For more information about service packs for these software releases, see Service Pack Lifecycle Support Policy.
For more information, see Microsoft Exploitability Index.
A remote code execution vulnerability exists when the Remote Desktop ActiveX control, mstscax.dll, attempts to access an object in memory that has been deleted.
How are Server Core installations affected by the vulnerability addressed in this bulletin?
The vulnerability addressed by this update does not affect supported editions of Windows Server 2008, Windows Server 2008 R2, or Windows Server 2012 as indicated in the Non-Affected Software table, when installed using the Server Core installation option.
Along with sharing the same modern settings UI, you may have noticed that we also use the same notification system.
For example, when updates are found and ready to be installed, depending on policies, we notify you with a small toast notification at the bottom right corner of the desktop, in the Action Center, or a large modal notification like the one shown below.
For information about specific configuration options in automatic updating, see Microsoft Knowledge Base Article 294871.
For administrators and enterprise installations, or end users who want to install this security update manually, Microsoft recommends that customers apply the update immediately using update management software, or by checking for updates using the Microsoft Update service.
In Windows Server 2016, we improved the desktop experience to provide a consistent experience by leveraging the same shell UI as the Windows 10 Client.
This greatly improves the Remote Desktop Services (RDS) experience and makes it easier to find things. We leverage the modern settings user interface (UI) so that you can access and interact, in a consistent way, with the settings that control servicing Windows Server.
It should be a priority for customers who have older releases of the software to migrate to supported releases to prevent potential exposure to vulnerabilities.