BlueKeep-like RCE flaws in RDP among 93 vulnerabilities patched by Microsoft | SC Media

Microsoft patched 93 vulnerabilities, including two BlueKeep-like remote code execution (RCE) flaws.


The two flaws, CVE-2019-1181 and CVE-2019-1182, in Remote Desktop Services, are “wormable,” Simon Pope, director of incident response at the Microsoft Security Response Center (MSRC), wrote in a blog post, “meaning that any future malware that exploits these could propagate from vulnerable computer to vulnerable computer without user interaction.”


The flaws affect Windows 7 SP1, Windows Server 2008 R2 SP1, Windows Server 2012, Windows 8.1 and Windows Server 2012 R2, as well as supported Windows 10 versions, but not Windows XP, Windows Server 2003 and Windows Server 2008.


None of the vulnerabilities have been exploited or are likely known to third parties; rather, they “were discovered by Microsoft during hardening of Remote Desktop Services as part of our continual focus on strengthening the security of our products,” Pope wrote.


He urged users to patch affected systems quickly “because of the elevated risks associated with wormable vulnerabilities like these.” Fixes are available for