4:40pm, 5 November 2019

TLP Rating: Clear

Critical vulnerability in Microsoft remote desktop services

Updated from 15 May 2019  

Earlier this year, Microsoft published patches for a critical vulnerability in remote desktop services. This vulnerability affects older versions of Windows, including versions that are out of support. 

Security researchers report that this vulnerability is now being actively exploited. Reports state attackers are using the BlueKeep exploit to compromise unpatched systems and install a cryptocurrency miner.

CERT NZ strongly recommends that users of the affected Microsoft products follow the mitigation advice in this advisory.

What's happening

Systems affected

Microsoft has published information about a critical vulnerability affecting older versions of Windows. They have released patches for the following versions:

  • Windows 7
  • Windows Server 2008 R2
  • Windows Server 2008
  • Windows Server 2003
  • Windows XP.

Patches for supported versions of Windows

Microsoft has taken the unusual step of releasing patches for legacy systems:

Patches for unsupported versions of Windows

The following versions of Windows are not affected:

  • Windows 8
  • Windows 10
  • versions of Windows Server since Server 2012.

What this means

Microsoft has released information about, as well as patches for, a critical remote code execution vulnerability. This affects remote desktop services for older versions of Windows.

The vulnerability is wormable, occurs pre-authentication and requires no user interaction.

While this vulnerability isn’t being actively exploited at this point, any future malware that exploits this vulnerability could propagate between vulnerable networks, as we observed in the 2017 WannaCry attacks.

CVE-2019-0708 Microsoft security advisory

What to look for

How to tell if you're at risk

You are at risk if you are running:

  • Windows 7 or older, or
  • Windows Server 2008 R2 or older,

and haven’t applied the latest security patches.

What to do

Prevention

CERT NZ strongly recommends that Windows users ensure that their systems are currently patched and up-to-date.

Currently supported versions are:

  • Windows 7
  • Windows Server 2008 R2
  • Windows Server 2008.

Patches for supported versions of Windows.

Unsupported versions are:

  • Windows Server 2003
  • Windows XP.

Patches for unsupported versions of Windows.

It’s important that users of these systems apply these patches immediately, if they have not already been applied. Due to the critical nature of this vulnerability, CERT NZ recommends patching as soon as possible.

For users of the following systems, there is no action to take as these systems are not affected:

  • Windows 8
  • Windows 10
  • Server 2012 or newer.

Mitigation

CERT NZ recommends disallowing RDP access from the internet if you don’t need it. If you need remote access, configure a VPN with multi-factor authentication, rather than exposing RDP to the internet.

A partial mitigation is to enable network-level authentication. However, as this is not a complete mitigation, patching is still required.
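
A read-only PowerShell check for the conditions under "How to tell if you're at risk" and "Mitigation", as an added example that is not part of CERT NZ's advisory. The `-KbIds` parameter is hypothetical and empty by default: supply the KB identifiers for your Windows version from Microsoft's CVE-2019-0708 advisory. It assumes Remote Desktop settings are held in the standard Terminal Server registry locations.

```powershell
# Added example: local audit of the settings this advisory discusses.
# Read-only; run in an elevated PowerShell session on the host being checked.
param(
    # Assumption: KB ids for your OS, copied from Microsoft's CVE-2019-0708
    # advisory. None are hard-coded because the advisory page does not list them.
    [string[]]$KbIds = @()
)

$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpKey = "$tsKey\WinStations\RDP-Tcp"

$os  = Get-WmiObject -Class Win32_OperatingSystem
$ver = [version]$os.Version

# Windows 8 / Server 2012 report version 6.2; anything lower is an affected release.
$affectedOs = $ver -lt [version]'6.2'

# fDenyTSConnections = 0 means Remote Desktop connections are accepted.
$deny = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
$rdpEnabled = ($deny -eq 0)

# UserAuthentication = 1 means network-level authentication is required.
$nla = (Get-ItemProperty -Path $rdpKey -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication
$nlaRequired = ($nla -eq 1)

# Patch status is only evaluated when KB ids were supplied.
# A later rollup that supersedes the listed KB will not match by id.
$patched = $null
if ($KbIds.Count -gt 0) {
    $installed = Get-HotFix | ForEach-Object { $_.HotFixID }
    $patched = [bool]($KbIds | Where-Object { $installed -contains $_ })
}

$result = New-Object PSObject -Property @{
    OS = $os.Caption; Version = $os.Version; AffectedOS = $affectedOs
    RdpEnabled = $rdpEnabled; NlaRequired = $nlaRequired; Patched = $patched
}
$result | Format-List

if ($affectedOs -and $patched -ne $true) {
    Write-Warning 'Affected Windows version and patch not confirmed: apply the CVE-2019-0708 update.'
}
if ($affectedOs -and $rdpEnabled -and -not $nlaRequired) {
    Write-Warning 'RDP is enabled without network-level authentication.'
}
```

The script reports local settings only; whether RDP is reachable from the internet depends on firewall and router rules, which it does not inspect.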

More information

CERT NZ's multi-factor authentication advice

Windows Security Support

CVE-2019-0708 Microsoft security vulnerability advisory

If you require more information or further support, submit a report on our website or contact us on 0800 CERTNZ.

Report an incident to CERT NZ

For media enquiries, email our media desk at media@mbie.govt.nz or call the MBIE media team on 027 442 2141.