With August's Patch Tuesday going out, Microsoft is warning Windows admins about four critical remote code execution flaws that share similarities with BlueKeep, but this time also affect Windows 10.
The four bugs bear a striking resemblance to BlueKeep, a bug Microsoft released patches for in May that similarly affects Windows Remote Desktop Services (RDS).
Just like BlueKeep, attackers can execute malicious code on affected Windows systems by sending specially crafted Remote Desktop Protocol (RDP) packets to an RDS server, according to Zero Day Initiative's Dustin Childs, who recommends that any organization with an RDS server exposed to the internet patch immediately.
Microsoft, however, has only drawn attention to two of the bugs as being wormable, meaning malware that exploits them could hop from machine to machine if they haven't been patched. These are CVE-2019-1181 and CVE-2019-1182. Microsoft still rates all four bugs as "critical" and "likely to be exploited".
There are a few key differences between BlueKeep (CVE-2019-0708) and the two new wormable flaws. BlueKeep affected older versions of Windows, including the unsupported Windows XP and Windows Vista, but not Windows 10.
The four newly disclosed flaws affect all versions of Windows 10 and their server counterparts, as well as Windows 7 SP1, Windows Server 2008 R2 SP1, Windows Server 2012, Windows 8.1 and Windows Server 2012 R2.
Additionally, Simon Pope, director of incident response at the Microsoft Security Response Center (MSRC) noted that the bugs were discovered internally during efforts at shoring up or "hardening" Remote Desktop Services, suggesting the discovery of BlueKeep prompted a review of other potentially affected products.
BlueKeep, by contrast, was reported by the cyber security arm of the UK spy agency GCHQ.
“At this time, we have no evidence that these vulnerabilities were known to any third party,” said Pope.
Microsoft patched Windows XP and Vista in response to BlueKeep in May, hoping to avoid a repeat of WannaCry in May 2017, which exploited a wormable Windows vulnerability and crippled several hundred thousand machines over a few hours.
Microsoft recommends disabling Remote Desktop Services wherever they are not required, a step it also recommends as general security best practice.
Earlier this week the Australian Signals Directorate (ASD) urged all Australian organizations to patch Windows systems affected by BlueKeep after a researcher contributed exploit code for the flaw to the popular penetration-testing framework Metasploit. ASD estimates as many as 50,000 devices in Australia are vulnerable to BlueKeep.
So far BlueKeep isn't known to have been exploited in the wild; however, it is widely expected that the flaw will be exploited by malicious actors soon.
As with BlueKeep, Microsoft also recommends enabling Network Level Authentication (NLA) on Windows 7, Windows Server 2008 and Windows Server 2008 R2, as this requires an attacker to authenticate to Remote Desktop Services with valid credentials before the vulnerable code is reached. However, this is only a partial mitigation, Pope notes.
If the attacker has valid credentials to authenticate to these services, a remote attacker would still be able to execute code on an affected, unpatched machine.
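The two interim mitigations the article describes (switching RDS off, or requiring NLA) can be audited from an elevated PowerShell session. The script below is an added example, not code from the article or from Microsoft; it reads the standard Terminal Server registry values and, only when asked, enables NLA through the Win32_TSGeneralSetting WMI class. It assumes a local host running Windows 7 / Server 2008 R2 or later with Windows PowerShell, and it does not check whether the August patches are installed.

```powershell
function Get-RdpMitigationStatus {
    [CmdletBinding()]
    param([switch]$EnforceNla)   # opt-in: turn NLA on if RDP is enabled without it

    $tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $rdpKey = Join-Path $tsKey 'WinStations\RDP-Tcp'

    # fDenyTSConnections = 1 means Remote Desktop is switched off entirely
    # (Microsoft's first recommendation where RDS is not needed).
    $rdpDisabled = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections).fDenyTSConnections -eq 1

    # UserAuthentication = 1 means Network Level Authentication is required, so a client
    # must authenticate (CredSSP) before a session is created and the RDS code path is reached.
    $nlaRequired = (Get-ItemProperty -Path $rdpKey -Name UserAuthentication).UserAuthentication -eq 1

    if ($EnforceNla -and -not $rdpDisabled -and -not $nlaRequired) {
        # The Terminal Services WMI provider applies the change without a reboot.
        $ts = Get-WmiObject -Namespace 'root\CIMV2\TerminalServices' `
                            -Class Win32_TSGeneralSetting `
                            -Filter "TerminalName='RDP-Tcp'"
        [void]$ts.SetUserAuthenticationRequired(1)
        $nlaRequired = $true
    }

    # Neither setting is a complete fix: only the patch removes the flaw.
    if ($rdpDisabled)     { $exposure = 'RDS disabled' }
    elseif ($nlaRequired) { $exposure = 'Partial: NLA on, credentialed attacker still succeeds if unpatched' }
    else                  { $exposure = 'Unauthenticated RCE reachable if unpatched' }

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        RdpDisabled  = $rdpDisabled
        NlaRequired  = $nlaRequired
        Exposure     = $exposure
    }
}

# Usage: run elevated; add -EnforceNla to require NLA where RDP is enabled without it.
Get-RdpMitigationStatus
```

Run it across a fleet with Invoke-Command to find hosts that are still reachable without authentication and should be patched first.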
Microsoft’s August Patch Tuesday includes patches for 93 vulnerabilities, of which 29 are critical. There are security updates available for Microsoft Windows, Internet Explorer, Microsoft Edge, ChakraCore, Office and Office Services and Web Apps, Visual Studio, Online Services, Active Directory, and Microsoft Dynamics.