Microsoft has patched four serious vulnerabilities that could allow a malicious actor to remotely take control of Windows computers.
The four remote code execution flaws — addressed as part of the company’s monthly Patch Tuesday updates — affect all in-support versions of Windows and concern the Windows Remote Desktop Services (RDS) component, enabling attackers to take over a computer and then propagate malware to other computers without any user intervention.
“An attacker who successfully exploited this vulnerability could execute arbitrary code on the target system,” Microsoft noted in its security bulletin. “An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.”
CVE-2019-1181 and CVE-2019-1182 exist in RDS (previously called Terminal Services), and like the BlueKeep vulnerability (CVE-2019-0708) that Microsoft fixed earlier this year, they are both ‘wormable’ and allow for remote code execution.
“These vulnerabilities were discovered by Microsoft during hardening of Remote Desktop Services as part of our continual focus on strengthening the security of our products,” said Simon Pope, Microsoft’s Director of Incident Response. “At this time, we have no evidence that these vulnerabilities were known to any third party.”
August 2019 Security Update includes fixes for wormable RCE vulnerabilities in Remote Desktop Services (RDS), affecting all in-support versions of Windows. These should be patched quickly. For more information, see https://t.co/VxstoaChTF
— Security Response (@msftsecresponse) August 13, 2019
To exploit the flaws, an attacker would have to use Microsoft’s Remote Desktop Protocol to send a specially crafted request to the target system.
The Remote Desktop feature is disabled by default in Windows 10, so these vulnerabilities are mainly a threat to enterprises that have enabled it to establish connections to remote devices.
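A quick exposure check a Windows administrator could run on each host while rolling out the update, as an added example that is not from the article or from Microsoft: it reads the Remote Desktop enable flag, checks whether the RDS service is actually listening, counts enabled inbound Remote Desktop firewall rules and reports the date of the most recently installed update. It assumes RDP listens on its default port 3389.

```powershell
# Added example: report whether this host exposes Remote Desktop Services (RDS),
# the component affected by CVE-2019-1181/1182. Run in an elevated PowerShell.

function Get-RdsExposure {
    $result = [ordered]@{}

    # fDenyTSConnections = 1 means Remote Desktop is disabled (the Windows 10 default).
    $ts = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' `
                           -Name fDenyTSConnections -ErrorAction SilentlyContinue
    $result.RemoteDesktopEnabled = ($null -ne $ts -and $ts.fDenyTSConnections -eq 0)

    # State of the Remote Desktop Services service itself.
    $svc = Get-Service -Name TermService -ErrorAction SilentlyContinue
    $result.TermServiceStatus = if ($svc) { $svc.Status.ToString() } else { 'NotFound' }

    # Assumption: RDP listens on its default port 3389; adjust if the port was changed.
    $listener = Get-NetTCPConnection -LocalPort 3389 -State Listen -ErrorAction SilentlyContinue
    $result.ListeningOn3389 = [bool]$listener

    # Enabled inbound firewall rules in the built-in "Remote Desktop" group.
    $rules = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound `
                                 -Enabled True -ErrorAction SilentlyContinue
    $result.InboundFirewallRulesEnabled = @($rules).Count

    # Date of the most recent installed update, to compare against the August 2019 release.
    $latest = Get-HotFix -ErrorAction SilentlyContinue |
              Where-Object { $_.InstalledOn } |
              Sort-Object InstalledOn -Descending |
              Select-Object -First 1
    $result.LatestUpdateInstalledOn = if ($latest) {
        $latest.InstalledOn.ToString('yyyy-MM-dd')
    } else { 'Unknown' }

    # A host is exposed to the wormable RDS bugs when RDP is enabled and reachable.
    $result.ExposedToRdsBugs = $result.RemoteDesktopEnabled -and $result.ListeningOn3389
    return [pscustomobject]$result
}

Get-RdsExposure | Format-List
```

Hosts reporting ExposedToRdsBugs as True and no update installed on or after August 13, 2019 are the ones to patch first.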
The Windows maker’s August patch also fixes a separate security vulnerability in CTF — a service that handles input methods, keyboard layouts, and text processing — disclosed by Google Project Zero researcher Tavis Ormandy (CVE-2019-1162) that impacts all Windows versions since XP.
In all, Microsoft has patched 93 vulnerabilities, with 29 of them marked as Critical and 64 rated Important in severity.
If you’re a Windows user, you should waste no time installing the security updates. Also, ensure you have a backup in place so that you don’t lose data in case something goes wrong.