Microsoft warns of two new ‘wormable’ flaws in Windows Remote Desktop Services


Today, Microsoft has patched two fresh significant Windows Desktop Services safety faults.

Both vulnerabilities are comparable to the BlueKeep vulnerability (CVE-2019-0708). In May, Microsoft patched BlueKeep to warn that an attacker could use it to produce “wormable” attacks without user interaction that extend from one computer to another.

Microsoft today said two other BlueKeep-like safety defects have been patched, namely CVE-2019-1181 and CVE-2019-1182.

These two fresh bugs are, like BlueKeep, wormable and they are part of the Windows Remote Desktop Services (RDS) set.

These two can’t be used through a Remote Desktop Protocol (RDP) that usually forms part of the larger RDS package, unlike BlueKeep.

Affected versions

Affected versions “Windows 7 SP1, Windows Server 2008 R2 SP1, Windows Server 2012 Windows 8.2, Windows Server 2012 R2, and all endorsed Windows 10 variants, including server variants,” said Simon Pope, Microsoft Security Response Center (MSRC) Incident Reaction Director.

“They don’t affect Windows XP, Windows Server 2003 or Windows Server 2008,” he said.

Pope said Microsoft internally discovered these vulnerabilities while attempting to harden the safety position of the RDS package and enhance it.

Remote Desktop Services (RDS) is the Windows component that enables a user over a network connection to take control of a remote or virtual machine. RDS was recognized as Terminal Services in some previous versions of Windows.

A patching race before attacks start.

Just like with the BlueKeep bug, Pope recommends that consumers and businesses change their systems to avoid exploitation as rapidly as possible.

Even though BlueKeep was reported three months ago, at the time of writing no attacks were detected, although BlueKeep exploits were created and distributed.

However, it’s better to be secure than sorry, so this week and Tuesday, patching CVE-2019-1181, CVE-2019-1182 should be at the top of every system administrator list.

“There is partial mitigation on affected systems that have Network Level Authentication (NLA) enabled,” Pope said. The systems concerned are mitigated against’ worming’ malware or advanced malware threats that could exploit the vulnerability, since NLA needs authentication in order to trigger the vulnerability.

“However, affected systems are still vulnerable to Remote Code Execution (RCE) exploitation if the attacker has valid credentials that can be used to successfully authenticate,” Pope said.

Mark Funk
Mark Funk is an experienced information security specialist who works with enterprises to mature and improve their enterprise security programs. Previously, he worked as a security news reporter.