Alongside the Patch Tuesday updates for this month, Microsoft has made available fixes for two vulnerabilities in the Remote Desktop Services component of Windows that the company says are 'wormable'. This means malware using these vulnerabilities could spread between computers on a network without any input from users, as happened in the WannaCry attack two years ago, making these patches critical.
CVE-2019-1181 and CVE-2019-1182 are both of the same class of vulnerability as BlueKeep, which the company revealed back in May and has advised users to inoculate their systems against. Though they make Remote Desktop Services (RDS) vulnerable, they do not affect the Remote Desktop Protocol (RDP) itself.
Windows 7 SP1, Windows Server 2008 R2 SP1, Windows Server 2012, Windows 8.1, Windows Server 2012 R2 and all versions of Windows 10, including server variants, are affected by the vulnerabilities. Only older versions of Windows, such as Windows XP, Windows Server 2003 and Windows Server 2008, are immune to the pair.
In terms of mitigation, the company says systems that have Network Level Authentication (NLA) enabled have a partial defence against the vulnerabilities:
"There is partial mitigation on affected systems that have Network Level Authentication (NLA) enabled. The affected systems are mitigated against ‘wormable’ malware or advanced malware threats that could exploit the vulnerability, as NLA requires authentication before the vulnerability can be triggered. However, affected systems are still vulnerable to Remote Code Execution (RCE) exploitation if the attacker has valid credentials that can be used to successfully authenticate."
And, of course, the company recommends you immediately update your machine and your network with the relevant patches given the high risk posed by the vulnerabilities. These can be downloaded from the Microsoft Security Update Guide.
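To confirm which hosts actually have the NLA partial mitigation described above, the following PowerShell is an added example, not code from Microsoft or from the original article. The function names `Get-RegValue` and `Get-RdpNlaStatus` are hypothetical; the registry locations are the standard Windows ones for the Remote Desktop settings and their Group Policy overrides.

```powershell
# Added example: report whether Remote Desktop is enabled and whether NLA is required.
# Run in an elevated PowerShell session on the host being checked.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Return $null when the key or value is absent instead of raising an error.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { return $item.$Name }
    return $null
}

function Get-RdpNlaStatus {
    $policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
    $tsRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $rdpTcp = "$tsRoot\WinStations\RDP-Tcp"

    # A Group Policy value, when present, overrides the local setting.
    $deny = Get-RegValue $policy 'fDenyTSConnections'
    $denySource = 'GroupPolicy'
    if ($null -eq $deny) {
        $deny = Get-RegValue $tsRoot 'fDenyTSConnections'
        $denySource = 'Local'
    }

    $nla = Get-RegValue $policy 'UserAuthentication'
    $nlaSource = 'GroupPolicy'
    if ($null -eq $nla) {
        $nla = Get-RegValue $rdpTcp 'UserAuthentication'
        $nlaSource = 'Local'
    }

    # fDenyTSConnections = 0 means connections are allowed; UserAuthentication = 1 means NLA is required.
    if ($null -eq $deny)  { $assessment = 'Unknown: could not read the Remote Desktop setting' }
    elseif ($deny -ne 0)  { $assessment = 'Remote Desktop connections are disabled' }
    elseif ($nla -eq 1)   { $assessment = 'NLA required: partial mitigation only, patch still needed' }
    else                  { $assessment = 'NLA not required: no pre-authentication barrier, patch and enable NLA' }

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        RdpEnabled   = ($deny -eq 0)
        RdpSource    = $denySource
        NlaRequired  = ($nla -eq 1)
        NlaSource    = $nlaSource
        Assessment   = $assessment
    }
}

Get-RdpNlaStatus | Format-List
```

A result of `NlaRequired : True` only reflects the partial mitigation Microsoft describes; it does not indicate that the patches are installed.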
Microsoft noted that the vulnerabilities were discovered by the company's engineers in-house, as part of an attempt to shore up the security of RDS. It also noted that it had not yet come across any evidence that the vulnerabilities had already been exploited by any malicious actors, though that may only be a matter of time now that they have been publicised, making it all the more important to patch your systems immediately.