Microsoft's out of band security update fixes flaw in Windows Remote Access service

The vulnerabilities could allow threat actors to gain elevated privileges on a victim's machine

Microsoft has issued an emergency out of band security update to address two privilege escalation vulnerabilities in the Windows Remote Access service.

Tracked as CVE-2020-1530 and CVE-2020-1537, the bugs could allow threat actors to gain elevated privileges after a successful attack. They impact all supported versions of Windows 8.1, Windows RT 8.1 and Windows Server 2012 R2 (the bugs have already been covered in Microsoft's August Patch Tuesday security updates for other versions of Windows).

CVE-2020-1530 arises due to improper memory handling by the Windows Remote Access service. To exploit the flaw, a hacker first needs to gain code execution privileges on the victim system; following this, they could execute a specially crafted application to elevate their privileges.

The KB4578013 security update fixes the bug by correcting the way in which the Windows Remote Access service handles memory.

CVE-2020-1537 works in the same way as CVE-2020-1530, but is down to a flaw in file handling rather than memory.

Microsoft has recommended users immediately install the updates to protect their devices from attacks by cyber criminals.

Users can download and install the standalone packages from the Microsoft Update Catalogue website. Users do not need to restart after installing the KB4578013 security update, and the update does not replace any previously released update installed on the system.

This out of band security update from Microsoft has arrived nearly a week after the release of August Patch Tuesday update, in which Microsoft patched 120 security vulnerabilities across a suite of its products and platforms.

Of the bugs addressed in that update, 17 were rated as 'critical' while 103 were 'important' vulnerabilities.

The company also fixed two zero-day bugs that were previously unknown to Microsoft and were being exploited in the wild.

One of the two zero-days, CVE-2020-1380, existed in the Internet Explorer (IE) scripting engine, and enabled hackers to compromise a system when a user browsed to a malicious website with IE, or opened booby-trapped Office files sent by hackers.

Another zero-day, CVE-2020-1464, was described as a spoofing bug, which enabled hackers to bypass Windows security features and have the OS incorrectly validate file signatures.