Microsoft has released updates to resolve a critical vulnerability in Remote Desktop Services that affect a number of older versions of Windows. The vulnerability could spread in a similar way as WannaCry did in 2017, says the company in a blog post.
Specifically, it concerns a Remote Code Execution vulnerability called CVE-2019-0708. This makes it possible for an attacker to remotely access a computer and execute (malicious) code. Microsoft emphasizes that the Remote Desktop Protocol (RDP) itself is not vulnerable.
The error found is pre-authentication and does not require user interaction. This means that future malware that exploits the vulnerability can propagate from computer to computer in the same way as WannaCry did. Microsoft says it has not yet observed any exploitation of the vulnerability. However, it is “very likely that rogue actors will write an exploit for vulnerability and add it to their malware”.
Update
The vulnerability includes Windows 7, Windows Server 2008 R2 and Windows Server 2008. Microsoft encourages all users of these versions of the operating system to install the patch as soon as possible to avoid problems. The updates can be found in the blog of Microsoft. Users who have automatic updates on are automatically protected.
Various operating systems that are no longer supported by Microsoft are also vulnerable. It concerns Windows 2003 and Windows XP. Users running these versions are advised to upgrade to the latest version of Windows. The company also says it will make solutions available for these systems in KB4500705. This is quite unusual, as systems that are no longer supported do not normally receive patches for security problems either.
Users of Windows 8 and Windows 10 are not affected by the security error. According to Microsoft itself, this is no coincidence. “Microsoft is investing heavily in strengthening the security of its products, often through major architectural improvements that cannot be brought to older versions of Windows,” said the company.
This news article was automatically translated from Dutch to give Techzine.eu a head start. All news articles after September 1, 2019 are written in native English and NOT translated. All our background stories are written in native English as well. For more information read our launch article.