Two “critical” vulnerabilities were exposed. All four Remote Code Execution (RCE) flaws – tracked as CVE‑2019‑1181, CVE‑2019‑1182, CVE‑2019‑1222 and CVE‑2019‑1226 – can be exploited by an attacker who sends a specially crafted Remote Desktop Protocol (RDP) message to Remote Desktop Services (RDS). A successful attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. The new issues are described as “wormable,” meaning attackers could use them to spread malware from one machine to another without any user interaction. They were compared to the BlueKeep flaw that was discovered and patched in older versions of Windows earlier this year.
However, there was no evidence that the vulnerabilities were known to any third parties. “Customers who have automatic updates enabled are automatically protected by these fixes,” said Simon Pope, Microsoft’s director of Incident Response. He also said there are “potentially hundreds of millions of vulnerable computers.” Other operating systems, such as Windows XP, are not affected this time.