Microsoft’s August Patch Tuesday cumulative updates were rolled out yesterday. Included alongside the updates were fixes for two vulnerabilities related to Windows Remote Desktop Services. Microsoft has previously described the flaws as wormable, meaning malware could infect machines and networks without user interaction.
In its update for CVE-2019-1181 and CVE-2019-1182, Microsoft says the vulnerabilities are similar to BlueKeep. If you are unfamiliar with BlueKeep, it is a dangerous vulnerability because it can be executed by bad actors remotely. It is located in Remote Desktop Services on older Windows legacy builds such as Windows 7, Windows XP, AND Server 2003 and 2008.
However, the pair of flaws patched this week are slightly different to BlueKeep because they affect Remote Desktop Services (RDS) and not Remote Desktop Protocol (RDP).
Microsoft discovered the flaws in-house during a review of Remote Desktop Services security. The company says no exploits have been observed in the wild.
The updates are available for users running Windows 7 SP1, Windows Server 2008 R2 SP1, Windows Server 2012, Windows 8.1, Windows Server 2012 R2 and all versions of Windows 10. Other Windows versions, such as XP, are not affected.
“There is partial mitigation on affected systems that have Network Level Authentication (NLA) enabled. The affected systems are mitigated against ‘wormable’ malware or advanced malware threats that could exploit the vulnerability. As NLA requires authentication before the vulnerability can be triggered. However, affected systems are still vulnerable to Remote Code Execution (RCE) exploitation if the attacker has valid credentials that can be used to successfully authenticate.”
In its notes, Microsoft says users and organizations should update immediately to protect against attacks. Those updates are available from the company’s Security Update Guide here.