Microsoft has disclosed two new security flaws in its Windows Desktop Services package, and says it has already patched both vulnerabilities.
Microsoft's security team stated that the two vulnerabilities, tracked as CVE-2019-1181 and CVE-2019-1182, could be exploited by attackers to launch "wormable" attacks that spread from one networked system to another without any user interaction. Microsoft also noted that the flaws are similar to the vulnerability known as BlueKeep (CVE-2019-0708), which was patched in May 2019.
According to Microsoft, the affected versions of Windows include Windows 7 SP1, Windows 8.1, Windows Server 2008 R2 SP1, Windows Server 2012, Windows Server 2012 R2, and versions of Windows 10. Windows Server 2003, Windows XP and Windows Server 2008 are not affected.
“These vulnerabilities were discovered by Microsoft during hardening of Remote Desktop Services as part of our continual focus on strengthening the security of our products. At this time, we have no evidence that these vulnerabilities were known to any third party,” Microsoft said in a statement.
“There is partial mitigation on affected systems that have Network Level Authentication (NLA) enabled. The affected systems are mitigated against ‘Wormable’ malware or advanced malware threats that could exploit the vulnerability, as NLA requires authentication before the vulnerability can be triggered. However, affected systems are still vulnerable to Remote Code Execution (RCE) exploitation if the attacker has valid credentials that can be used to successfully authenticate,” the statement added.
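The partial mitigation Microsoft describes depends on NLA actually being enforced on each host. The following audit script is an added example, not code from the article or from Microsoft; it reads the Remote Desktop settings of the local Windows host in an elevated PowerShell session and reports whether the machine accepts RDP connections without NLA. The function names and the `Enable-RdpNla` helper are this example's own choices.

```powershell
# Added audit script (not from the article): reports whether RDP is reachable
# and whether Network Level Authentication (NLA) is enforced on this host.
# Run in an elevated PowerShell session on the Windows host being checked.
# Function names are this example's own choices.

function Get-RdpNlaStatus {
    $tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $rdpKey = Join-Path $tsKey 'WinStations\RDP-Tcp'

    # fDenyTSConnections = 0 means Remote Desktop connections are allowed.
    $rdpEnabled  = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections).fDenyTSConnections -eq 0
    # UserAuthentication = 1 means NLA must succeed before a session is created.
    $nlaRequired = (Get-ItemProperty -Path $rdpKey -Name UserAuthentication).UserAuthentication -eq 1

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        RdpEnabled   = $rdpEnabled
        NlaRequired  = $nlaRequired
        # Pre-authentication RDP traffic reaches RDS only when RDP is on and NLA is off.
        ExposedToUnauthenticatedRdp = $rdpEnabled -and -not $nlaRequired
    }
}

function Enable-RdpNla {
    # Turns on NLA through the Terminal Services WMI provider, the supported way
    # to change the setting (same effect as the System Properties checkbox).
    $setting = Get-CimInstance -Namespace 'root/cimv2/TerminalServices' `
        -ClassName Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"
    Invoke-CimMethod -InputObject $setting -MethodName SetUserAuthenticationRequired `
        -Arguments @{ UserAuthenticationRequired = 1 } | Out-Null
}

$status = Get-RdpNlaStatus
$status | Format-List

if ($status.ExposedToUnauthenticatedRdp) {
    Write-Warning 'RDP is enabled without NLA: the partial mitigation described by Microsoft is not in place.'
    # Uncomment to enforce NLA on this host; connecting clients must support CredSSP.
    # Enable-RdpNla
}
```

Enabling NLA only blocks unauthenticated exploitation; as the statement notes, a host remains exploitable by anyone holding valid credentials until the update itself is installed.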
Separately, Microsoft recently alerted a number of users to a breach of its Outlook mail platform. In a lengthy notification, it stated that hackers may have accessed data belonging to several users of the platform between January 1, 2019, and March 28, 2019.
According to Microsoft, apart from the contents of emails, including attachments, the hackers may also have accessed email addresses, folder names and subject lines, for both senders and recipients.
It is still unclear what the hackers were targeting or why they launched the attack.
“We addressed this scheme, which affected a limited subset of consumer accounts, by disabling the compromised credentials and blocking the perpetrators’ access,” the report quoted a Microsoft spokesperson as saying. Microsoft also pointed out that email login credentials were not directly affected by the incident, but has nevertheless advised affected users to reset their passwords.