Microsoft has released fixes for two vulnerabilities discovered in Remote Desktop Services on Windows 7 SP1, Windows Server 2008 R2 SP1, Windows Server 2012, Windows 8.1, Windows Server 2012 R2, and all supported versions of Windows 10, including the server releases.
Both of the fixed vulnerabilities are wormable: malware that exploits them could propagate from one vulnerable computer to the next without any user interaction.
Windows XP, Windows Server 2003, and Windows Server 2008 are not affected. The Remote Desktop Protocol (RDP) itself is not affected either; the flaws are in the Remote Desktop Services implementation that handles RDP connections.
At the time of writing, Microsoft says it has no evidence that either vulnerability was known to or exploited by a third party. The company nonetheless urges users to apply the updates as soon as possible.
According to Microsoft’s security advisory, “A remote code execution vulnerability exists in Remote Desktop Services – formerly known as Terminal Services – when an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests. This vulnerability is pre-authentication and requires no user interaction. An attacker who successfully exploited this vulnerability could execute arbitrary code on the target system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.”
To exploit the vulnerabilities, an attacker only needs to reach Remote Desktop Services on a target system over RDP (TCP port 3389 by default) and send specially crafted requests; no valid credentials and no action by a logged-on user are required. The update corrects the way Remote Desktop Services handles connection requests.
“These vulnerabilities were discovered by Microsoft during hardening of Remote Desktop Services. It is important that affected systems are patched as quickly as possible because of the elevated risks associated with wormable vulnerabilities like these,” Simon Pope, director of incident response at the Microsoft Security Response Center, said in an announcement.
Users who cannot apply the update immediately should disable Remote Desktop Services until they can. In any case, systems that do not need RDP should not have it enabled, and RDP should not be reachable from untrusted networks. Microsoft also notes that Network Level Authentication (NLA) is a partial mitigation: with NLA enabled, an attacker must authenticate before the vulnerable code path can be reached, which blocks unauthenticated, wormable exploitation but still leaves the system exposed to any attacker who holds valid credentials. NLA is a stopgap, not a substitute for the patch.
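The following PowerShell script is an added example, not code from the article or from Microsoft, that turns the advice above into something an administrator can run on each Windows host: it reports whether RDP is enabled, whether NLA is required, whether the service is listening, and whether a given list of update KB identifiers is installed; it can then either require NLA or disable Remote Desktop Services entirely. The registry paths are the standard Terminal Server locations; the `-KbIds` parameter is deliberately left empty because the article does not list the update identifiers, so supply the ones from Microsoft's advisory for your Windows version. Run it in an elevated session.

```powershell
# Added example (not from the article or Microsoft): audit and harden RDP exposure on one host.
# Assumes the standard Terminal Server registry keys and an elevated PowerShell session.

$TsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$TcpKey = "$TsKey\WinStations\RDP-Tcp"

function Get-RdpExposure {
    # fDenyTSConnections = 0 means Remote Desktop is enabled.
    $deny = (Get-ItemProperty -Path $TsKey -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
    # UserAuthentication = 1 means Network Level Authentication is required before a session is created.
    $nla  = (Get-ItemProperty -Path $TcpKey -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication
    $port = (Get-ItemProperty -Path $TcpKey -Name PortNumber -ErrorAction SilentlyContinue).PortNumber
    if (-not $port) { $port = 3389 }

    $svc = Get-Service -Name TermService -ErrorAction SilentlyContinue

    # Get-NetTCPConnection is not available on Windows 7 / Server 2008 R2, so fall back to netstat there.
    if (Get-Command Get-NetTCPConnection -ErrorAction SilentlyContinue) {
        $listening = [bool](Get-NetTCPConnection -LocalPort $port -State Listen -ErrorAction SilentlyContinue)
    } else {
        $listening = [bool](netstat -ano | Select-String -Pattern (":{0}\s+\S+\s+LISTENING" -f $port))
    }

    [pscustomobject]@{
        ComputerName  = $env:COMPUTERNAME
        RdpEnabled    = ($deny -eq 0)
        NlaRequired   = ($nla -eq 1)
        Port          = $port
        ServiceStatus = if ($svc) { [string]$svc.Status } else { 'NotInstalled' }
        Listening     = $listening
    }
}

function Test-RdpPatched {
    # $KbIds is a placeholder: pass the KB numbers from Microsoft's advisory for this OS version.
    param([string[]]$KbIds = @())
    if ($KbIds.Count -eq 0) { return $null }   # nothing to check against
    $installed = Get-HotFix -ErrorAction SilentlyContinue | Select-Object -ExpandProperty HotFixID
    foreach ($kb in $KbIds) {
        if ($installed -contains $kb) { return $true }
    }
    return $false
}

function Enable-RdpNla {
    # Partial mitigation: an unauthenticated client can no longer reach the vulnerable code path.
    Set-ItemProperty -Path $TcpKey -Name UserAuthentication -Value 1 -Type DWord
}

function Disable-Rdp {
    # Full mitigation for hosts that do not need RDP: refuse connections, stop and disable the service,
    # and close the inbound firewall rule group where the NetSecurity module is available.
    Set-ItemProperty -Path $TsKey -Name fDenyTSConnections -Value 1 -Type DWord
    Stop-Service -Name TermService -Force -ErrorAction SilentlyContinue
    Set-Service  -Name TermService -StartupType Disabled
    if (Get-Command Disable-NetFirewallRule -ErrorAction SilentlyContinue) {
        Disable-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue
    }
}

# Usage: audit first, then harden according to what the host actually needs.
$state = Get-RdpExposure
$state | Format-List

$patched = Test-RdpPatched -KbIds @()   # fill in KB IDs from the advisory
if ($state.RdpEnabled -and $patched -ne $true) {
    if ($state.NlaRequired) {
        Write-Warning "RDP is enabled and the update is not confirmed; NLA is on, but patch as soon as possible."
    } else {
        Write-Warning "RDP is enabled without NLA and the update is not confirmed: exposed to unauthenticated exploitation."
        # Choose one: Enable-RdpNla   (stopgap)   or   Disable-Rdp   (if RDP is not required)
    }
}
```

Run `Get-RdpExposure` across a fleet (for example via `Invoke-Command`) before deciding which hosts get `Enable-RdpNla` and which get `Disable-Rdp`; the report's `Listening` field catches hosts where the registry says RDP is off but something else is still bound to the port.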
Users can find all the security updates for download here.