Microsoft releases emergency patches for serious RDS flaw


Late last night, however, Microsoft announced it was releasing emergency security patches for both - alongside the still-in-support Windows 7, Windows Server 2008 R2, and Windows Server 2008 - to head off a worm targeting a hitherto undiscovered vulnerability in the company's Remote Desktop Services (RDS) functionality, formerly known as Terminal Services.

Security updates cover Microsoft Edge, Windows Scripting, Windows applications platform and Frameworks, Windows graphics, Windows Media, Windows wireless networks, and the Windows kernel.

Microsoft also patched CVE-2019-0953, a remote code execution vulnerability in Microsoft Office which lets an attacker run code as the targeted user by persuading them to open a malicious file. "Any future malware that exploits this vulnerability could propagate from vulnerable computer to vulnerable computer in a similar way as the WannaCry malware spread across the globe in 2017".

Those running Windows XP or Server 2003 at an enterprise level can obtain a security patch here. Windows 8 and 10 are unaffected, but there's still a vast pool of older systems out there that could be hit if left unpatched. "It is for these reasons that we strongly advise that all affected systems - irrespective of whether NLA is enabled or not - should be updated as soon as possible", Pope said.


The latter, CVE-2019-0725, is a particularly nasty memory corruption vulnerability: all that is needed to exploit it is a well-crafted packet sent to a DHCP server, and it affects all currently supported versions of Windows, client and server. But, in a sign of the severity of the bug, Microsoft released XP and Windows 2003 patches as well. However, affected systems are still vulnerable to Remote Code Execution (RCE) exploitation if an attacker somehow has valid credentials.

Of all those vulnerabilities, 18 are rated as 'critical' in severity; these are flaws that can be exploited by malicious programmes to steal sensitive data from vulnerable systems by attacking them remotely.

The patch came as part of Microsoft's monthly Patch Tuesday, which in May addressed 22 critical vulnerabilities.

Security researchers have shown it is possible to exploit MDS vulnerabilities with attacks such as rogue in-flight data load (RIDL) and Fallout to glean secrets and sensitive information such as passwords and digital keys on recent Intel processors. Referred to as the May 14, 2019-KB4500154 Update, this update brings the Windows 10 Mobile operating system to build number 15254.566.
