Microsoft warns about BlueKeep II & III. The vendor considers them “wormable”, just like the original BlueKeep vulnerability.
Microsoft announced today that it has fixed two new major security vulnerabilities in the Windows Desktop Services package.
These two vulnerabilities are similar to the vulnerability known as BlueKeep (CVE-2019-0708). Microsoft patched BlueKeep in May and warned that attackers could abuse it to create “wormable” attacks, i.e. attacks able to spread from one computer to another without user interaction.
The two vulnerabilities patched today, which Microsoft describes as similar to BlueKeep, are CVE-2019-1181 and CVE-2019-1182.
Just like BlueKeep, these two new bugs are “wormable” and also reside in the Windows Remote Desktop Services (RDS) package.
Unlike BlueKeep, these two vulnerabilities cannot be exploited via the Remote Desktop Protocol (RDP), which is normally part of the RDS package.
“The affected versions of Windows are Windows 7 SP1, Windows Server 2008 R2 SP1, Windows Server 2012, Windows 8.1, Windows Server 2012 R2 and all versions of Windows 10 currently maintained, including server versions,” said Simon Pope, Director of Incident Response at Microsoft Security Response Center (MSRC).
“Windows XP, Windows Server 2003, and Windows Server 2008 are not affected,” he said.
Pope said Microsoft had discovered these vulnerabilities internally, while trying to strengthen and improve the security of the RDS package.
Remote Desktop Services (RDS) is the Windows component that allows a user to take control of a remote computer or virtual machine over a network connection. In some earlier versions of Windows, RDS was called Terminal Services.
A race to the patch
As with the BlueKeep vulnerability, Pope advises users and businesses to apply patches to their systems as quickly as possible to prevent exploitation.
BlueKeep was revealed three months ago, and no attack had been detected at the time of writing this article, although exploits for BlueKeep have already been created and shared.
However, prevention is better than cure: CVE-2019-1181 and CVE-2019-1182 should be at the top of every system administrator's list this week and this Patch Tuesday.
“There are partial mitigation measures on affected systems for which Network Level Authentication (NLA) is enabled,” said Pope. “Affected systems are protected from ‘wormable’ or advanced malware that could exploit this vulnerability because the NLA requires authentication before the vulnerability can be triggered.”
“However, affected systems remain vulnerable to remote code execution (RCE) exploitation if the attacker has valid credentials that can be used to authenticate successfully,” said Pope.
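A local check for the NLA mitigation Pope describes, as an added example that is not from Microsoft or the original article. It assumes the standard Terminal Server registry values (`fDenyTSConnections`, `UserAuthentication`) and their Group Policy counterparts; the function name `Get-RdsNlaStatus` is hypothetical.

```powershell
# Added example: report whether this host accepts Remote Desktop connections
# and whether Network Level Authentication (NLA) is enforced.
$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpKey = Join-Path $tsKey 'WinStations\RDP-Tcp'
$polKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

function Get-RegValue([string]$Path, [string]$Name) {
    # Returns $null when the key or value does not exist.
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

function Get-RdsNlaStatus {
    $os = Get-CimInstance -ClassName Win32_OperatingSystem

    # Local settings: fDenyTSConnections = 0 means connections are accepted,
    # UserAuthentication = 1 means NLA is required.
    $deny = Get-RegValue $tsKey  'fDenyTSConnections'
    $nla  = Get-RegValue $rdpKey 'UserAuthentication'

    # Group Policy values, when present, take precedence over the local ones.
    $polDeny = Get-RegValue $polKey 'fDenyTSConnections'
    $polNla  = Get-RegValue $polKey 'UserAuthentication'
    $effDeny = if ($null -ne $polDeny) { $polDeny } else { $deny }
    $effNla  = if ($null -ne $polNla)  { $polNla }  else { $nla }

    $exposure = if ($null -eq $effDeny) {
        'Unknown: Remote Desktop setting not found'
    } elseif ($effDeny -ne 0) {
        'Remote Desktop connections are disabled'
    } elseif ($effNla -eq 1) {
        'NLA required: partial mitigation only, valid credentials still reach the flaw until patched'
    } else {
        'NLA not required: the flaw can be triggered before authentication'
    }

    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        OS             = $os.Caption      # compare with the affected list above
        Version        = $os.Version
        RdpEnabled     = ($effDeny -eq 0)
        NlaRequired    = ($effNla -eq 1)
        SetByPolicy    = ($null -ne $polNla)
        Exposure       = $exposure
    }
}

Get-RdsNlaStatus | Format-List
```

The result only describes the mitigation state; installing the August updates is still what closes CVE-2019-1181 and CVE-2019-1182.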