Microsoft has broken from its usual monthly patch schedule to deliver an emergency Windows security update.
The out-of-band patch fixes vulnerabilities discovered in the Windows Remote Access service, which remote workers use to dial into computers from separate connected devices.
The two flaws are classified as elevation of privilege vulnerabilities – meaning they could be exploited to gain administrative permissions – and are present in Windows 8.1, Windows RT 8.1 and Windows Server 2012 R2.
Windows Remote Access bugs
Fixes for Windows bugs are usually reserved for the monthly Patch Tuesday rollout, but Microsoft sometimes deems it necessary to make an exception, which usually indicates a level of urgency.
The two Windows Remote Access bugs have been handed a severity score of 7.8/10, as per the Common Vulnerability Scoring System (CVSS), which ranks them as “important” but not “critical”.
According to the firm, the vulnerabilities arose as a result of the way Windows Remote Access handles file operations and memory.
“To exploit [the bugs], an attacker would first need code execution on a victim system. An attacker could then run a specially crafted application to escalate privileges,” explained the firm.
Having obtained administrative privileges, hackers could install software on the device, edit or delete data and create new accounts at will.
Microsoft has advised customers using the affected operating systems to install the necessary updates as soon as possible, to shield against attack.
“Customers running other versions of Microsoft Windows or Windows Server do not need to take any action. These vulnerabilities were already addressed for all other supported OSs in the August 11 2020 release,” Microsoft added.