Earlier this week, Microsoft released patches for two major security flaws it found in Remote Desktop Services (RDS) on Windows. The Redmond software giant said the new vulnerabilities are similar to BlueKeep, which was patched in May, in that they are also "wormable".
That means an exploit could spread from one computer to another without any user interaction. Like BlueKeep, the two new flaws sit in Remote Desktop Services and are reached over the Remote Desktop Protocol (RDP, TCP port 3389 by default); the difference is which Windows versions are affected. BlueKeep hit older releases, while the new flaws affect newer ones, as the list below shows.
"The affected versions of Windows are Windows 7 SP1, Windows Server 2008 R2 SP1, Windows Server 2012, Windows 8.1, Windows Server 2012 R2, and all supported versions of Windows 10, including server versions," said Simon Pope, Director of Incident Response at the Microsoft Security Response Center (MSRC).
"Windows XP, Windows Server 2003, and Windows Server 2008 are not affected," he said.
Microsoft was not tipped off by an outside researcher; it found the vulnerabilities itself while hardening Remote Desktop Services.
Microsoft advises everyone to patch affected systems as soon as possible to avoid falling victim to these new vulnerabilities. Admins should look for the updates that address CVE-2019-1181 and CVE-2019-1182.
"There is partial mitigation on affected systems that have Network Level Authentication (NLA) enabled," Pope said. "The affected systems are mitigated against 'wormable' malware or advanced malware threats that could exploit the vulnerability, as NLA requires authentication before the vulnerability can be triggered.
"However, affected systems are still vulnerable to Remote Code Execution (RCE) exploitation if the attacker has valid credentials that can be used to successfully authenticate," Pope said.
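The practical question for an admin is whether a given host is still reachable by an unauthenticated RDP client, which is the condition the NLA mitigation above removes. The following PowerShell is an added example written for this article, not code from Microsoft or MSRC: it reads the standard Terminal Services registry values and CIM class to report whether RDP is enabled, which port it listens on and whether NLA is required, and enforces NLA if it is off. The `PreAuthReachable` flag and the `Test-PatchInstalled` helper are this example's own constructs; the KB identifiers for the fixes vary by Windows build, so the example assumes you supply them from the Microsoft advisory rather than hard-coding any.

```powershell
# Added example (not from the original article or from Microsoft): audit and
# enforce Network Level Authentication so an unauthenticated RDP client cannot
# reach the pre-auth code path. Run from an elevated PowerShell session.

$RdpTcpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$TsKey     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'

function Get-RdpExposure {
    # Collect the settings that decide whether an anonymous client can open a
    # session: is RDP on at all, which port, and is NLA required before logon.
    $rdpDisabled = (Get-ItemProperty -Path $TsKey     -Name fDenyTSConnections).fDenyTSConnections
    $nla         = (Get-ItemProperty -Path $RdpTcpKey -Name UserAuthentication).UserAuthentication
    $secLayer    = (Get-ItemProperty -Path $RdpTcpKey -Name SecurityLayer).SecurityLayer
    $port        = (Get-ItemProperty -Path $RdpTcpKey -Name PortNumber).PortNumber

    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        RdpEnabled       = ($rdpDisabled -eq 0)
        Port             = $port
        NlaRequired      = ($nla -eq 1)
        # SecurityLayer: 0 = legacy RDP security, 1 = negotiate, 2 = TLS
        SecurityLayer    = $secLayer
        # Example's own flag (assumption): the pre-auth path is reachable only
        # when RDP is enabled and NLA is not enforced.
        PreAuthReachable = ($rdpDisabled -eq 0 -and $nla -ne 1)
    }
}

function Enable-NetworkLevelAuthentication {
    # Use the Terminal Services CIM class rather than editing the registry
    # directly so the running Remote Desktop service picks up the change.
    $ts = Get-CimInstance -Namespace 'root/cimv2/TerminalServices' `
                          -ClassName Win32_TSGeneralSetting `
                          -Filter "TerminalName='RDP-Tcp'"
    Invoke-CimMethod -InputObject $ts -MethodName SetUserAuthenticationRequired `
                     -Arguments @{ UserAuthenticationRequired = 1 } | Out-Null
}

function Test-PatchInstalled {
    # $KbIds is an assumption: pass the KB numbers listed for this OS build in
    # the Microsoft advisory for CVE-2019-1181 / CVE-2019-1182.
    param([Parameter(Mandatory)][string[]]$KbIds)
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    foreach ($kb in $KbIds) {
        if ($installed -contains $kb) { return $true }
    }
    return $false
}

$state = Get-RdpExposure
$state | Format-List

if ($state.PreAuthReachable) {
    Write-Warning "RDP listening on port $($state.Port) without NLA: pre-auth path reachable. Enforcing NLA."
    Enable-NetworkLevelAuthentication
}
```

Two caveats a practitioner should keep in mind. Enforcing NLA only raises the bar to "attacker with valid credentials", exactly as Pope describes, so it is a stopgap until the update for CVE-2019-1181 and CVE-2019-1182 is confirmed installed (feed `Test-PatchInstalled` the KB list for your build). And turning NLA on rejects RDP clients that do not support CredSSP, which can lock out very old clients; test on a pilot group before pushing the change fleet-wide.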