Microsoft patches abundance of "critical" and "wormable" Windows vulnerabilities

Microsoft's flagship OS Windows 10 on a purple graphic

Microsoft has released fixes for a smorgasbord of issues on the second 'Patch Tuesday' of the month, including multiple remote code execution flaws.

A total of 93 bugs were reported in total, 29 of which were rated "critical" in severity and 64 as "important". However, none of these were zero-days or publicly disclosed vulnerabilities.

Simon Pope, director of incident response at Microsoft has also said two of the four remote code execution (RCE) issues are "wormable", bearing some resemblance to the (now patched) BlueKeep vulnerabilities discovered in May.

However, security researcher Kevin Beaumont tweeted that, in fact, "3 of the vulnerabilities are wormable, unless I'm missing something (as CVE-2019-1226)".

"By the way, this looks like it is much more serious than BlueKeep as there are so many different issues," Beaumont added. "Do not disable NLA."

Wormable vulnerabilities are cause for concern because, unlike normal malware infections, these issues can spread between computers without user interaction - like by visiting a dodgy link or downloading a suspicious email attachment.

The four RCEs were found in the Windows Remote Desktop Services (RDS) component and affected all modern versions of Windows going back to Windows 7. An attacker could abuse the Windows Remote Desktop Protocol (RDP), which is used to operate one computer from another over a network connection, by sending specially crafted requests without the need for authentication or user interaction.

"Once exploited, an attacker would be able to gain arbitrary code execution on the system, allowing them to perform a variety of actions, such as creating a new account with full user rights, installing programs, and viewing, changing or deleting data," said Satnam Narang, senior research engineer at Tenable.

"These vulnerabilities were discovered by Microsoft during hardening of Remote Desktop Services as part of our continual focus on strengthening the security of our products," said Pope. "At this time, we have no evidence that these vulnerabilities were known to any third party.

Justin Campbell, security research and exploit mitigations at Microsoft tweeted "the team successfully built a full exploit chain using some of these [RCEs], so it's likely someone else will as well", highlighting the necessity of applying Microsoft's patches expeditiously.

One of the other patched flaws of note was the one concerning the encryption key negotiation of Bluetooth which allowed attackers within Bluetooth range to manipulate legitimate wireless signals and gain access to a victim's machine.

With a CVSS score of 9.3, it was one of the issues rated "important" and required specialised hardware and close proximity to the victim to exploit.

All users have been recommended to ensure Network Level Authentication (NLA) is enabled inside RDP as it provides an extra layer of defence by raising exploitation requirements for some flaws to require credentials.

Although NLA protects against the wormability of the aforementioned RCEs, it's believed that some of the other vulnerabilities are still exploitable even with NLA enabled which means patching is of vital importance, as is taking all other methods of mitigation.

Connor Jones

Connor Jones has been at the forefront of global cyber security news coverage for the past few years, breaking developments on major stories such as LockBit’s ransomware attack on Royal Mail International, and many others. He has also made sporadic appearances on the ITPro Podcast discussing topics from home desk setups all the way to hacking systems using prosthetic limbs. He has a master’s degree in Magazine Journalism from the University of Sheffield, and has previously written for the likes of Red Bull Esports and UNILAD tech during his career that started in 2015.