Microsoft is urging customers to patch a pair of critical vulnerabilities in Windows that were fixed today, both of which could be used to spawn a worm, like the BlueKeep vulnerability disclosed in May.
The two weaknesses affect all supported versions of Windows 10, along with Windows 7 SP1, Windows 8.1, Windows Server 2008 R2 SP1, Windows Server 2012, and Windows Server 2012 R2. Like the BlueKeep vulnerability, these two new bugs are in the Remote Desktop Services component in Windows and both are exploitable remotely without any authentication. Because of the pre-authentication exploitability and the fact that the bugs are in RDS, Microsoft researchers are worried about the potential of a worm emerging to exploit large numbers of vulnerable machines.
Microsoft discovered the flaws internally while reviewing the security of the RDS component.
“These vulnerabilities were discovered by Microsoft during hardening of Remote Desktop Services as part of our continual focus on strengthening the security of our products. At this time, we have no evidence that these vulnerabilities were known to any third party,” Simon Pope, director of incident response at the Microsoft Security Response Center, said.
“It is important that affected systems are patched as quickly as possible because of the elevated risks associated with wormable vulnerabilities like these.”
“It is important that affected systems are patched as quickly as possible because of the elevated risks associated with wormable vulnerabilities like these.”
RDS is the Windows implementation of the Remote Desktop Protocol and used to be known as Terminal Services in previous versions of Windows. In May, Microsoft released a patch for a similar vulnerability known as BlueKeep and even published fixes for older versions of Windows that were no longer supported because of concerns that a worm might emerge to take advantage of the flaw. In July, Immunity Inc. released an exploit for the BlueKeep vulnerability in its CANVAS penetration testing platform, heightening those concerns. However, so far no large-scale worms have appeared.
While it’s too soon to know how things will play out for these two new vulnerabilities, Pope said some systems are protected against the possibility of a worm exploiting the bugs.
“There is partial mitigation on affected systems that have Network Level Authentication (NLA) enabled. The affected systems are mitigated against ‘wormable’ malware or advanced malware threats that could exploit the vulnerability, as NLA requires authentication before the vulnerability can be triggered. However, affected systems are still vulnerable to Remote Code Execution (RCE) exploitation if the attacker has valid credentials that can be used to successfully authenticate,” Pope said.