Microsoft announced CVE-2019-0708, a critical flaw in Remote Desktop Services that enables unauthenticated remote code execution. In their blog post on May 14, 2019, they report that a specially crafted request could allow an attacker to execute arbitrary code on the victim's system without any user interaction and prior to any authentication. Microsoft sees it as critical enough that they're issuing patches for non-supported versions of Windows XP and Windows Server 2003 to help prevent this spreading as wildly as WannaCry in 2017. Affected versions of Windows include:
- Windows 7
- Windows Server 2008 R2
- Windows Server 2008
- Windows Server 2003
- Windows XP
Links to the full list of affected operating systems, as well as links to the necessary patches, can be found in the same TechNet blog where the announcement was made.
The security of our customers' networks is of great importance to us as well. Because we still offer Windows Server 2008 R2 as an option, and many of our customers choose to deploy with this option, we felt it necessary to proactively encourage our customers to perform this update immediately after testing in a non-production environment.
Ideally, we encourage our customers to limit services exposed to the public Internet, or to whitelist specific sources, but we realize some customers may not be aware of the risk associated with that decision, or are willing to accept it. Even if you're not exposing RDP to the public Internet, we still encourage you to deploy these patches, as well as any other critical patches, to your systems as soon as you can test them on a non-production system to assess potential impact. If you have automatic updates enabled, you may already be protected and should check your system updates to confirm that this patch has been applied.
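As an added example (not part of the original announcement), the following PowerShell script performs the two checks recommended above on a Windows Server 2008 R2 host: whether Remote Desktop is enabled and reachable on TCP 3389, and whether any of the Microsoft update KBs for CVE-2019-0708 is installed. The KB identifiers in $PatchKBs are placeholders that you must replace with the IDs listed in Microsoft's advisory for your OS version.

```powershell
# CVE-2019-0708 exposure and patch-status check (added example, not vendor code).
# Runs on PowerShell 2.0+ (Windows Server 2008 R2 / Windows 7). Run as Administrator.

# Placeholder: replace with the KB IDs Microsoft lists for CVE-2019-0708 on this OS.
$PatchKBs = @('KB0000000', 'KB0000001')

# 1. Is Remote Desktop enabled? fDenyTSConnections = 0 means RDP is enabled.
$tsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpEnabled = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections).fDenyTSConnections -eq 0

# 2. Is anything listening on the default RDP port, and on which addresses?
$listeners = netstat -ano | Where-Object { $_ -match ':3389\s+\S+\s+LISTENING' }
$listensAllInterfaces = [bool]($listeners | Where-Object { $_ -match '\s0\.0\.0\.0:3389|\s\[::\]:3389' })

# 3. Has one of the CVE-2019-0708 updates been installed?
$installed = Get-HotFix | Where-Object { $PatchKBs -contains $_.HotFixID }
$patched = [bool]$installed

# Report
Write-Host ("Remote Desktop enabled        : {0}" -f $rdpEnabled)
Write-Host ("Listening on 3389 (all ifaces): {0}" -f $listensAllInterfaces)
Write-Host ("CVE-2019-0708 patch installed : {0}" -f $patched)
if ($patched) {
    $installed | ForEach-Object { Write-Host ("  {0} installed {1}" -f $_.HotFixID, $_.InstalledOn) }
}

# Risk summary: an enabled, network-reachable RDP service without the patch needs action now.
if ($rdpEnabled -and -not $patched) {
    Write-Warning 'RDP is enabled and the CVE-2019-0708 update is not installed: patch after non-production testing, and restrict inbound 3389 to known sources in the meantime.'
} elseif (-not $patched) {
    Write-Warning 'CVE-2019-0708 update not found: install it even though RDP is currently disabled.'
} else {
    Write-Host 'Host appears patched for CVE-2019-0708.'
}
```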
The safety and security of the Internet is up to each of us to protect. Please help us be good stewards of this great resource.
If you have any other questions or concerns about this announcement or any of our other offerings, please contact us at firstname.lastname@example.org.