Microsoft has issued an emergency out of band Windows security update designed to address privilege escalation bugs found to impact the Windows Remote Access service.

“An out of band security update has been released for Windows 8.1 and Windows Server 2012 R2,” Microsoft says. “We recommend that you install these updates promptly.”

The KB4578013 security update fixes two Windows Remote Access elevation of privilege vulnerabilities affecting all supported versions of Windows 8.1, Windows RT 8.1, and Windows Server 2012 R2.

The security issues tracked as CVE-2020-1530 and CVE-2020-1537 could allow attackers to gain elevated privileges after successful exploitation. For the vulnerabilities to be exploited, attackers would first need to code execution privileges on victims’ devices to run a specially crafted application. KB4578013 addresses the vulnerabilities by correcting how Windows Remote Access handles memory and file operations.

Users urged to promptly install KB4578013

Customers running Windows 8.1 or Server 2012 R2 should install the update as soon as possible to be protected from attacks that could exploit this vulnerability.

“Customers running other versions of Microsoft Windows or Windows Server do not need to take any action” Microsoft added since “[t]hese vulnerabilities were already addressed for all other supported OSs in the August 11, 2020 release,” as the company further explained in the Windows Message Center.

To download and install the standalone packages for this out of band Windows update, you have to go to the Microsoft Update Catalog website.

Once installed, the KB4578013 security update does not require a device restart to fully address the Windows Remote Access elevation of privilege vulnerabilities.

Last week, Microsoft also fixed 120 security vulnerabilities in Microsoft products as part of this month’s Patch Tuesday, 17 classified as Critical and 103 as Important severity.

August 2020 Patch Tuesday also addressed two zero-day vulnerabilities actively exploited in attacks:

• a remote code execution vulnerability in Internet Explorer 11 tracked as CVE-2020-1380
• a Windows spoofing vulnerability tracked as CVE-2020-1464 allowing attackers to spoof other companies when digitally signing executables

The information contained in this website is for general information purposes only. The information is gathered from BLEEPING COMPUTER, while we endeavour to keep the information up to date and correct, we make no representations or warranties of any kind, express or implied, about the completeness, accuracy, reliability, suitability or availability with respect to the website or the information, products, services, or related graphics contained on the website for any purpose. Any reliance you place on such information is therefore strictly at your own risk.  Through this website, you are able to link to other websites which are not under the control of CSIRT-CY. We have no control over the nature, content and availability of those sites. The inclusion of any links does not necessarily imply a recommendation or endorse the views expressed within them. Every effort is made to keep the website up and running smoothly. However, CSIRT-CY takes no responsibility for, and will not be liable for, the website being temporarily unavailable due to technical issues beyond our control.