Microsoft has issued patches for a serious Remote Code Execution vulnerability known as CVE-2019-0708. Windows 8 and Windows 10 don't suffer from the bug, but older Windows releases contain the vulnerability.
Microsoft is advising partners and customers to update affected systems as soon as possible, according to Simon Pope, director of incident response, Microsoft Security Response Center (MSRC)
MSSPs and MSPs that don't patch the bug for customers risk giving hackers a "wormable" exploit.
In other words, any future malware that exploits this vulnerability could propagate from vulnerable computer to vulnerable computer in a similar way as the WannaCry malware spread across the globe in 2017, Microsoft warned.
Microsoft considers the bug extremely serious, and has therefore issued patches for Windows releases that the company otherwise no longer supports.
Microsoft Remote Code Execution Patch: Windows Options
Patches for out-of-support systems include Windows 2003 and Windows XP are available in KB4500705 -- though Microsoft is urging MSSPs to upgrade end-customers to newer versions of Windows.
Patches for in-support systems such as Windows 7, Windows Server 2008 R2, and Windows Server 2008 are available from the Microsoft Security Update Guide. Customers who use an in-support version of Windows and have automatic updates enabled are automatically protected, the company indicated.
After MSSPs and MSPs apply the patches, it's a prime opportunity for partners to reinforce the value of proactive patch management as part of a comprehensive managed services contract.
