Microsoft warns Windows 10 users to update immediately

Lumia 950 running Windows 10 Mobile in Tokyo Japan

The monthly patch Tuesday security fixes was this week and Microsoft is warning Windows 10 users to update their operating system immediately because of two "critical" vulnerabilities.

CTF, a little-known Microsoft protocol used by all Windows operating system versions since Windows XP, is insecure and can be exploited easily.

It's extremely unfortunate when this sort of thing happens because it deters users from downloading patches of all sorts - not least of all security patches and Windows Updates from Microsoft.

Just as exploits for Microsoft's BlueKeep bug make it into the wild, the company has announced another set of vulnerabilities in Windows that is equally unsafe - and this time, it also affects Windows 10 systems.

"Customers who have automatic updates enabled are automatically protected by these fixes". These flaws (CVE-2019-1181, 1182, 1222 and 1226) do.

Earlier in May, Microsoft disclosed that it has patched a "wormable" bug, dubbed BlueKeep, in the Remote Desktop Protocol (RDP). Specifically, the component known as CTextFramework (CTF), which dates back all the way to the days of Windows XP.

Ormandy also published a video demo on YouTube to show the dangers behind the MSCTF flaws by exploiting the protocol to hijack the Windows LogonUI-program used by the system to show the login screen-to gain SYSTEM privileges in Windows 10.

This vulnerability now affects hundreds of millions of computers around the globe.

Windows Protector shared the leading bestow F-Secure SAFE, Kaspersky Web Security, and Norton Security, however, Microsoft's software has a substantial benefit over those 3: it comes cost-free with Windows 10, while the others are paid-for choices.

"There is partial mitigation on affected systems that have Network Level Authentication (NLA) enabled", Pope said. "Successful exploitation would allow an attacker to perform actions on the system using the same permissions as the current user". There are also some related denial-of-service (DoS) bugs patched in Hyper-V.

Enabling NLA adds a layer of protection against these kinds of attacks, but even then, an attacker could still exploit the vulnerabilities-it would just be more hard because they would need authentication credentials.

If you are working with Windows-based systems, you should download and install the August Security update.

Microsoft on Tuesday released August security updates, addressing about 93 common vulnerabilities and exposures (CVEs).

Related:

Comments

Latest news

July 2019 was Earth's hottest month ever recorded
The July peaks came hot on the heels of a sizzling June, which ended up being the hottest June recorded over the past 140 years. And Antarctic sea-ice coverage dipped below average, NOAA said, "making it the smallest for July in the 41-year record".

Israel Grants Rashida Tlaib Permission to Visit West Bank
She was responding to a tweet in which Ocasio-Cortez implied that Israel was sexist or Islamophobic when it banned Reps. Deri said he made the decision with the support of Netanyahu and other Israeli officials.

Hong Kong braces for more protests as world leaders urge calm
The U.S. and China, the world's two biggest economies, are in the midst of contentious, drawn-out trade negotiations. Hong Kong's protesters have been gearing up with increasingly protective equipment as clashes become more violent.

Here’s What the ‘CRAZY INVERTED YIELD CURVE’ Means for You
The president has steadily ratcheted up pressure on China to make a trade deal with ever-higher tariffs on Chinese imported goods. The last inversion of this part of the yield curve came in December 2005, or two years before the Great Recession hit in 2008.

Other news