Microsoft patches two critical vulnerabilities comparable to BlueKeep

Like BlueKeep and the bug involved in WannaCry, the new vulnerabilities are "wormable."

Microsoft on Tuesday released fixes for multiple critical vulnerabilities in a popular Windows program. The flaws could allow hackers to remotely execute code on affected machines, letting them install their own programs, delete or alter data, or set up their own user accounts.

At least two of the vulnerabilities are “wormable,” meaning that malware exploiting them could be used to move between vulnerable computers without user interaction. That puts them in the same category as another serious Windows flaw, BlueKeep, which was announced in May, and the vulnerability exploited in the 2017 WannaCry ransomware outbreak.

Like BlueKeep, which many users have not patched, the latest vulnerabilities are in Remote Desktop Services, a Windows program that grants remote access to computers for administrative purposes.

WannaCry, which the U.S. government says was the work of North Korean hackers, caused billions of dollars in damage while infecting computers in 150 countries. There is no public documentation of BlueKeep being exploited in the wild, but researchers have created proof-of-concept exploits to warn of the potential damage.


“It is important that affected systems are patched as quickly as possible because of the elevated risks associated with wormable vulnerabilities like these,” Simon Pope, director of incident response at the Microsoft Security Response Center, wrote in announcing the new vulnerabilities.

Security experts advised users to enable a setting called “Network Level Authentication,” which serves as a partial mitigation until a patch is applied.

The affected operating systems include Windows 10, Windows Server 2012, and Windows 8.1, among other versions. There is no evidence that the vulnerabilities have been exploited in the wild, according to Microsoft.

They were not the only vulnerabilities involving Remote Desktop Protocol that Microsoft announced patches for on Tuesday. Cybersecurity researcher Kevin Beaumont flagged five other RDP-related bugs included in this round of “Patch Tuesday,” the tech giant’s monthly cleansing of security weaknesses.

“It appears these are a collection of many different and serious vulnerabilities,” Beaumont wrote in a blog. “BlueKeep was one vulnerability in near legacy versions of Windows; these are different vulnerabilities in modern Windows.”

Written by Sean Lyngaas

Sean Lyngaas is CyberScoop’s Senior Reporter covering the Department of Homeland Security and Congress. He was previously a freelance journalist in West Africa, where he covered everything from a presidential election in Ghana to military mutinies in Ivory Coast for The New York Times. Lyngaas’ reporting also has appeared in The Washington Post, The Economist and the BBC, among other outlets. His investigation of cybersecurity issues in the nuclear sector, backed by a grant from the Pulitzer Center on Crisis Reporting, won plaudits from industrial security experts. He was previously a reporter with Federal Computer Week and, before that, with Smart Grid Today. Sean earned a B.A. in public policy from Duke University and an M.A. in International Relations from The Fletcher School of Law and Diplomacy at Tufts University.
