of both operating systems, both are still very popular. For example, Windows XP remains the third most popular OS on the market today, accounting for 7% of all operating systems in use today.
Similarly, Windows Server 2003 is currently used by 18% of all organizations today, accounting for more than 600,000 web-facing computers, which host upwards of 175 million websites.
Besides applying the enSilo patch, users can disable RDP altogether as an alternative way of protecting their systems.
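The following script is an added example for administrators who want to check where they stand; it is not enSilo's tool and not code from the article. It assumes PowerShell 2.0 is installed on the host (it is available for Windows XP SP3 and Server 2003 SP2 through Windows Management Framework Core) and that it runs with local administrator rights. It reports whether the machine is one of the two unsupported Windows versions ESTEEMAUDIT targets and whether Remote Desktop is currently accepting connections, using the standard fDenyTSConnections registry value, and only changes anything when run with -Disable.

```powershell
# Added example, not enSilo's patch. Audits an XP / Server 2003 host for RDP
# exposure and optionally disables Remote Desktop. Assumes PowerShell 2.0 and
# local administrator rights; nothing is changed unless -Disable is given.
param([switch]$Disable)

# Registry key that controls whether Terminal Services accepts RDP connections.
$tsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'

# Windows NT version 5.1 is XP; 5.2 covers Server 2003, Server 2003 R2 and XP x64.
$os = Get-WmiObject Win32_OperatingSystem
$major, $minor = $os.Version.Split('.')[0..1]
$isTargetOS = ($major -eq '5') -and ($minor -eq '1' -or $minor -eq '2')

# fDenyTSConnections = 0 means Remote Desktop is enabled; 1 means it is disabled.
$deny = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections).fDenyTSConnections
$rdpEnabled = ($deny -eq 0)

Write-Host ("OS:                       {0} (version {1})" -f $os.Caption, $os.Version)
Write-Host ("ESTEEMAUDIT-affected OS:  {0}" -f $isTargetOS)
Write-Host ("Remote Desktop enabled:   {0}" -f $rdpEnabled)

if ($isTargetOS -and $rdpEnabled) {
    Write-Warning 'Unsupported OS with Remote Desktop enabled: apply the enSilo hotpatch or disable RDP.'
    if ($Disable) {
        # Setting the value to 1 makes Terminal Services refuse new RDP connections.
        Set-ItemProperty -Path $tsKey -Name fDenyTSConnections -Value 1 -Type DWord
        Write-Host 'Remote Desktop disabled (fDenyTSConnections = 1).'
    }
}
```

Run it without arguments first to see the report; run it as `.\rdp-audit.ps1 -Disable` (script name is an assumption) on machines that do not need RDP. Disabling the service this way only stops new connections, so hosts that must keep RDP for administration still need the hotpatch, and blocking TCP 3389 at the host or network firewall remains a sensible additional layer either way.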