Microsoft issued fixes for four critical vulnerabilities in Remote Desktop Services (RDS) this week, likening two of them to ‘BlueKeep’, another critical flaw in the same Windows component.
All four Remote Code Execution (RCE) flaws – tracked as CVE‑2019‑1181, CVE‑2019‑1182, CVE‑2019‑1222 and CVE‑2019‑1226 – can be exploited by attackers sending a specially-crafted remote desktop protocol (RDP) message to RDS.
“An attacker who successfully exploited this vulnerability could execute arbitrary code on the target system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights,” reads the advisory that is common to all four flaws.
What’s more, the first two holes are wormable and so bear a strong resemblance to BlueKeep, as well as to a flaw in an old version of Microsoft’s Server Message Block (SMB) implementation that enabled WannaCryptor, also known as WannaCry, in 2017.
As a result, exploits might use either of the new vulnerabilities to spread malware from one unpatched system to another without any user interaction. This is ultimately what prompted the Microsoft Security Response Center (MSRC) to issue a patch alert.
“It is important that affected systems are patched as quickly as possible because of the elevated risks associated with wormable vulnerabilities like these,” said Microsoft. The company noted that computers with automatic updates enabled are automatically protected by these fixes. The threat, which looms large especially over organizations, can also be partially mitigated, specifically by enabling Network Level Authentication.
Unlike BlueKeep, these bugs affect more recent Windows versions – Windows 10, including server versions, together with Windows 7 SP1, Windows Server 2008 R2 SP1, Windows Server 2012, Windows 8.1 and Windows Server 2012 R2. By contrast, Windows XP, Windows Server 2003 and Windows Server 2008 are not affected this time.
Also unlike BlueKeep, which was discovered by the United Kingdom's National Cyber Security Centre (NCSC), the two new wormable vulnerabilities were identified by Microsoft itself while the company was shoring up RDS’s security.
“At this time, we have no evidence that these vulnerabilities were known to any third party,” said the company.
All four fixes were released as part of this month’s Patch Tuesday. By Qualys’s count, 93 security holes, including 29 rated as critical, were addressed in this batch of security updates. Edge, Internet Explorer, Outlook and Office are all among products where the fixes should be applied sooner rather than later.
This month’s crop of patches is neatly summarized in this table drawn up by the SANS Technology Institute.