Microsoft and NCSC warn of two serious vulnerabilities in Windows


Microsoft has released security updates for two vulnerabilities in Windows’ Remote Desktop Services. The National Cyber Security Center expects the vulnerabilities to be exploited by attackers within a very short period of time and describes the updates as ‘urgent’.

The vulnerabilities in Windows’ Remote Desktop Services allow remote code execution without the need for a username or password, according to the NCSC. An attacker could therefore completely take over the computer if the system is not updated. The NCSC further states that such a vulnerability can be exploited on a large scale.

Like the BlueKeep vulnerability discovered earlier this year, the two vulnerabilities are in the Remote Desktop Services. However, unlike BlueKeep, the security vulnerabilities, labeled as CVE-2019-1181 and CVE-2019-1182, are also present in Windows 10, including the server versions, and Windows Server 2012 and 2012 R2. Other vulnerable systems include Windows 7 SP1, Windows Server 2008 R2 SP1, and Windows 8.1. According to Microsoft, computers running Windows XP, Windows Server 2003, and Windows Server 2008 are not at risk, nor is the Remote Desktop Protocol itself vulnerable.

Users have been able to download the necessary security patches since Tuesday evening via the Windows Update function or via this Microsoft webpage. Microsoft says it has no evidence that the vulnerabilities were known to third parties at the time they were discovered and patched.
