
Microsoft Urges Patching Windows RDS Vulnerability Yet Again

Microsoft on Thursday again issued advice that its May security patches should be installed to prevent a "wormable" vulnerability (CVE-2019-0708) in Remote Desktop Services (RDS) from getting exploited by attackers.

The vulnerability, which could enable remote code execution by attackers, is only present in older systems, such as Windows 7, Windows Server 2008 and Windows Server 2008 R2. However, Microsoft took a rare action and also issued downloadable patches for unsupported Windows systems, namely Windows XP and Windows 2003.

In its Thursday announcement, Microsoft suggested that an RDS exploit likely exists, and it could spread rapidly across networks, much like the infamous WannaCry wiper malware.

Here's the current state of the threat, as described by Simon Pope, director of incident response at the Microsoft Security Response Center:

Microsoft is confident that an exploit exists for this vulnerability, and if recent reports are accurate, nearly one million computers connected directly to the internet are still vulnerable to CVE-2019-0708. Many more within corporate networks may also be vulnerable. It only takes one vulnerable computer connected to the internet to provide a potential gateway into these corporate networks, where advanced malware could spread, infecting computers across the enterprise.

Security researcher Kevin Beaumont has been tracking attempts to exploit the vulnerability, which he called "BlueKeep." In a Wednesday Twitter post, he suggested that no public exploit had been found in the wild at that time. However, he also noted that security researchers at McAfee had shown a proof-of-concept that ran the Calculator program (a common test for executing code).  

McAfee researchers confirmed that Microsoft's RDS patches will ward off the exploits. They recommended disabling the Remote Desktop Protocol entirely if it's not needed, but it should at least be disabled "from outside of your network and limit it internally." McAfee also recommended blocking MS_T120 client requests "on any channel other than 31." It's possible to change the Remote Desktop Protocol default port, but unpatched systems would still be vulnerable, according to McAfee.
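The following read-only check is an added example, not code from the article, Microsoft or McAfee. It reports whether Remote Desktop is enabled on the local host, which port it listens on, and whether a supplied patch is installed. The function name `Get-RdpExposure` and its `-PatchIds` parameter are hypothetical, and the KB IDs must come from Microsoft's advisory because the article does not list them.

```powershell
# Added example: read-only audit of the local RDP settings discussed above.
# Written for PowerShell 2.0 so it runs on Windows 7 / Server 2008 R2.
function Get-RdpExposure {
    param(
        # KB IDs of the May 2019 fix for this OS, taken from Microsoft's advisory.
        # Not listed in the article, so none are hard-coded here.
        [string[]]$PatchIds = @()
    )
    $ts  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $tcp = "$ts\WinStations\RDP-Tcp"

    # fDenyTSConnections: 1 = Remote Desktop off, 0 = on
    $deny = (Get-ItemProperty -Path $ts -Name fDenyTSConnections).fDenyTSConnections
    $port = (Get-ItemProperty -Path $tcp -Name PortNumber).PortNumber

    # Confirm whether a listener is actually bound to the configured port
    $pattern   = ':{0}\s+\S+\s+LISTENING' -f $port
    $listening = [bool](netstat -an | Select-String -Pattern $pattern)

    # $null = not checked, $true/$false = patch found / not found
    $patched = $null
    if ($PatchIds.Count -gt 0) {
        $patched = [bool](Get-HotFix -Id $PatchIds -ErrorAction SilentlyContinue)
    }

    $notes = @()
    if ($deny -eq 0 -or $listening) {
        $notes += 'RDP is enabled: disable it if unneeded, or block it at the perimeter and limit it internally.'
        if ($port -ne 3389) {
            $notes += "Listener moved to port $port; an unpatched host is still vulnerable."
        }
        if ($patched -eq $false) { $notes += 'None of the supplied patch IDs are installed.' }
    }

    New-Object PSObject -Property @{
        ComputerName = $env:COMPUTERNAME
        RdpEnabled   = ($deny -eq 0)
        Port         = $port
        Listening    = $listening
        Patched      = $patched
        Notes        = ($notes -join ' ')
    }
}

Get-RdpExposure | Format-List
```

A host that reports `RdpEnabled : True` on a non-default port is exactly the case McAfee warns about: the port change does not substitute for the patch.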

About the Author

Kurt Mackie is senior news producer for the 1105 Enterprise Computing Group.
