Today Microsoft released fixes for a critical Remote Code Execution vulnerability, CVE-2019-0708, in Remote Desktop Services – formerly known as Terminal Services – that affects some older versions of Windows. The Remote Desktop Protocol (RDP) itself is not vulnerable. This vulnerability is pre-authentication and requires no user interaction. In other words, the vulnerability is ‘wormable’, meaning that any future malware that exploits this vulnerability could propagate from vulnerable computer to vulnerable computer in a similar way as the WannaCry malware spread across the globe in 2017. While we have observed no exploitation of this vulnerability, it is highly likely that malicious actors will write an exploit for this vulnerability and incorporate it into their malware. 

Now that I have your attention, it is important that affected systems are patched as quickly as possible to prevent such a scenario from happening. In response, we are taking the unusual step of providing a security update for all customers to protect Windows platforms, including some out-of-support versions of Windows. 

Vulnerable in-support systems include Windows 7, Windows Server 2008 R2, and Windows Server 2008. Downloads for in-support versions of Windows can be found in the Microsoft Security Update Guide. Customers who use an in-support version of Windows and have automatic updates enabled are automatically protected.  

Out-of-support systems include Windows 2003 and Windows XP. If you are on an out-of-support version, the best way to address this vulnerability is to upgrade to the latest version of Windows. Even so, we are making fixes available for these out-of-support versions of Windows in KB4500705. 

Customers running Windows 8 and Windows 10 are not affected by this vulnerability, and it is no coincidence that later versions of Windows are unaffected. Microsoft invests heavily in strengthening the security of its products, often through major architectural improvements that are not possible to backport to earlier versions of Windows.  

There is partial mitigation on affected systems that have Network Level Authentication (NLA) enabled. The affected systems are mitigated against ‘wormable’ malware or advanced malware threats that could exploit the vulnerability, as NLA requires authentication before the vulnerability can be triggered. However, affected systems are still vulnerable to Remote Code Execution (RCE) exploitation if the attacker has valid credentials that can be used to successfully authenticate. 

It is for these reasons that we strongly advise that all affected systems – irrespective of whether NLA is enabled or not – should be updated as soon as possible.  

Resources
Links to downloads for Windows 7, Windows 2008 R2, and Windows 2008
Links to downloads for Windows 2003 and Windows XP 

今日凌晨，微软紧急发布修复补丁，修复RDP服务漏洞。据称此漏洞堪比WannaCry。

远程桌面协议（RDP, Remote Desktop Protocol）是一个多通道（multi-channel）的协议，让用户（客户端或称“本地电脑”）连上提供微软终端机服务的电脑（服务器端或称“远程电脑”）。大部分的Windows都有客户端所需软件。

还记得当年被 WannaCry 支配的恐惧吗？电脑被锁，文件被锁，医院、公司、政府机构的电脑通通中招，整个世界都被 WannaCry 席卷。

为什么说这个漏洞堪比 WannaCry 呢？接下来我们一起来看看它究竟是何方神圣吧.....

根据编号为CVE-2019-0708的安全公告，黑客可以通过Remote Desktop Service（远程桌面服务）向目标设备发送特制的请求，可以在不需要用户干预的情况下远程执行任意代码，最终可能会像野火一样蔓延至整个系统，从而让整个系统瘫痪。

微软表示这个问题并非出在RDP协议上，而是服务本身。在Microsoft Security Response Center (MSRC)博客中写道：“The Remote Desktop Protocol (RDP) 协议本身并不存在漏洞。这个漏洞是预身份认证且不需要用户交互。换言之这个漏洞是‘可疑的’，意味着未来任何利用这个漏洞的恶意程序都可以像2017年WannaCry这样在全球范围内传播，大面积感染设备。”

如果你依然在使用联网的Windows XP或者Windows Server 2003系统，同时也包括Windows 7、Windows Server 2008以及2008 R2系统，那么应该立即安装微软刚刚推出的紧急修复补丁。为了修复不亚于Wannacry的RDP服务漏洞，微软于今天面向包括XP在内的上述系统发布了紧急修复补丁，要求用户尽快完成安装。 

2019年5月14日微软官方发布安全补丁，修复了Windows远程桌面服务的远程代码执行漏洞，此漏洞是预身份验证且无需用户交互，这就意味着这个漏洞可以通过网络蠕虫的方式被利用。最终可能会像野火一样蔓延至整个系统，从而让整个系统瘫痪。

利用此漏洞的任何恶意软件都可能从被感染的计算机传播到其他易受攻击的计算机，其方式与2017年WannaCry恶意软件的传播方式类似。

影响范围

该漏洞影响了某些旧版本的Windows系统，如下：

Windows 7

Windows Server 2008 R2

Windows Server 2008

Windows 2003

Windows XP

需要注意的是：Windows 8和Windows 10及之后版本的用户不受此漏洞影响。

修复建议

1、及时安装更新

对于Windows 7及Windows Server 2008的用户，及时安装Windows发布的安全更新。可以在Microsoft安全更新指南中找到支持Windows版本的安全更新进行下载。

2、升级到最新版本

对于Windows 2003及Windows XP的用户，请及时更新到最新系统版本。微软在KB4500705中为这些不支持的Windows版本提供了修复程序。

3、开启网络身份验证（NLA）

因为NLA要求的身份验证在漏洞触发点之前，所以受影响的系统可以利用NLA防御此漏洞的“蠕虫”恶意软件或高级恶意软件威胁。但是，如果攻击者具有可用于成功进行身份验证的有效凭据，则受影响的系统仍然容易受到远程执行代码执行（RCE）的攻击。

4、下载链接：

Windows 7, Windows 2008 R2, and Windows 2008：

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708

Windows 2003 and Windows XP：

https://support.microsoft.com/zh-cn/help/4500705/customer-guidance-for-cve-2019-0708