Microsoft has informed Windows 10 users that it has uncovered two “critical” Remote Code Execution (RCE) vulnerabilities, which it described as “wormable”. The announcement was made through Microsoft’s Security Response Center.
The vulnerabilities could be used to spread malware that moves automatically from one PC to another, propagating across the globe without any action from the user. This also means that such malware could easily target hundreds of millions of vulnerable systems.
Simon Pope, Director of Incident Response at Microsoft, confirmed in a statement that the vulnerabilities affect all supported versions of Windows 10, including server versions.
In March 2019, the tech giant estimated Windows 10 numbers at 800 million. Simon Pope also confirmed the other affected versions of Windows: Windows 7 SP1, Windows Server 2008 R2 SP1, Windows Server 2012, Windows 8.1 and Windows Server 2012 R2. These platforms still matter, but they have significantly less market share.
He admitted, however, that the holes have to be plugged before things go wrong. He said that it was important that affected systems are repaired as soon as possible.
Microsoft’s security advisory, cited in a Forbes report, warns that an attacker who successfully exploits this vulnerability could execute arbitrary code on the targeted system. He or she could then install programs; change or delete data; view or create new accounts “with full user rights.”
To fix CVE-2019-1181 and CVE-2019-1182, users are advised to find their Windows version in the ‘Security Updates’ section and then download the suitable patch.
Microsoft is now pushing these updates through Windows Update; however, Simon Pope has warned that it is better to act immediately than to wait for the update.
These vulnerabilities have brought back memories of BlueKeep, which Microsoft has reportedly admitted is similar to them. In June 2019, the BlueKeep issue led to government warnings, and ZDNet is already calling the new vulnerabilities BlueKeep II and BlueKeep III.