Microsoft has once again warned companies to patch older versions of Windows against a severe vulnerability in the Remote Desktop Protocol (RDP) service that can be abused remotely, and which the company has likened to the EternalBlue exploit that fueled the WannaCry, NotPetya, and Bad Rabbit ransomware outbreaks.
To make matters worse, limited proof-of-concept code for exploiting this vulnerability (known as BlueKeep, or CVE-2019-0708) has surfaced online over the last two days.
"Microsoft is confident that an exploit exists for this vulnerability, and if recent reports are accurate, nearly one million computers connected directly to the internet are still vulnerable to CVE-2019-0708," said Simon Pope, Director of Incident Response, Microsoft Security Response Center (MSRC).
Patches are currently available for Windows XP, Windows Vista, Windows 7, Windows Server 2003, and Windows Server 2008 -- the Windows versions vulnerable to BlueKeep attacks.
Microsoft issues second warning
Microsoft first warned about this vulnerability on May 14, when it released this month's Patch Tuesday update train. At the time, it said the flaw was dangerous because it not only allowed remote code execution, but was also wormable (able to self-replicate from one vulnerable machine to the next without user interaction).
The Microsoft exec also warns companies about the danger of thinking that workstations not connected to the Internet are safe.
"It only takes one vulnerable computer connected to the internet to provide a potential gateway into [...] corporate networks, where advanced malware could spread, infecting computers across the enterprise," he said.
Pope also warns companies against assuming they're safe just because no attacks have been seen so far.
"It's been only two weeks since the fix was released and there has been no sign of a worm yet. This does not mean that we're out of the woods," he said.
"It is possible that we won't see this vulnerability incorporated into malware. But that's not the way to bet."
He likened this relative calm to the two months between the publication of the EternalBlue exploit and the WannaCry outbreak, which also saw limited attacks in the beginning.
For now, the BlueKeep demo exploit code published on GitHub is not as dangerous as people think, as it can only crash a remote vulnerable system, but not execute code on it.
However, skilled reverse engineers have been able to achieve remote code execution for proof-of-concept exploits they refused to release for fear of triggering the next major ransomware outbreak. The list includes Zerodium, McAfee, Kaspersky, Check Point, MalwareTech, and Valthek.