While much of the interest in Microsoft’s latest Windows security patch was directed at a bug in Windows 10 and Windows Server that could be used to spoof a certificate for secure web sessions or code signing, the latest update package fixed 48 other vulnerabilities. Five of them concerned Microsoft’s Remote Desktop Protocol (RDP) service, which is used by thousands of organizations to remotely access computers on their networks. And two of them are flaws in the Windows Remote Desktop Gateway that could allow attackers to access networks without having to log in.

These two separate bugs, identified as CVE-2020-0609 and CVE-2020-0610, are considered by Microsoft to be more dangerous than the crypto bug because, although they have not yet been exploited, they can be used to execute code remotely on targeted RDP servers before the gateway tries to authenticate them.

“An attacker could then install programs, view, change, or delete data, or create new accounts with full user rights,” warned the Microsoft Security Response Center summary of both vulnerabilities. And there is no way to work around the vulnerability without applying a software update. Both attacks are based on specially crafted requests sent to the Remote Desktop Gateway using the RDP protocol.

Remote Desktop Pwnable

These new vulnerabilities are related to the Remote Desktop Service vulnerability that was disclosed in May last year and also classified as critical by Microsoft. The “BlueKeep” bug was quickly turned into proof-of-concept exploits. The exploit was potentially “wormable,” meaning that it could be used to infect systems that would then search for other vulnerable systems. According to some researchers, an exploit for the vulnerability has been available on criminal web marketplaces since September 2018. A casual search on the Shodan security search engine found hundreds of systems that may still be affected by this vulnerability.

The other RDP-related vulnerabilities addressed in Microsoft’s latest update include a Remote Desktop Web Access bug that could allow an attacker to obtain legitimate user credentials using web requests, a denial-of-service vulnerability in RDP Gateway, and a flaw in the Windows Remote Desktop Client for all supported versions of Windows (including Windows 7) that allows a malicious remote RDP server to execute code on the client computer.

Given the slower patch rate that is typical of servers, especially older servers, these new vulnerabilities may also have a long life. Depending on how deep their roots go, Microsoft may be forced to extend the patches to older operating systems. The impact of the May 2019 bug was considered so severe that Microsoft released updates even for Windows XP, Vista and Server 2003.