In the latest “Patch Tuesday” security fixes bundle, Microsoft included patches for two new critical Remote Code Execution (RCE) vulnerabilities (CVE-2019-1181 and CVE-2019-1182) in the Windows Remote Desktop Services.
After the May disclosure of BlueKeep, while the company’s security team was hardening the Remote Desktop Services feature in Windows, Microsoft’s engineers found two more wormable bugs that attackers could exploit.
The two vulnerabilities are part of the 93 security vulnerabilities Microsoft patched this month and affect Windows 7 SP1, Windows Server 2008 R2 SP1, Windows Server 2012, Windows 8.1, Windows Server 2012 R2, as well as all versions of Windows 10, including the server editions. According to Microsoft, Windows XP, Windows Server 2003 and Windows Server 2008, as well as the Remote Desktop Protocol itself, are not affected by the vulnerabilities.
In a blog post this week, Microsoft said that it doesn’t believe that the vulnerabilities were being exploited in the wild by attackers. However, the company still urges everyone to update their systems immediately, as the bugs are every bit as dangerous as BlueKeep.
Microsoft Patches 93 Vulnerabilities In Latest Windows Update
System administrators will have their hands full in the second part of this month, as Microsoft has released a batch of 93 security fixes covering software including the Windows operating systems, Internet Explorer, Edge, ChakraCore, Microsoft Office, Microsoft Office Services and Web Apps, Azure DevOps Server, Visual Studio, Online Services and Microsoft Dynamics. Of the 93 bugs, about a third (29) are rated Critical, while the other 64 are rated Important in severity.
Microsoft has recently complained that more than two-thirds of its Windows bugs are due to memory safety issues. The company said that it will experiment with replacing some parts of Windows code with code written in the Mozilla-sponsored Rust memory-safe programming language. In the meantime, the Microsoft Defender solution seems to be doing quite well in antivirus tests lately.
This week's news comes on the heels of the revelation of BlueKeep, a pre-authentication wormable RCE in the Windows Remote Desktop Protocol (RDP). At the time, Microsoft issued multiple warnings to users and organizations to patch immediately, as attackers could wreak havoc with such a security flaw, and the company believed that over 1 million systems were vulnerable to the BlueKeep bug. Because of the way a worm (a type of malicious software that replicates itself) jumps from one computer network to the next, computers inside private networks not normally exposed to the Internet could also have been compromised.