Microsoft’s guidance notes for CVE-2019-0708, the Remote Desktop Services remote code execution vulnerability, are here.
This is a critical vulnerability affecting older versions of Windows, many of which left mainstream support, and in some cases extended support, a long time ago. It is triggered before authentication and needs no user interaction, which is why it has been described as wormable: an unpatched host with RDP reachable on the network is exposed to anyone who can connect to it.
You might be wondering who is still using such out-of-date software. The answer is more people than you may think. Building control systems, ATMs, medical devices, and even military systems can still contain digital relics. Because these complex systems take time to design, integrate, test and certify for their intended application, their software environments often lag behind the mainstream. The time and expense of re-certifying with new hardware or software components is one factor; the possibility that other components simply won’t work with newer devices or operating systems is another.
To its credit, Microsoft has been very vocal about its end-of-life plans for obsolete versions of its software. Even more to its credit, recognizing the need for a patch and releasing it free of charge is the mark of a socially responsible, security-minded company. The very fact that something normally released only to premium customers who have paid serious money for the privilege is being distributed to everyone should tell us all we need to know about the scale of the vulnerability.
But – and it’s a big but – the danger here is that the owners of vulnerable systems will think all the talk of “end of life” is a bluff, or a marketing ploy, and continue to rely on Microsoft’s goodwill to bail them out. That is a very dangerous assumption to make, verging on reckless. Yes, the lifespan of a complex system in which Windows XP, Windows CE, or another flavor of the OS is little more than a convenient platform for a user interface can be ten, fifteen or twenty years or more, and its mechanical or electrical components are expected to last that long. Software is a different beast. System owners and architects need to recognize that the lifespan of commercial software is often much shorter than that of the overall system, and they should build regular technology evaluation and refresh cycles into the in-service management regime for these environments.
This time around, everyone got lucky. A patch is available, and the threat can be mitigated. Next time, who knows what the consequences might be?
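Mitigation only works if you know which hosts still expose the attack surface. The following PowerShell script is an added example, not part of the original post or of Microsoft’s guidance; it reports, for the host it runs on, whether Remote Desktop is enabled, whether Network Level Authentication (NLA) is required, which port the listener uses, and which hotfixes were installed on or after the 14 May 2019 release date of the fix. It assumes the standard Terminal Server registry locations and a PowerShell 2.0 or later host (so Windows 7 / Server 2008 R2 and newer; Windows XP and Server 2003 do not ship PowerShell, and would need the same registry values read another way). It deliberately hard-codes no KB number, because the patch identifier differs per Windows version; compare the reported OS build and hotfix list against Microsoft’s advisory yourself.

```powershell
# Added example (not from the original post): audit one Windows host for the
# CVE-2019-0708 attack surface and, optionally, apply the NLA mitigation.
# Run in an elevated PowerShell session on the host being checked.
# Assumption: standard Terminal Server registry paths (true for stock installs).
param(
    [switch]$Remediate   # if set, require NLA on the RDP-Tcp listener
)

$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpTcp = Join-Path $tsKey 'WinStations\RDP-Tcp'

# fDenyTSConnections = 1 means Remote Desktop connections are refused.
$denyTs = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections `
            -ErrorAction SilentlyContinue).fDenyTSConnections

# UserAuthentication = 1 means NLA is required: the client must authenticate
# before a session is created, so the pre-authentication trigger is blocked.
# NLA is a mitigation, not a fix; an attacker with valid credentials can
# still reach the vulnerable code on an unpatched host.
$nla = (Get-ItemProperty -Path $rdpTcp -Name UserAuthentication `
          -ErrorAction SilentlyContinue).UserAuthentication

# PortNumber is the listener port (3389 unless it has been changed).
$port = (Get-ItemProperty -Path $rdpTcp -Name PortNumber `
           -ErrorAction SilentlyContinue).PortNumber
if (-not $port) { $port = 3389 }

# Is anything actually listening on that port? netstat works on every
# supported version; Get-NetTCPConnection does not exist on Windows 7.
$listening = [bool](netstat -an | Select-String -Pattern (":$port\s+.*LISTENING"))

$os = Get-WmiObject -Class Win32_OperatingSystem

# Hotfixes installed on or after the fix's release date. InstalledOn can be
# empty on some builds, so filter those out before comparing.
$fixDate = [datetime]'2019-05-14'
$recentFixes = Get-HotFix |
    Where-Object { $_.InstalledOn -and $_.InstalledOn -ge $fixDate } |
    Select-Object -ExpandProperty HotFixID

$report = [PSCustomObject]@{
    ComputerName     = $env:COMPUTERNAME
    OSCaption        = $os.Caption
    OSVersion        = $os.Version
    RdpEnabled       = ($denyTs -ne 1)
    NlaRequired      = ($nla -eq 1)
    RdpPort          = $port
    RdpListening     = $listening
    HotfixesSinceFix = ($recentFixes -join ', ')
}
$report

# Exposure summary: RDP reachable and NLA off is the combination the
# advisory's mitigations are aimed at. Patching is still the only real fix.
if ($report.RdpEnabled -and $report.RdpListening -and -not $report.NlaRequired) {
    Write-Warning 'RDP is reachable without NLA: exposed unless the CVE-2019-0708 patch is installed.'
    if ($Remediate) {
        Set-ItemProperty -Path $rdpTcp -Name UserAuthentication -Value 1
        Write-Output 'NLA has been enabled on the RDP-Tcp listener.'
    }
}
elseif (-not $report.RdpEnabled -or -not $report.RdpListening) {
    Write-Output 'Remote Desktop is not reachable on this host.'
}
else {
    Write-Output 'NLA is required; still install the patch, NLA only narrows the exposure.'
}
```

Run it as `.\Check-Rdp.ps1` for a report, or `.\Check-Rdp.ps1 -Remediate` to switch on NLA where it is off. Blocking TCP port 3389 at the perimeter and on host firewalls, and disabling Remote Desktop on systems that do not need it, are the other mitigations in Microsoft’s guidance; none of them replaces installing the update, and a host that cannot be patched or isolated is exactly the “relic” the rest of this post is about.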