Microsoft today took the unusual step of issuing security fixes for out-of-support systems to patch a vulnerability it fears could be wormable if exploited. CVE-2019-0708 affects in-support systems Windows 7, Server 2008, and 2008 R2 and out-of-support Windows 2003 and XP.
This is a critical remote code execution flaw in Remote Desktop Services, formerly known as Terminal Services, which affects some older versions of Windows. Remote Desktop Protocol (RDP) is not vulnerable. CVE-2019-0708 is pre-authentication and requires no user interaction, meaning any future malware could propagate from vulnerable machine to vulnerable machine.
Unauthenticated attackers could exploit this vulnerability by connecting to a target system via RDP and sending specially crafted requests. If successful, they could execute code on the target system; install programs; view, edit, or delete data; or create new accounts with full user rights. Today's security fix corrects the way Remote Desktop Services handles connection requests.
Simon Pope, director of incident response for the Microsoft Security Response Center, says it's "highly likely" malicious actors will write an exploit for this vulnerability and build it into malware. Microsoft has not seen any evidence of CVE-2019-0708 being exploited in the wild, but it urges companies to update immediately, warning the bug could be weaponized as a worm.
The impact is limited to older versions of Windows that are either out of support or approaching the end-of-support life cycle. Vulnerable in-support systems with automatic updates enabled are protected. Vulnerable out-of-support versions can find guidance ..
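As an added example (not from the article and not Microsoft's code), the following PowerShell script triages one host against the version list above: it reports whether the OS is in a listed family, whether Remote Desktop Services is enabled and actually listening, and whether automatic updates are set to install, which the article notes is enough for in-support systems to receive the fix. It assumes it is run elevated in Windows PowerShell on the host being checked; the function name is my own.

```powershell
# Added triage script (not Microsoft's and not from the article). Assumes Windows PowerShell
# 2.0 or later run elevated on the host being assessed; the function name is my own choice.
function Test-Cve20190708Exposure {
    $os  = Get-WmiObject -Class Win32_OperatingSystem
    $ver = [version]$os.Version
    $isServer = ($os.ProductType -ne 1)   # 1 = workstation, 2 = domain controller, 3 = server
    # Version families the article lists: Windows 7, Server 2008, 2008 R2, Server 2003, XP.
    $family = switch ("$($ver.Major).$($ver.Minor)") {
        '5.1'   { 'Windows XP (out of support)' }
        '5.2'   { 'Windows Server 2003 / XP x64 (out of support)' }
        '6.0'   { if ($isServer) { 'Windows Server 2008' } else { $null } }  # Vista is not in the list
        '6.1'   { if ($isServer) { 'Windows Server 2008 R2' } else { 'Windows 7' } }
        default { $null }
    }

    # Remote Desktop Services accepts connections only when fDenyTSConnections is 0.
    $ts = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' -ErrorAction SilentlyContinue
    $rdpEnabled = ($ts -ne $null) -and ($ts.fDenyTSConnections -eq 0)
    # The RDP-Tcp listener port is configurable; 3389 is the default.
    $rdpTcp = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -ErrorAction SilentlyContinue
    $port = if ($rdpTcp -and $rdpTcp.PortNumber) { [int]$rdpTcp.PortNumber } else { 3389 }
    $listening = [bool](netstat -an -p tcp | Select-String -Pattern ":$port\s+\S+\s+LISTENING")
    # Automatic updates: AUOptions 4 = download and install automatically; the policy key wins.
    $auPolicy = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU' -ErrorAction SilentlyContinue
    $auLocal  = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update' -ErrorAction SilentlyContinue
    $auOption = if ($auPolicy -and $auPolicy.AUOptions) { $auPolicy.AUOptions } elseif ($auLocal) { $auLocal.AUOptions } else { $null }
    $autoInstall = ($auOption -eq 4)

    # Newest hotfix on the box, to compare against the release date of the Remote Desktop Services fix.
    $lastFix = Get-HotFix | Where-Object { $_.InstalledOn } | Sort-Object InstalledOn | Select-Object -Last 1
    $lastFixText = if ($lastFix) { "$($lastFix.HotFixID) installed $($lastFix.InstalledOn)" } else { $null }

    $verdict = if (-not $family) { 'Not in a listed version family' }
               elseif ($rdpEnabled -and $listening) { 'AT RISK: listed OS with Remote Desktop Services reachable; apply the fix now' }
               else { 'Listed OS; Remote Desktop Services disabled or not listening, but still apply the fix' }

    New-Object PSObject -Property @{
        ComputerName       = $os.CSName
        OSVersion          = $os.Version
        ListedFamily       = $family
        RdpEnabled         = $rdpEnabled
        RdpListening       = $listening
        RdpPort            = $port
        AutoInstallUpdates = $autoInstall
        LastHotfix         = $lastFixText
        Verdict            = $verdict
    }
}

Test-Cve20190708Exposure | Format-List
```

Run it across a fleet with `Invoke-Command` or a remote-execution tool of your choice and collect the `Verdict` column; hosts reported AT RISK are the ones to patch first.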