On Tuesday 14 May 2019, Microsoft released a critical patch for Windows XP, Windows 7, Windows Server 2003, Windows Server 2008 and Windows Server 2008 R2 addressing a flaw in the Remote Desktop Services component of Windows (security vulnerability CVE-2019-0708, widely known as BlueKeep).
The flaw is a pre-authentication remote code execution vulnerability: an unauthenticated attacker who can reach the Remote Desktop (RDP) listener can run arbitrary code on the target without any user interaction, and from there install malware, create accounts and view, change or delete data with full user rights. Because neither credentials nor user action are required, the flaw is wormable, and Microsoft has warned that malware exploiting it could spread from one vulnerable machine to the next in the same way the fast-moving, global WannaCry ransomware outbreak did in 2017.
The fact that Microsoft has released patches for Windows XP and Windows Server 2003, both of which have long been out of support, speaks volumes about the severity of this threat.
Microsoft urges that systems running the affected operating systems be patched as quickly as possible to head off a widespread attack. Microsoft also notes that Windows 8 and Windows 10 are not affected by this vulnerability.
The Security Updates
For the full list of affected operating systems and the available updates, offered either as the monthly rollup or as a stand-alone security-only update, see the Microsoft MSRC page for this vulnerability: CVE-2019-0708 | Remote Desktop Services Remote Code Execution Vulnerability
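A quick way to confirm that a host actually received one of these updates is to compare its OS version against the KB numbers listed on the MSRC page. The script below is an added example written for this post, not a Microsoft tool; the KB numbers in it are the May 2019 identifiers published for CVE-2019-0708 and should be verified against the MSRC page before you rely on them. It assumes WMI and Get-HotFix are reachable on the target (PowerShell 2.0 on Windows 7 is enough).

```powershell
# Added example, not from the original post: report whether a host has one of
# the May 2019 security updates for CVE-2019-0708 installed.
param(
    [string]$ComputerName = $env:COMPUTERNAME
)

# Security-only update and monthly rollup per OS, keyed by major.minor version.
# Values are the KB numbers listed on the MSRC page for CVE-2019-0708 in May 2019;
# verify them against that page before trusting this table.
$fixes = @{
    '5.1' = @('KB4500331')               # Windows XP SP3
    '5.2' = @('KB4500331')               # Windows Server 2003 SP2
    '6.0' = @('KB4499180', 'KB4499149')  # Windows Server 2008 SP2 (security-only, monthly rollup)
    '6.1' = @('KB4499175', 'KB4499164')  # Windows 7 SP1 / Server 2008 R2 SP1 (security-only, monthly rollup)
}

$os    = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $ComputerName
$major = ($os.Version -split '\.')[0..1] -join '.'

if (-not $fixes.ContainsKey($major)) {
    # Windows 8 (6.2), 8.1 (6.3) and 10 (10.0) are not in Microsoft's affected list.
    Write-Output "$ComputerName : $($os.Caption) ($($os.Version)) is not listed as affected by CVE-2019-0708."
    return
}

# Get-HotFix reads Win32_QuickFixEngineering, so it only sees updates installed as such.
$installed = Get-HotFix -ComputerName $ComputerName | Select-Object -ExpandProperty HotFixID
$found     = $fixes[$major] | Where-Object { $installed -contains $_ }

if ($found) {
    Write-Output "$ComputerName : patched ($($found -join ', ') present)."
} else {
    # A later monthly rollup supersedes the May update and will not show up under
    # these KB numbers, so treat this as "unconfirmed", not "definitely vulnerable".
    Write-Warning "$ComputerName : none of $($fixes[$major] -join ', ') found. Either the update is missing or a later rollup superseded it; confirm before treating the host as patched."
}
```

Run it with `.\Check-0708.ps1 -ComputerName server01` from a host that has WMI access to the target. The superseding-rollup caveat matters in practice: on a fleet that installs monthly rollups, the absence of the May KB is not by itself proof the system is vulnerable, so confirm with your patch management tooling or file versions before escalating.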
If installing the update is not immediately an option, the mitigation and workarounds below, taken from Microsoft's advisory, reduce exposure in the meantime. In all cases Microsoft strongly recommends installing the updates for this vulnerability as soon as possible, even if you plan to leave Remote Desktop Services disabled or to keep the workarounds in place:
1. Disable Remote Desktop Services if they are not required.
If you no longer need Remote Desktop Services on a system, disable them as a security best practice. Disabling unused and unneeded services reduces exposure to vulnerabilities, and a system that is not listening for RDP connections cannot be reached by this exploit at all.
The following workarounds may help where Remote Desktop Services must stay enabled:
1. Enable Network Level Authentication (NLA) on systems running supported editions of Windows 7, Windows Server 2008 and Windows Server 2008 R2
Enabling Network Level Authentication blocks unauthenticated attackers from exploiting this vulnerability. With NLA turned on, an attacker would first need to authenticate to Remote Desktop Services with a valid account on the target system before the vulnerability could be reached. Note what this does not cover: an attacker who already holds valid credentials for the system (for example from a prior phishing or credential-theft campaign) can still trigger the flaw, so NLA is a stopgap rather than a fix.
2. Block TCP port 3389 at the enterprise perimeter firewall
TCP port 3389 is the default port used to initiate a connection with the affected component. Blocking it at the network perimeter firewall helps protect systems behind that firewall from exploitation attempts that originate outside the enterprise perimeter, and is the best defense against Internet-based attacks. However, systems remain exposed to attacks from within the perimeter, such as from a host that has already been compromised by other means, and to RDP listeners that have been moved to a non-default port.