Threat Advisory: Remote Desktop Services Vulnerability

May 15, 2019

This week, Microsoft released a critical update for their Remote Desktop Services (formerly Terminal Services) impacting multiple Windows versions. It is critical that organizations apply the patch as soon as possible because this vulnerability is “wormable”, meaning it is pre-authentication and requires no user interaction. An exploit for this weakness could be used to create malware that would spread similarly to WannaCry and other recent worms. 

Microsoft has released patches for both in- and out-of-support operating systems (including Windows 2003). Patches being released for these legacy operating systems is a rare occurrence and speaks to the importance of the update. 

Affected operating systems include:

  • Windows Server 2003 and XP
  • Windows 7, Windows 2008 R2, and Windows 2008

If it is not possible to apply the patches, other partial mitigations can be implemented, including:

  • Enabling Network Level Authentication (NLA) for Windows 7 and Windows Server 2008 (and 2008 R2) systems (preventing the spread of malware leveraging this vulnerability)
  • Blocking TCP port 3389 at the border (preventing unauthorized requests or access from the Internet)
  • Disabling Remote Desktop Services (only if not required)

No malware has been observed that exploits this weakness to date, but we expect malware authors will quickly move to incorporate it.

Downloads for in-support systems can be found in the Microsoft Security Update Guide and in KB4500705 for out-of-support systems.

Herjavec Group has comprehensive expertise in incident response, vulnerability scanning, and intrusion detection to help identify and remedy potential issues. If you are unsure whether you have exposed Remote Desktop Services or legacy systems in your environment, contact an HG Security Specialist for further support. 

For HG Managed Services customers, our team will engage with the appropriate technical contacts in your respective organizations to provide alerts, escalations, actions and or reports based on our service agreement with you. If you have questions or concerns, please engage your Herjavec Group account representative directly or contact Herjavec Group.


About Herjavec Group

Dynamic entrepreneur Robert Herjavec founded Herjavec Group in 2003 to provide cybersecurity products and services to enterprise organizations. We have been recognized as one of the world’s most innovative cybersecurity operations leaders, and excel in complex, multi-technology environments. Our service expertise includes Advisory Services, Technology Architecture & Implementation, Identity Services, Managed Security Services, Threat Management and Incident Response. Herjavec Group has offices and Security Operations Centers across the United States, United Kingdom and Canada.

Stay Informed

Follow us on Twitter

Connect with us on LinkedIn