The company said four serious flaws could be weaponized to automatically spread malware to computers around the world. It said users should patch affected systems immediately.
“An attacker who successfully exploited this vulnerability could execute arbitrary code on the target system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights,” Microsoft said.
Simon Pope, the director of incident response at the Microsoft Security Response Center, said the affected versions are Windows 7 SP1, Windows Server 2008 R2 SP1, Windows Server 2012, Windows 8.1, Windows Server 2012 R2, and all supported versions of Windows 10, including server versions. Windows XP, Windows Server 2003, and Windows Server 2008 are not affected. The Remote Desktop Protocol was not itself affected.
The “wormable” vulnerabilities, meaning that any future malware that exploits these could propagate from vulnerable computers without user interaction, were discovered while Microsoft was hardening its Remote Desktop Services as part of its regular security process. Pope said they are similar to the BlueKeep vulnerability that was discovered in May.
“It is important that affected systems are patched as quickly as possible because of the elevated risks associated with wormable vulnerabilities like these, and downloads for these can be found in the Microsoft Security Update Guide,” he said. “Like the previously-fixed ‘BlueKeep’ vulnerability (CVE-2019-0708), these two vulnerabilities are also wormable.”
Microsoft has put the number of Windows 10 users at 800 million. Net Marketshare said it is the most popular desktop operating system.
“At this time, we have no evidence that these vulnerabilities were known to any third party,” the company said.
JUNG YEON-JE/AFP/Getty Images