Microsoft on Tuesday released fixes for multiple critical vulnerabilities in a popular Windows program that could allow hackers to remotely execute code on machines that would let them install their own programs, delete or alter data, or set up their own user accounts.
At least two of the vulnerabilities are “wormable,” meaning that malware exploiting them could be used to move between vulnerable computers without user interaction. That puts them in the same category as another serious Windows flaw, BlueKeep, which was announced in May, and the vulnerability exploited in the 2017 WannaCry ransomware outbreak.
Like BlueKeep, which many users have not patched, the latest vulnerabilities are in Remote Desktop Services, a Windows program that grants remote access to computers for administrative purposes.
WannaCry, which the U.S. government says was the work of North Korean hackers, caused billions of dollars in damage while infecting computers in 150 countries. There is no public documentation of BlueKeep being exploited in the wild, but researchers have created proof-of-concept exploits to warn of the potential damage.
“It is important that affected systems are patched as quickly as possible because of the elevated risks associated with wormable vulnerabilities like these,” Simon Pope, director of incident response at the Microsoft Security Response Center, wrote in announcing the new vulnerabilities.
Security experts advised users to enable a setting called “Network Level Authentication,” which serves as a partial mitigation until a patch is applied.
The affected operating systems include Windows 10, Windows Server 2012, and Windows 8.1, among other versions. There is no evidence that the vulnerabilities have been exploited in the wild, according to Microsoft.
They were not the only vulnerabilities involving Remote Desktop Protocol that Microsoft announced patches for on Tuesday. Cybersecurity researcher Kevin Beaumont flagged five other RDP-related bugs included in this round of “Patch Tuesday,” the tech giant’s monthly cleansing of security weaknesses.
“It appears these are a collection of many different and serious vulnerabilities,” Beaumont wrote in a blog. “BlueKeep was one vulnerability in near legacy versions of Windows; these are different vulnerabilities in modern Windows.”