Threat Advisory: Remote Desktop Services Vulnerability

May 15, 2019

This week, Microsoft released a critical update for their Remote Desktop Services (formerly Terminal Services) impacting multiple Windows versions. It is critical that organizations apply the patch as soon as possible because this vulnerability is “wormable”, meaning it is pre-authentication and requires no user interaction. An exploit for this weakness could be used to create malware that would spread similarly to WannaCry and other recent worms. 

Microsoft has released patches for both in- and out-of-support operating systems (including Windows 2003). Releasing patches for these legacy operating systems is a rare occurrence and speaks to the importance of the update.

Affected operating systems include:

  • Windows Server 2003 and XP
  • Windows 7, Windows 2008 R2, and Windows 2008

If it is not possible to apply the patches, other partial mitigations can be implemented, including:

  • Enabling Network Level Authentication (NLA) for Windows 7 and Windows Server 2008 (and 2008 R2) systems (preventing the spread of malware leveraging this vulnerability)
  • Blocking TCP port 3389 at the border (preventing unauthorized requests or access from the Internet)
  • Disabling Remote Desktop Services (only if not required)
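
To confirm which of these host-side mitigations are actually in effect on a machine, the following read-only PowerShell audit can be run locally. It is an added example, not part of the original advisory; it assumes the standard Windows registry locations for the Remote Desktop settings and the `TermService` service name, and avoids cmdlets newer than PowerShell 2.0 so it runs on Windows 7 and Server 2008 R2.

```powershell
# Added example: read-only audit of the RDP mitigations listed above.
$tsKey     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpTcpKey = "$tsKey\WinStations\RDP-Tcp"
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

function Get-RegValue($Path, $Name) {
    # Returns $null when the key or the value does not exist.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item) { $item.$Name } else { $null }
}

function Get-EffectiveValue($Name, $LocalPath) {
    # A Group Policy value, when present, overrides the local setting.
    $policy = Get-RegValue $policyKey $Name
    if ($policy -ne $null) { return $policy }
    Get-RegValue $LocalPath $Name
}

$deny = Get-EffectiveValue 'fDenyTSConnections' $tsKey      # 0 = RDP connections allowed
$nla  = Get-EffectiveValue 'UserAuthentication' $rdpTcpKey  # 1 = NLA required
$port = Get-RegValue $rdpTcpKey 'PortNumber'                # listener port (default 3389)
$svc  = Get-Service -Name TermService -ErrorAction SilentlyContinue

$rdpEnabled  = ($deny -eq 0)
$nlaRequired = ($nla -eq 1)

if ($deny -eq $null) {
    $finding = 'RDP setting not found: verify manually'
} elseif (-not $rdpEnabled) {
    $finding = 'RDP connections are disabled'
} elseif ($nlaRequired) {
    $finding = 'RDP enabled with NLA (partial mitigation): patch still required'
} else {
    $finding = 'RDP enabled WITHOUT NLA: patch or enable NLA now'
}

$svcStatus = 'not installed'
if ($svc) { $svcStatus = $svc.Status }

New-Object PSObject -Property @{
    Computer      = $env:COMPUTERNAME
    RdpEnabled    = $rdpEnabled
    NlaRequired   = $nlaRequired
    ListenerPort  = $port
    ServiceStatus = $svcStatus
    Finding       = $finding
} | Select-Object Computer, RdpEnabled, NlaRequired, ListenerPort, ServiceStatus, Finding
```

The reported `ListenerPort` is worth comparing against the border firewall rule: a host whose listener was moved off 3389 is not covered by a rule that blocks only that port.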

No malware has been observed that exploits this weakness to date, but we expect malware authors will quickly move to incorporate it.

Downloads for in-support systems can be found in the Microsoft Security Update Guide; downloads for out-of-support systems are in KB4500705.

Herjavec Group has comprehensive expertise in incident response, vulnerability scanning, and intrusion detection to help identify and remedy potential issues. If you are unsure whether you have exposed Remote Desktop Services or legacy systems in your environment, contact an HG Security Specialist for further support. 

For HG Managed Services customers, our team will engage with the appropriate technical contacts in your respective organizations to provide alerts, escalations, actions and/or reports based on our service agreement with you. If you have questions or concerns, please engage your Herjavec Group account representative directly or contact Herjavec Group.

