Microsoft said today it patched two new major security flaws in the Windows Remote Desktop Services package.
These two vulnerabilities are similar to the vulnerability known as BlueKeep (CVE-2019-0708). Microsoft patched BlueKeep in May and warned that attackers could abuse it to create "wormable" attacks that spread from one computer to another without user interaction.
Just like BlueKeep, these two new bugs are wormable, and they also reside in the Windows Remote Desktop Services (RDS) package.
"The affected versions of Windows are Windows 7 SP1, Windows Server 2008 R2 SP1, Windows Server 2012, Windows 8.1, Windows Server 2012 R2, and all supported versions of Windows 10, including server versions," said Simon Pope, Director of Incident Response at the Microsoft Security Response Center (MSRC).
"Windows XP, Windows Server 2003, and Windows Server 2008 are not affected," he said.
Pope said Microsoft found these vulnerabilities internally, while trying to harden and improve the security posture of the RDS package.
Remote Desktop Services (RDS) is the Windows component that allows a user to take control of a remote computer or virtual machine over a network connection. In some earlier Windows versions, RDS was known as Terminal Services.
A race to patch before attacks get underway
Just like it did with the BlueKeep flaw, Pope is advising users and companies to patch their systems as quickly as possible, to prevent exploitation.
BlueKeep was disclosed three months ago and, at the time of writing, no attacks have been detected, even though BlueKeep exploits have been created and shared around.
Nevertheless, it's better to be safe than sorry, so patching CVE-2019-1181 and CVE-2019-1182 should be at the top of every system administrator's list this week and this Patch Tuesday.
"There is partial mitigation on affected systems that have Network Level Authentication (NLA) enabled," Pope said. "The affected systems are mitigated against 'wormable' malware or advanced malware threats that could exploit the vulnerability, as NLA requires authentication before the vulnerability can be triggered.
"However, affected systems are still vulnerable to Remote Code Execution (RCE) exploitation if the attacker has valid credentials that can be used to successfully authenticate," Pope said.
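As an added example (not part of the article or Microsoft's guidance), the following PowerShell script audits the NLA setting Pope describes and can switch it on; it assumes an elevated session on the host being checked and uses the standard Terminal Server registry values and the Win32_TSGeneralSetting WMI class.

```powershell
# Added example: audit (and optionally enforce) Network Level Authentication
# for the RDP-Tcp listener. Run elevated on the host being checked.
[CmdletBinding()]
param(
    [switch]$Enforce   # when set, require NLA if it is currently off
)

$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpKey = "$tsKey\WinStations\RDP-Tcp"

# fDenyTSConnections = 1 means Remote Desktop is disabled on this host entirely.
$rdpDisabled = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections `
                -ErrorAction SilentlyContinue).fDenyTSConnections -eq 1

# UserAuthentication = 1 means NLA is required before a session is negotiated.
$nla = (Get-ItemProperty -Path $rdpKey -Name UserAuthentication `
        -ErrorAction SilentlyContinue).UserAuthentication

[pscustomobject]@{
    ComputerName = $env:COMPUTERNAME
    RdpEnabled   = -not $rdpDisabled
    NlaRequired  = ($nla -eq 1)
} | Format-List

if ($Enforce -and -not $rdpDisabled -and $nla -ne 1) {
    # Change the same setting through the supported WMI method
    # rather than by writing the registry value directly.
    $setting = Get-CimInstance -Namespace 'root\cimv2\TerminalServices' `
                -ClassName Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"
    Invoke-CimMethod -InputObject $setting -MethodName SetUserAuthenticationRequired `
        -Arguments @{ UserAuthenticationRequired = 1 } | Out-Null
    Write-Host 'NLA is now required on RDP-Tcp.'
}
```

As the article notes, NLA is only a partial mitigation: a host that reports NlaRequired = True still needs the August patches, since anyone holding valid credentials can still reach the vulnerable code.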
Updated on August 23, 5:30am ET, to add the "DejaBlue" moniker and remove a statement that the flaws couldn't be exploited via RDP due to contrary evidence, and despite Microsoft's initial claims.