Microsoft today took the unusual step of issuing security fixes for out-of-support systems to patch a vulnerability it fears could be wormable if exploited. CVE-2019-0708 affects the in-support systems Windows 7, Server 2008, and Server 2008 R2, as well as the out-of-support Windows 2003 and XP.
This is a critical remote code execution flaw in Remote Desktop Services, formerly known as Terminal Services, which affects some older versions of Windows. The Remote Desktop Protocol (RDP) itself is not vulnerable. CVE-2019-0708 is pre-authentication and requires no user interaction, meaning any future malware that exploits it could propagate from vulnerable machine to vulnerable machine.
Authenticated attackers could exploit this vulnerability by connecting to a target system via RDP and sending specially crafted ..