Earlier in May, Microsoft disclosed that it has patched a “wormable” bug, dubbed BlueKeep, in the Remote Desktop Protocol (RDP).
With an estimated 1 million or more Windows devices exposed, BlueKeep (CVE-2019-0708) could be exploited by an attacker to perform remote code execution. Even the US National Security Agency (NSA) came forward and urged users to update their systems.
Now, as part of the August Patch Tuesday update, Microsoft has disclosed that it has discovered and patched two more BlueKeep-style critical vulnerabilities (CVE-2019-1181, CVE-2019-1182) that are wormable and require no user interaction.
For systems that have Network Level Authentication (NLA) enabled, NLA acts as an extra layer of defense, because a client must present valid login credentials before a session is established. But if the attacker already has valid credentials, they can still perform remote code execution.
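Because the article presents NLA as a stop-gap rather than a fix, the first thing a defender usually wants is a quick way to confirm where NLA is actually switched on. The following script is an added example, not code from the article or from Microsoft: it reads the NLA setting of the standard RDP-Tcp listener through the Terminal Services CIM provider, cross-checks it against the registry value that backs it, reports whether Remote Desktop is enabled at all, and (only when run with `-Enforce`) turns NLA on where it is missing. It assumes an elevated PowerShell session on a Windows host and the default listener name `RDP-Tcp`; the script name `Check-Nla.ps1` is a placeholder. It does not replace installing the August patches.

```powershell
# Added example (not from the article): audit and optionally enforce NLA on the RDP-Tcp listener.
# Run from an elevated PowerShell session. Save as Check-Nla.ps1 (placeholder name) and run
#   .\Check-Nla.ps1            # report only
#   .\Check-Nla.ps1 -Enforce   # report and switch NLA on where it is off
[CmdletBinding()]
param(
    [switch]$Enforce
)

$listenerKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$tsKey       = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'

# 1. Read the NLA setting through the Terminal Services CIM provider.
$ts = Get-CimInstance -Namespace 'root/cimv2/TerminalServices' `
                      -ClassName Win32_TSGeneralSetting `
                      -Filter "TerminalName='RDP-Tcp'"
$nlaViaCim = [bool]$ts.UserAuthenticationRequired

# 2. Cross-check against the registry value behind that setting (1 = NLA required).
$nlaViaReg = [bool](Get-ItemProperty -Path $listenerKey -Name UserAuthentication).UserAuthentication

# 3. Is Remote Desktop enabled at all? fDenyTSConnections = 1 means connections are refused.
$rdpEnabled = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections).fDenyTSConnections -eq 0

# Summary object; pipe the script into Export-Csv when running it across a fleet.
[pscustomobject]@{
    ComputerName    = $env:COMPUTERNAME
    RemoteDesktopOn = $rdpEnabled
    NLA_Cim         = $nlaViaCim
    NLA_Registry    = $nlaViaReg
    Consistent      = ($nlaViaCim -eq $nlaViaReg)
}

if ($rdpEnabled -and -not $nlaViaCim) {
    Write-Warning 'Remote Desktop is enabled without Network Level Authentication.'
    if ($Enforce) {
        # SetUserAuthenticationRequired(1) turns NLA on for new sessions; existing sessions are untouched.
        $null = Invoke-CimMethod -InputObject $ts `
                                 -MethodName SetUserAuthenticationRequired `
                                 -Arguments @{ UserAuthenticationRequired = 1 }
        Write-Output 'NLA enabled on RDP-Tcp: clients must now authenticate before a session is created.'
    }
}
```

The CIM and registry readings should agree; a mismatch usually means a Group Policy setting has not yet been applied, so the `Consistent` field is worth watching when the script is run across many hosts.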
The vulnerabilities exist in Remote Desktop Services (RDS) and can be used to perform remote code execution. Unlike BlueKeep, they do not affect the Remote Desktop Protocol (RDP) itself.
RDS is the Windows component that lets a remote computer take control of a user’s device during a remote desktop session.
Microsoft says it is not aware of any instances of these vulnerabilities being actively exploited in the wild, but users should immediately safeguard themselves against these wormable bugs.
The following Windows versions are affected by the two vulnerabilities:
- Windows 7 SP1
- Windows Server 2008 R2 SP1
- Windows Server 2012
- Windows 8.1
- Windows Server 2012 R2
- Windows 10 (all versions including Server versions)
As mentioned, security patches for these bugs are already available. So if you don’t have automatic Windows updates enabled, you can download them using this link.