Microsoft has issued patches for a pair of critical vulnerabilities which are ‘wormable’ and present in all recent versions of Windows, with the software giant advising that you should download these as soon as possible due to the risk involved here.
The vulnerabilities in Remote Desktop Services, which allow for remote code execution – meaning the attacker can pretty much pull off anything, such as installing malware or plundering your data – are codenamed CVE-2019-1181 and CVE-2019-1182.
They affect Windows 7 SP1, Windows 8.1, and all supported versions of Windows 10 (as well as Windows Server 2008 R2 SP1, Windows Server 2012/R2, and Windows 10 server versions).
The fact that they are wormable means that malware built to exploit these security flaws could spread from computer to computer without any user interaction, assuming those PCs are vulnerable of course. And naturally, that’s the most worrying kind of malware, where you don’t have to be tricked into clicking some dodgy link or downloading something with a payload inside.
Microsoft stressed: “It is important that affected systems are patched as quickly as possible because of the elevated risks associated with wormable vulnerabilities like these.”
You can check here to download the security patches manually, but if you have automatic updates switched on, your OS will grab the relevant fixes for you (or you could head to Windows Update, and check for new updates).
If all this is ringing a bell or three, that’s probably because we recently witnessed BlueKeep emerging, another wormable vulnerability in Remote Desktop Services, although that particular flaw didn’t affect Windows 8 or Windows 10.
This time around, all versions of Windows are under threat – except for Windows XP – so you should patch up pronto (and if you’re still on XP, well, that’s a far more worrying state of security affairs in itself).
Microsoft does observe, however, that there is no evidence the vulnerabilities were known to any third-parties before this announcement.
Of course, hackers may have previously found the flaws without Microsoft realizing, and at any rate, now the vulnerabilities have been publicly detailed, there’s an obvious danger of a weaponized exploit turning up – and possibly in quite a rapid timeframe.