On May 14, 2019, Microsoft released an urgent security update for older Windows versions up to Windows 7 that closes the critical vulnerability CVE-2019-0708 in Remote Desktop Services. The vulnerability is considered so critical that Windows XP, Windows Server 2003 and Windows Vista will also receive the update. Systems with Windows 8 or higher are not affected.
If you still run Windows XP, Windows Server 2003 or Windows Vista, or the still-supported Windows 7, Windows Server 2008 and 2008 R2, in network environments, you should read the following information carefully, because these Windows versions contain the critical vulnerability CVE-2019-0708 in the Remote Desktop service. Microsoft rates the potential threat as critically as the vulnerability that made the WannaCry ransomware infections possible at the time.
CVE-2019-0708 in Remote Desktop Services
Microsoft has published details of the vulnerability in security advisory CVE-2019-0708. Remote Desktop Services, formerly known as Terminal Services, contains a serious vulnerability. An unauthenticated attacker can connect to the target system via RDP and send specially crafted requests; the attacker does not need to authenticate at any point to gain access to the system.
An attacker who successfully exploited this vulnerability could execute arbitrary code on the target system. This includes installing programs; viewing, modifying or deleting data; and creating new accounts with full user privileges. To exploit this vulnerability, it is sufficient for an attacker to send a specially crafted request via RDP to the Remote Desktop Service of the target system. This critical vulnerability exists in the following Windows versions:
- Windows XP
- Windows Server 2003
- Windows Vista
- Windows 7
- Windows Server 2008
- Windows Server 2008 R2
Starting with Windows 8, the vulnerability no longer exists in the Remote Desktop service. Windows 7, Windows Server 2008 and Windows Server 2008 R2 receive the patch that closes the vulnerability through the regular Monthly Rollup or Security Only updates.
For Windows versions that have already dropped out of support, users must download the update themselves. Users of Windows Vista can download the Windows Server 2008 updates (Monthly Rollup or Security Only) from the Microsoft Update Catalog and install them manually. Users of Windows XP and Windows Server 2003 can find the corresponding variants of update KB4500331 in the Microsoft Update Catalog for manual download. KB article KB4500331 provides information about these operating system versions. In the Security Advisory, Microsoft also suggests workarounds if you cannot install the security update on Windows 7, Windows Server 2008 and Windows Server 2008 R2.
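As an added example (not part of the original post), the following PowerShell inventory check lets a defender see on a legacy host whether it falls into the affected version list, whether Remote Desktop is enabled, and whether one of the updates named on this page is installed. It assumes administrator rights and PowerShell 2.0 or later; the KB numbers for Windows 7 and 2008 R2 are not named on the page, so they must be supplied via the hypothetical -KnownFixKbs parameter.

```powershell
# Added inventory check for CVE-2019-0708 (not from the original post).
# Assumptions: run elevated on the host being checked, PowerShell 2.0+.
# Only the KB ids named on the page are prefilled; add the Windows 7 /
# 2008 R2 ids from the advisory, otherwise ActionNeeded stays true there.
param(
    # KB4500331 (XP / Server 2003), KB4499180 / KB4499149 (Vista / Server 2008)
    [string[]]$KnownFixKbs = @('KB4500331', 'KB4499180', 'KB4499149')
)

# Get-WmiObject (not Get-CimInstance) so this also works on PowerShell 2.0.
$os      = Get-WmiObject -Class Win32_OperatingSystem
$version = [Version]$os.Version   # e.g. 6.1.7601 = Windows 7 / Server 2008 R2

# Affected kernels: NT 5.1 (XP), 5.2 (Server 2003 / XP x64),
# 6.0 (Vista / Server 2008), 6.1 (Windows 7 / Server 2008 R2).
# Windows 8 is NT 6.2 and is not affected.
$affected = ($version.Major -eq 5 -and $version.Minor -ge 1) -or
            ($version.Major -eq 6 -and $version.Minor -le 1)

# fDenyTSConnections = 0 means the host accepts Remote Desktop connections,
# i.e. the vulnerable service is reachable over the network.
$tsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$deny  = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections `
            -ErrorAction SilentlyContinue).fDenyTSConnections
$rdpEnabled = ($deny -eq 0)

# Get-HotFix lists installed updates by KB id.
$installed = Get-HotFix -ErrorAction SilentlyContinue |
             Where-Object { $KnownFixKbs -contains $_.HotFixID }

# New-Object instead of [PSCustomObject] to stay PowerShell 2.0 compatible.
New-Object PSObject -Property @{
    ComputerName    = $env:COMPUTERNAME
    OSCaption       = $os.Caption
    OSVersion       = $version.ToString()
    AffectedByCVE   = $affected
    RemoteDesktopOn = $rdpEnabled
    FixesFound      = (@($installed | ForEach-Object { $_.HotFixID }) -join ', ')
    # Needs attention if the OS is in the affected list and no known fix is present.
    ActionNeeded    = ($affected -and -not $installed)
}
```

Hosts reporting AffectedByCVE and RemoteDesktopOn as true with no fix found are the ones to patch first, or to cover with the advisory's workarounds where the update cannot be installed.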
Is it safe to download and install the Security patches for 2008 on Vista?
I'm afraid installing those would bork the system.
I haven't tested it personally, so create a backup. The link you posted doesn't show updates for Windows Server 2008 (w/o R2). So have a look at KB4499180 or KB4499149.
See also my blog post Unofficial Windows Vista updates (February 2018) for background information.
That's a good question. I wonder why Microsoft didn't mention Windows Vista in the security updates.