Microsoft has patched four serious vulnerabilities that could allow a malicious actor to take control of Windows computers remotely.
The four remote code execution defects, addressed as part of the company's monthly Patch Tuesday updates, affect all versions of Windows support and refer to the Windows Remote Desktop Services (RDS) component, which allows attackers to take over a computer and then spread malware to other computers without any user intervention.
"An attacker who successfully exploited this vulnerability could execute arbitrary code on the target system," Microsoft said in its security bulletin. “An attacker could install programs; view, change or delete data; or create new accounts with full user rights. ”
CVE-2019-1181 and CVE-2019-1182 exist in RDS (previously called Terminal Services), and like the BlueKeep vulnerability (CVE-2019-0708) that Microsoft fixed earlier this year, both are & # 39; wormable & # 39; and allow remote code execution.
"These vulnerabilities were discovered by Microsoft during the tightening of remote desktop services as part of our continuous focus on strengthening the security of our products," said Simon Pope, Director of Incident Response at Microsoft. "At this time, we have no evidence that these vulnerabilities were known to third parties."
The August 2019 security update includes solutions for RCE vulnerabilities that can be used in Remote Desktop Services (RDS), which affect all versions of Windows support. These should be repaired quickly. For more information, see https://t.co/VxstoaChTF[19659002▪—SecurityResponse(@msftsecresponse) August 13, 2019
To exploit the failures, an attacker would have to use the Microsoft Remote Desktop Protocol to send a specially designed request to the destination system.
Fortunately, the remote desktop feature is disabled by default in Windows 10. Therefore, these vulnerabilities are expected to be a major threat to companies that have activated it to establish connections to remote devices.
The Windows manufacturer's August patch also corrects a separate security vulnerability in CTF, a service that handles input methods, keyboard layouts and text processing, revealed by Google Project Zero researcher Tavis Ormandy (CVE- 2019-1162) that affects all versions of Windows from XP.
In total, Microsoft has patched 93 vulnerabilities, with 29 of them marked Critical and 64 rated as Important in severity.
If you are a Windows user, you should not waste time installing security updates. Also, make sure you have a backup so you don't lose data in case something goes wrong.