Patch Tuesday: It's that time of the month again, and Microsoft has released a bumper bundle of security fixes for Patch Tuesday, including one for the out-of-support operating systems Windows XP and Server 2003.
The vulnerability causing all the fuss is a flaw in Remote Desktop Services, which, as the name implies, lets you remotely control a far-off PC from a second PC.
"An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights", Microsoft said in the vulnerability advisory. Normally, you need to provide a username and password to access a machine over Remote Desktop Services.
Specifically, this vulnerability is "wormable": it can propagate from one vulnerable PC to another without any user interaction.
The affected operating system builds include Windows 7, Windows Server 2008 R2, Windows Server 2008, Windows Server 2003, and Windows XP.
"Customers running Windows 8 and Windows 10 are not affected by this vulnerability, and it is no coincidence that later versions of Windows are unaffected". But this flaw is so serious that Microsoft has also issued a patch for Windows XP and its server brethren, which officially died five years ago.
Partial mitigation against the RDS vulnerability is possible with Network Level Authentication (NLA). "This is a more secure authentication method that can help protect the remote computer from malicious users and malicious software".
Despite this, potential attackers could still abuse the RCE vulnerability if they already have the credentials needed to authenticate on a system where RDS is enabled.
This is particularly risky because many servers make Remote Desktop Services publicly accessible on the Internet so that remote workers can connect, even though doing so is extremely unsafe: it exposes the service to ransomware attacks, hackers, and now to threats like this "wormable" Remote Desktop Services security flaw.
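As an added example (not from the article or from Microsoft), the following read-only PowerShell audit checks the settings the article touches on: whether Remote Desktop is enabled at all, whether NLA is required before a session is established, which security layer is configured, and optionally whether a given update is installed. The registry paths are the standard Terminal Services keys; the KB number is a placeholder the administrator takes from Microsoft's advisory for the host's OS.

```powershell
# Added example, not from the article: audit one Windows host's Remote Desktop
# exposure. Read-only; run in an elevated PowerShell on the host being checked.
# Kept to PowerShell 2.0 cmdlets so it also runs on Windows 7 / Server 2008.
param(
    # Placeholder: KB id of the CVE-2019-0708 update for this OS, from the advisory.
    [string]$PatchKB = ''
)

$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpKey = "$tsKey\WinStations\RDP-Tcp"

$ts  = Get-ItemProperty -Path $tsKey  -ErrorAction Stop
$rdp = Get-ItemProperty -Path $rdpKey -ErrorAction Stop

# fDenyTSConnections = 1 means Remote Desktop is switched off entirely.
$rdpEnabled  = ($ts.fDenyTSConnections -eq 0)
# UserAuthentication = 1 means Network Level Authentication is required,
# so a client must authenticate before the full RDS session is set up.
$nlaRequired = ($rdp.UserAuthentication -eq 1)
# SecurityLayer: 0 = legacy RDP security layer, 1 = negotiate, 2 = TLS only.
$secLayer    = $rdp.SecurityLayer
$port        = if ($rdp.PortNumber) { $rdp.PortNumber } else { 3389 }

$findings = @()
if ($rdpEnabled -and -not $nlaRequired) {
    $findings += "Remote Desktop enabled without NLA on TCP/$port (pre-authentication exposure)"
}
if ($rdpEnabled -and $secLayer -eq 0) {
    $findings += 'SecurityLayer=0: legacy RDP security layer, TLS not enforced'
}
if ($PatchKB) {
    # Get-HotFix returns nothing when the update is absent.
    $patched = [bool](Get-HotFix -Id $PatchKB -ErrorAction SilentlyContinue)
    if (-not $patched) { $findings += "Update $PatchKB not installed" }
}

$report = New-Object PSObject -Property @{
    ComputerName  = $env:COMPUTERNAME
    RdpEnabled    = $rdpEnabled
    NlaRequired   = $nlaRequired
    SecurityLayer = $secLayer
    Port          = $port
    Findings      = if ($findings) { $findings -join '; ' } else { 'none' }
}
$report | Format-List
```

Hosts that report Remote Desktop enabled without NLA, or that listen on the Internet at all, are the ones to prioritise for the update, since NLA only helps against unauthenticated attackers.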
Microsoft said the vulnerability is "wormable", which means attackers could use it to spread malware across devices in a similar manner to the way WannaCry spread in 2017. "It is for these reasons that we strongly advise that all affected systems - irrespective of whether NLA is enabled or not - should be updated as soon as possible", said Simon Pope of the Microsoft Security Response Center.
Microsoft is trying to prevent the outbreak of a computer worm by urging owners of older Windows systems to patch their machines.
More information on how to download and deploy the update for CVE-2019-0708 is available in Microsoft's advisory.
Separately, of another fix in this month's bundle, Microsoft says "the security update addresses the vulnerability by correcting how Skype for Android answers incoming calls", adding that exploitation is less likely.