Microsoft fixes two wormable vulnerabilities as part of massive Patch Tuesday release

Shawn Knight

Why it matters: Microsoft's latest Patch Tuesday release was a real doozy, addressing just shy of 100 flaws. Of particular interest are two "wormable" remote code execution vulnerabilities which are particularly dangerous because they can spread without the user even lifting a finger.

Microsoft has patched two critical remote code execution vulnerabilities that exist in Remote Desktop Services (formerly known as Terminal Services) as part of a much larger bundle of 93 security updates.

The vulnerabilities, dubbed CVE-2019-1181 and CVE-2019-1182, affect Windows 7 SP1, Windows Server 2008 R2 SP1, Windows Server 2012, Windows 8.1, Windows Server 2012 R2 and all supported versions of Windows 10 (including server versions). They’re especially dangerous as they are wormable, meaning they can spread from system to system without any user interaction.

Windows XP, Windows Server 2003 and Windows Server 2008 are not affected, nor is the Remote Desktop Protocol (RDP) itself. That’s different from the BlueKeep vulnerability from earlier this year which, if you recall, could be exploited via the RDP.

Simon Pope, Director of Incident Response at Microsoft Security Response Center (MSRC), said the vulnerabilities were discovered while working to harden Remote Desktop Services (RDS). Reassuringly, there’s no evidence that the vulnerabilities were known to any third party or exploited in the wild.

Naturally, you’ll want to patch these vulnerabilities as quickly as possible. For most, that simply involves letting Windows do its thing via automatic updates (which means you’ve probably already been patched by the time you read this). If for some reason you need to grab them manually, you can do so from Microsoft’s website.
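As an added example (not part of the article, and not Microsoft's own tooling), the PowerShell below is the kind of quick inventory check an administrator would run on a fleet to confirm the patch guidance above has actually taken effect: is this host one of the Windows versions the article lists as affected, is Remote Desktop Services actually enabled and running on it, and have updates landed since Patch Tuesday. It assumes the August 2019 Patch Tuesday date (13 August 2019, general knowledge rather than something the article states), assumes the article's "server versions" of Windows 10 means Windows Server 2016 and 2019, and uses a placeholder KB identifier that you must replace with the KB number from Microsoft's advisory for your build, since the article gives none.

```powershell
# Added example, not from the article: post-patch check for the Remote Desktop
# Services RCE fixes (CVE-2019-1181 / CVE-2019-1182) described above.
# Run elevated. Assumptions are marked inline.

$PatchTuesday = Get-Date '2019-08-13'          # assumed: August 2019 Patch Tuesday
$ExpectedKB   = 'KB<fill-in-from-advisory>'    # placeholder, not a real identifier

# Windows versions the article lists as affected, as Caption substrings.
# 'Windows Server 2008 R2' deliberately does not match plain 'Windows Server 2008',
# which the article says is NOT affected; 'Windows Server 2012' covers 2012 and 2012 R2.
# Server 2016/2019 are assumed to be the "server versions" of Windows 10 mentioned.
$AffectedCaptions = @(
    'Windows 7', 'Windows Server 2008 R2', 'Windows Server 2012',
    'Windows 8.1', 'Windows 10', 'Windows Server 2016', 'Windows Server 2019'
)

$os      = Get-CimInstance Win32_OperatingSystem
$inScope = $AffectedCaptions | Where-Object { $os.Caption -like "*$_*" }

# Is Remote Desktop Services reachable on this host? fDenyTSConnections = 1 means
# Remote Desktop is switched off; TermService is the Remote Desktop Services service.
$tsKey       = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpDisabled = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections).fDenyTSConnections
$termSvc     = Get-Service -Name TermService -ErrorAction SilentlyContinue

# Hotfixes installed on or after Patch Tuesday. InstalledOn can be $null on some
# builds, so guard against it before comparing dates.
$recent = Get-HotFix | Where-Object { $_.InstalledOn -and $_.InstalledOn -ge $PatchTuesday }

# Direct check for the advisory's KB once the placeholder above is filled in.
$hasKB = Get-HotFix -Id $ExpectedKB -ErrorAction SilentlyContinue

[pscustomobject]@{
    Computer        = $env:COMPUTERNAME
    OS              = $os.Caption
    InAffectedList  = [bool]$inScope
    RdpEnabled      = ($rdpDisabled -eq 0)
    TermServiceRun  = ($termSvc -and $termSvc.Status -eq 'Running')
    RecentHotfixes  = ($recent.HotFixID -join ', ')
    ExpectedKBSeen  = [bool]$hasKB
}
```

A host that reports InAffectedList and RdpEnabled as true but ExpectedKBSeen as false is the one to push to the front of the patch queue; hosts outside the affected list (Windows XP, Server 2003, plain Server 2008) show up as InAffectedList false, matching the article's scope.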

Masthead credit: worm attack by wk1003mike


 
How noble of Microsoft, to let us know post factum they have just patched another critical security issue. I do not see much information from them telling what is being done to counter the issues existing in the first place. For the OS that has this much market share, and little to no trust without having to install an anti-virus, a VPN, get behind a Firewall, and still not being sure you won't get hacked. So if you are not a pro-user, this just doesn't seem like a good proposition.
 
With buried crusty spaghetti code, some thirty years old, still in Windows 10, I don't expect there is much they can do other than rewrite the entire code base with security in mind. That's not likely to happen. So, patching will continue forever. It wasn't until 2002 when Bill Gates finally realized that security in their code base was mostly overlooked. So, he started the Trusted Computing thingy. Windows has been mostly secure since then. But, as long as they keep piling new code on the old code, like a fresh coat of paint applied over 30 layers of old peeling paint, security holes will be found by those looking for them. Even with all new compartmentalized code, some issues would be found. So, scrape as needed and patch the newly exposed areas.
 