Microsoft patches major Windows Remote Desktop flaws

Earlier this week, Microsoft released patches for two major security flaws it discovered in the Windows Remote Desktop Services (RDS) package. The Redmond software giant said the new vulnerabilities are similar to BlueKeep, which was patched in May, in that they are also "wormable".

What that means is that they could spread from one computer to another without any user interaction. The difference between BlueKeep and the two new vulnerabilities, according to the report, is that the latter can't be exploited through the Remote Desktop Protocol.

"The affected versions of Windows are Windows 7 SP1, Windows Server 2008 R2 SP1, Windows Server 2012, Windows 8.1, Windows Server 2012 R2, and all supported versions of Windows 10, including server versions," said Simon Pope, Director of Incident Response at the Microsoft Security Response Center (MSRC).

"Windows XP, Windows Server 2003, and Windows Server 2008 are not affected," he said.

Microsoft wasn't tipped off about the flaws by anyone; it found the vulnerabilities itself while working to harden the RDS package.

Microsoft advises everyone to patch their systems as soon as possible to avoid falling victim to these new vulnerabilities. Admins should look for the patches for CVE-2019-1181 and CVE-2019-1182.

"There is partial mitigation on affected systems that have Network Level Authentication (NLA) enabled," Pope said. "The affected systems are mitigated against 'wormable' malware or advanced malware threats that could exploit the vulnerability, as NLA requires authentication before the vulnerability can be triggered.

"However, affected systems are still vulnerable to Remote Code Execution (RCE) exploitation if the attacker has valid credentials that can be used to successfully authenticate," Pope said.
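Pope's point is that NLA only closes the pre-authentication path: a listener that requires NLA cannot be reached by a worm, but it still exposes the flaw to anyone holding valid credentials, so patching remains the real fix. The following PowerShell script is an added example written for this article, not code from Microsoft or MSRC. It audits whether Remote Desktop is enabled and whether the `RDP-Tcp` listener requires NLA, reading the standard registry values `fDenyTSConnections` and `UserAuthentication`, and can optionally enforce NLA on hosts where it is off. Run it in an elevated session on the host being checked.

```powershell
# Added example (not Microsoft's code): audit and optionally enforce Network Level
# Authentication on the default RDP-Tcp listener. Requires an elevated PowerShell session.
param(
    [switch]$Enforce   # when set, turn NLA on if RDP is enabled and NLA is currently off
)

$tsKey       = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$listenerKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

# fDenyTSConnections = 1 means Remote Desktop is switched off; nothing is listening for RDP.
$rdpDisabled = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections).fDenyTSConnections -eq 1

# UserAuthentication = 1 means the listener demands NLA (CredSSP) before a session is created,
# which is the partial mitigation MSRC describes: unauthenticated attackers cannot reach the bug.
$nlaRequired = (Get-ItemProperty -Path $listenerKey -Name UserAuthentication).UserAuthentication -eq 1

$os = Get-CimInstance -ClassName Win32_OperatingSystem

# Classify the host's exposure to an unauthenticated (wormable) attack.
if ($rdpDisabled) {
    $exposure = 'None: Remote Desktop is disabled'
} elseif ($nlaRequired) {
    $exposure = 'Partial: NLA blocks unauthenticated access; RCE still possible with valid credentials'
} else {
    $exposure = 'Unauthenticated: listener reachable without credentials; patch immediately'
}

[pscustomobject]@{
    Computer    = $env:COMPUTERNAME
    OS          = $os.Caption
    Build       = $os.BuildNumber
    RdpDisabled = $rdpDisabled
    NlaRequired = $nlaRequired
    Exposure    = $exposure
}

if ($Enforce -and -not $rdpDisabled -and -not $nlaRequired) {
    # Same setting the System Properties checkbox "Allow connections only from computers
    # running Remote Desktop with Network Level Authentication" writes. Takes effect for new
    # connections; clients that cannot do CredSSP will no longer be able to connect.
    Set-ItemProperty -Path $listenerKey -Name UserAuthentication -Value 1 -Type DWord
    Write-Output 'NLA is now required on the RDP-Tcp listener. Apply the CVE-2019-1181 / CVE-2019-1182 updates regardless.'
}
```

Run it once across a fleet (for example via `Invoke-Command`) to find hosts reporting `Unauthenticated`, and treat those as the first patching priority; hosts reporting `Partial` are shielded from worm-style spread but, as Pope notes, are still exploitable by an attacker with valid credentials.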

Sead Fadilpašić is a freelance tech writer and journalist with more than 17 years' experience writing technology-focused news, blogs, whitepapers, reviews, and ebooks. His work has appeared in online media outlets around the world, including Al Jazeera Balkans (where he was a Multimedia Journalist), Crypto News, TechRadar Pro, and IT Pro Portal, where he has written news and features for over five years. Sead's experience also includes writing for inbound marketing, creating technology-based content for clients from London to Singapore. Sead is a HubSpot-certified content creator.