Microsoft issues second warning about patching BlueKeep as PoC code goes public

Time's running out on patching older systems against the BlueKeep vulnerability.

BlueKeep

Microsoft has once again warned companies to patch older versions of Windows against a severe vulnerability in the Remote Desktop Protocol (RDP) service that can be abused remotely, and which the company has likened to the EternalBlue exploit that fueled the WannaCry, NotPetya, and Bad Rabbit ransomware outbreaks.

To make matters worse, limited proof-of-concept code for exploiting this vulnerability (known as BlueKeep, or CVE-2019-0708) has surfaced online over the last two days.

"Microsoft is confident that an exploit exists for this vulnerability, and if recent reports are accurate, nearly one million computers connected directly to the internet are still vulnerable to CVE-2019-0708," said Simon Pope, Director of Incident Response, Microsoft Security Response Center (MSRC).

Scans for computers vulnerable to BlueKeep have been going on for almost a week at an ever-increasing pace. The OS maker is now sounding the last alarm before actual attacks get underway.

Patches are currently available for Windows XP, Windows Vista, Windows 7, Windows Server 2003, and Windows Server 2008 -- the Windows versions vulnerable to BlueKeep attacks.

Microsoft issues second warning

Microsoft first warned about this vulnerability on May 14, when it released this month's Patch Tuesday updates train. At the time, it said the flaw was dangerous because it not only allowed remote execution, but the bug was also wormable (having the ability to self-replicate).

"Our recommendation remains the same. We strongly advise that all affected systems should be updated as soon as possible," Pope said.

The Microsoft exec also warns companies about the danger of thinking that workstations not connected to the Internet are safe.

"It only takes one vulnerable computer connected to the internet to provide a potential gateway into [...] corporate networks, where advanced malware could spread, infecting computers across the enterprise," he said.

Pope also warns companies about thinking they're safe just because attacks haven't been seen, so far.

"It's been only two weeks since the fix was released and there has been no sign of a worm yet. This does not mean that we're out of the woods," he said."

"It is possible that we won't see this vulnerability incorporated into malware. But that's not the way to bet."

He likened this relative calm to the two months between the publication of the EternalBlue exploit and the WannaCry outbreak, which also saw limited attacks in the beginning.

Those infrequent attacks later steamrolled, and EternalBlue became one of the most popular exploits on the market, as more demo code became available and as hacker groups started to learn how to weaponize the exploit at its full capacity.

Working demo code is available on GitHub

For now, the BlueKeep demo exploit code published on GitHub is not as dangerous as people think, as it can only crash a remote vulnerable system, but not execute code on it.

However, skilled reverse engineers have been able to achieve remote code execution for proof-of-concept exploits they refused to release for fear of triggering the next major ransomware outbreak. The list includes Zerodium, McAfee, Kaspersky, Check Point, MalwareTech, and Valthek.

More vulnerability reports: