

Updated: May 26, 2019

Microsoft has issued a fix for a major vulnerability in Remote Desktop Services. For the first time since the WannaCry worm, the patch also covers older, unsupported versions of Windows, namely Windows XP and Windows Server 2003. This unusual move by Microsoft demonstrates how seriously it is taking the issue.

The remote code execution vulnerability also affects in-support systems, including Windows 7, Windows Server 2008 R2, and Windows Server 2008. The Remote Desktop Protocol (RDP) itself is not vulnerable, Microsoft says, and customers running Windows 8 and Windows 10 are not affected.

The vulnerability, CVE-2019-0708, is pre-authentication and requires no user interaction. This makes it "wormable": any future malware that exploits it could propagate from one vulnerable computer to another in the same way that WannaCry spread across the globe in 2017.

Microsoft says it does not believe that the vulnerability was exploited before the patch was released. Given its impact, however, it is highly likely that cyber crime groups will write an exploit for it and incorporate it into their malware soon.

Microsoft has advised that enabling Network Level Authentication (NLA) on affected systems partially mitigates the vulnerability, because on those systems an attacker must authenticate before they can reach the vulnerable functionality. It should be noted, however, that an attacker who has obtained valid credentials can still authenticate and then exploit the vulnerability. As a result, Microsoft is urging that affected systems are patched "as quickly as possible", even those which have NLA enabled.

Those who have automatic updates enabled on an in-support version of Windows are already protected. For those who do not, downloads for in-support versions of Windows can be found in the Microsoft Security Update Guide. Meanwhile, people using out-of-support systems such as Windows Server 2003 and Windows XP really should upgrade to the latest version of Windows, says Microsoft. It is nevertheless also making fixes available for these out-of-support versions in KB4500705.
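The two checks the previous paragraphs describe, whether NLA is required on the RDP listener and whether the fix is installed, can be scripted. The following PowerShell audit is an added example, not code from the article or from Microsoft. It reads the standard Terminal Server registry values and the installed-hotfix list, reports whether the host is exposed, and, when run with `-EnableNla`, switches NLA on through the `Win32_TSGeneralSetting` WMI class. The mapping of kernel version numbers to the Windows releases named in the article (5.1 = XP, 5.2 = Server 2003, 6.0 = Server 2008, 6.1 = Windows 7 / Server 2008 R2) is ours; KB4500705 is the only KB number the article gives, so the in-support KB id is a placeholder to be filled in from the Security Update Guide.

```powershell
# Added example (not from the article): audit one host for CVE-2019-0708 exposure
# and optionally require NLA on the RDP-Tcp listener. Run from an elevated prompt.
param(
    [switch]$EnableNla,   # when set, turn NLA on instead of only reporting
    # KB4500705 is the out-of-support fix named in the article. The in-support KB
    # ids are not in the article: replace the placeholder from the Security Update Guide.
    [string[]]$PatchKbIds = @('KB4500705', 'KB-PLACEHOLDER-FROM-SECURITY-UPDATE-GUIDE')
)

$tsRoot   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$listener = "$tsRoot\WinStations\RDP-Tcp"

# 1. OS version. Our mapping of kernel versions to the releases in the article:
#    5.1 = XP, 5.2 = Server 2003, 6.0 = Server 2008, 6.1 = Windows 7 / 2008 R2.
#    Windows 8 reports 6.2, and the article says 8 and 10 are not affected.
$osVersion  = [Version](Get-WmiObject -Class Win32_OperatingSystem).Version
$affectedOs = $osVersion -lt [Version]'6.2'

# 2. Is the RDP listener enabled? fDenyTSConnections = 1 means Remote Desktop is off.
$denyTs = (Get-ItemProperty -Path $tsRoot -Name fDenyTSConnections `
              -ErrorAction SilentlyContinue).fDenyTSConnections
$rdpEnabled = ($denyTs -ne 1)

# 3. NLA status. UserAuthentication = 1 on the listener requires NLA before the
#    session is created, which is the partial mitigation the article describes.
$nla = (Get-ItemProperty -Path $listener -Name UserAuthentication `
           -ErrorAction SilentlyContinue).UserAuthentication
$nlaRequired = ($nla -eq 1)

# 4. Patch status: is any of the listed KBs present in the installed-hotfix list?
$installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
$patched   = @($PatchKbIds | Where-Object { $installed -contains $_ }).Count -gt 0

# 5. Optional remediation. Win32_TSGeneralSetting exists on Vista / Server 2008 and
#    later; on XP and 2003 set the UserAuthentication registry value by policy instead.
if ($EnableNla -and $rdpEnabled -and -not $nlaRequired) {
    $ts = Get-WmiObject -Namespace 'root\cimv2\TerminalServices' `
                        -Class Win32_TSGeneralSetting `
                        -Filter "TerminalName='RDP-Tcp'"
    $null = $ts.SetUserAuthenticationRequired(1)
    $nlaRequired = $true
}

# 6. Verdict. NLA only narrows exposure to holders of valid credentials; the
#    article's point is that patching is required even with NLA on.
$verdict = if (-not $affectedOs)       { 'not affected (Windows 8 or later)' }
           elseif (-not $rdpEnabled)   { 'RDP disabled: not reachable' }
           elseif ($patched)           { 'patched' }
           elseif ($nlaRequired)       { 'UNPATCHED: partially mitigated by NLA, patch now' }
           else                        { 'UNPATCHED and exposed to unauthenticated clients' }

New-Object PSObject -Property @{
    Computer    = $env:COMPUTERNAME
    OSVersion   = $osVersion.ToString()
    AffectedOS  = $affectedOs
    RDPEnabled  = $rdpEnabled
    NLARequired = $nlaRequired
    Patched     = $patched
    Verdict     = $verdict
}
```

The script uses `Get-WmiObject` and `New-Object PSObject` rather than their newer CIM equivalents so that it runs under the PowerShell 2.0 that ships with Windows 7 and Server 2008 R2, which are the in-support systems the article lists. The output object is deliberately the only thing it emits, so it can be collected from many hosts with `Invoke-Command` and sorted by `Verdict`.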

In short, now is a great time to ensure all your Windows instances are fully patched.


Published: May 2019