Microsoft has discovered four serious flaws in Windows 10 that the company fears could be weaponized to launch a computer worm targeting PCs and servers across the world.

The four flaws are "wormable," meaning they could pave the way for malware that automatically spreads from one vulnerable machine to the next, without any action from the user. Two of the flaws affect older operating systems including Windows 7 SP1, Windows 8.1, Windows Server 2008 R2 SP1, and Windows Server 2012. (Windows XP and Windows Server 2003 and 2008 are immune to the threat.)

"It is important that affected systems are patched as quickly as possible," company security manager Simon Pope wrote in a Tuesday blog post.

August 2019 Security Update includes fixes for wormable RCE vulnerabilities in Remote Desktop Services (RDS), affecting all in-support versions of Windows. These should be patched quickly. For more information, see https://t.co/VxstoaChTF — Security Response (@msftsecresponse) August 13, 2019

The vulnerabilities deal with the Remote Desktop Services (RDS) feature in Windows, which IT administrators and users can activate to gain remote control of a Windows machine on a network. Normally, such access requires the correct login credentials. But Microsoft's researchers discovered an unauthenticated attacker can break into an RDS-enabled computer by sending specially crafted data requests.

"An attacker who successfully exploited this vulnerability could execute arbitrary code on the target system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights," Microsoft says in its security advisories.

The good news is that Microsoft has patched the flaws. The company is rolling out the fixes to customers who have automatic updates turned on. You can also download the patches for the flaws on Microsoft's website.

CVE-2019-1181 and CVE-2019-1182 affect Windows 10 and Windows Server 2019, in addition to the older Windows 7 SP1 and Windows 8.1 operating systems. "At this time, we have no evidence that these vulnerabilities were known to any third party," Pope said in today's blog post.

CVE-2019-1222 and CVE-2019-1226, on the other hand, threaten only Windows 10 and Windows Server 2019.

Windows systems that have disabled RDS will also remain immune to the threat, Pope tweeted. "But these can be activated in multiple ways, so it's best to check in Services if it's enabled before assuming it isn't," he said. Another way to mitigate the threat is to enable "Network Level Authentication" on the RDS-enabled machine.

"NLA requires authentication before the vulnerability can be triggered. However, affected systems are still vulnerable to Remote Code Execution (RCE) exploitation if the attacker has valid credentials that can be used to successfully authenticate," Pope said.
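The two checks Pope recommends above (is RDS actually enabled, and is Network Level Authentication enforced) can be scripted. The following PowerShell is an added example written for this article, not code from Microsoft or from the original post. It reads the standard Windows registry values and service state for the Remote Desktop listener and reports whether a machine is reachable by the unauthenticated path the article describes; the `Enable-RdsNla` function applies the NLA mitigation and supports `-WhatIf`. Run it in an elevated session.

```powershell
# Added example (not from the article or from Microsoft): a read-only audit of
# the mitigations discussed above, plus an opt-in function to require NLA.
# Registry paths, value names and the TermService name are the standard
# Windows ones; the KB number for the patch is a placeholder to fill in from
# the Microsoft advisory.

function Get-RdsExposure {
    [CmdletBinding()]
    param()

    $tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $rdpKey = "$tsKey\WinStations\RDP-Tcp"

    # fDenyTSConnections = 1 means Remote Desktop connections are refused.
    $denyConnections = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections `
        -ErrorAction SilentlyContinue).fDenyTSConnections

    # UserAuthentication = 1 means NLA is required before a session is created.
    $nlaRequired = (Get-ItemProperty -Path $rdpKey -Name UserAuthentication `
        -ErrorAction SilentlyContinue).UserAuthentication

    # The service can be running even when connections are denied, and RDS can
    # be switched on in several ways, so check the service, not just the UI.
    $svc = Get-Service -Name TermService -ErrorAction SilentlyContinue

    # Is anything actually listening on the default RDP port?
    $listening = Get-NetTCPConnection -LocalPort 3389 -State Listen `
        -ErrorAction SilentlyContinue

    [PSCustomObject]@{
        ComputerName         = $env:COMPUTERNAME
        TermServiceStatus    = if ($svc) { $svc.Status.ToString() } else { 'NotFound' }
        TermServiceStartup   = if ($svc) { $svc.StartType.ToString() } else { 'NotFound' }
        RdpConnectionsDenied = ($denyConnections -eq 1)
        ListeningOn3389      = [bool]$listening
        NlaRequired          = ($nlaRequired -eq 1)
        # Reachable without credentials only when RDS is listening, connections
        # are not denied, and NLA is not enforced.
        UnauthenticatedRdsReachable = ([bool]$listening -and
                                       $denyConnections -ne 1 -and
                                       $nlaRequired -ne 1)
    }
}

function Enable-RdsNla {
    # Requires Network Level Authentication on the RDP-Tcp listener. This is the
    # registry equivalent of ticking "Allow connections only from computers
    # running Remote Desktop with Network Level Authentication".
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    $rdpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
    if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'Require NLA for RDP-Tcp')) {
        Set-ItemProperty -Path $rdpKey -Name UserAuthentication -Value 1 -Type DWord
    }
}

# Usage
$state = Get-RdsExposure
$state | Format-List

if ($state.UnauthenticatedRdsReachable) {
    Write-Warning 'RDS is reachable without NLA; install the August 2019 update and consider Enable-RdsNla.'
    # Enable-RdsNla -WhatIf   # preview the change; drop -WhatIf to apply it
}

# Patch status (placeholder KB: take the real ID from the Microsoft advisory):
# Get-HotFix -Id 'KB<number-from-advisory>' -ErrorAction SilentlyContinue
```

As Pope notes, NLA only raises the bar to "attacker with valid credentials"; the audit therefore treats NLA as a stopgap and the update as the fix, which is why the warning mentions both.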

In May, Microsoft disclosed a separate wormable flaw for the RDS feature that affected Windows 7 and Windows XP. But despite the company's warnings, many older Windows machines that have RDS activated remain vulnerable to the threat.

Editor's Note: This story has been updated to include two other flaws that Microsoft's Pope says are also wormable.
