Just as exploits for Microsoft‘s BlueKeep bug make it into the wild, the company has announced another set of vulnerabilities in Windows that is equally dangerous – and this time, it also affects Windows 10 systems.
Microsoft announced the bugs, along with an associated set of patches, as part of its monthly Patch Tuesday release. The vulnerabilities lie in Remote Desktop Services (RDS), the Windows service that enables users to use a computer from a different location. RDS uses the remote desktop protocol (RDP), and an attacker can get full access to a system by sending a malicious RDP request to the victim’s computer.
These new vulnerabilities can compromise a computer without the user doing anything, which means that they can spread quickly and autonomously. Attackers can use them to create worms that spread like wildfire online.
This makes the new vulnerabilities very similar to Bluekeep, the existing RDP-based worm that Microsoft announced and patched on May 14, 2019. However, that vulnerability (CVE-2019-0708) didn’t affect Windows 10. These flaws (CVE-2019-1181, 1182, 1222 and 1226) do.
“At this time, we have no evidence that these vulnerabilities were known to any third party,” said Microsoft in a blog post announcing the move, but it also sent a clear message: Patch now.
The announcement comes just a day after the Australian Signals Directorate’s Cyber Security Centre warned that someone had published a way to exploit BlueKeep. It said: “A security researcher under the Twitter handle @zerosum0x0 has recently disclosed his Remote Desktop Protocol (RDP) exploit for the BlueKeep vulnerability to Metasploit. The disclosure, once made available to the public, is anticipated to increase the amount of RDP scanning actively, increasing the chances of attempted exploitation of unpatched systems.”
The researcher in question made that submission at least two weeks ago:
RE: #BlueKeep @Metasploit. I performed a full knowledge transfer of my notes/code to the MSF core team. The release timeline is out of my hands and up to Rapid7 discretion. I’ve been too busy to work on it for over a month anyways; fresh eyes and polish. Thanks for understanding. pic.twitter.com/hXvpqbUYam
— @zerosum0x0 July 31, 2019
Microsoft had also warned people repeatedly to patch those vulnerabilities, most recently on August 8, when it said that some 400,000 endpoints remained unprotected.
BlueKeep had been a difficult bug to exploit, although several security companies said that they had successfully produced proof of concept code internally. It isn’t yet clear how difficult it will be to exploit the latest flaws or how quickly someone will produce and publish workable code.