Microsoft issues second BlueKeep warning urging users to patch
Microsoft again urged users to patch against the BlueKeep vulnerability as more potential exploits surface and one researcher discovered almost 1 million vulnerable systems.
If issuing patches for unsupported systems wasn't enough evidence that users should take notice of BlueKeep, Microsoft published a second alert urging users to take action.
BlueKeep, a Windows Remote Desktop vulnerability that could spread in the same worm-like fashion as WannaCry, was patched on May 14 as part of Microsoft's Patch Tuesday release, including patches for supported systems, as well as Windows XP and Server 2003. At the time, Simon Pope, Microsoft Security Response Center's director of incident response, wrote in an advisory explaining why the BlueKeep patch was so important and on May 30 Pope posted a reminder alert urging users to patch.
The second BlueKeep patch alert came following a report by Robert Graham, owner of Errata Security in Portland, Ore., claiming he had found "nearly 1 million devices on the public internet that are vulnerable to the bug."
"It has the potential to be as bad [as] notPetya. On the other hand, maybe some good Samaritan will first use a DoS PoC and take down all the Internet-exposed RDP, preventing a worm from doing anything special," Graham quipped on Twitter.
Pope noted in his BlueKeep patch advisory that "it is possible that we won't see this vulnerability incorporated into malware. But that's not the way to bet.
"It only takes one vulnerable computer connected to the internet to provide a potential gateway into these corporate networks, where advanced malware could spread, infecting computers across the enterprise," Pope wrote. "This scenario could be even worse for those who have not kept their internal systems updated with the latest fixes, as any future malware may also attempt further exploitation of vulnerabilities that have already been fixed."
While Pope admitted "there has been no sign of a worm yet," he said Microsoft was "confident that an exploit exists for this vulnerability." And, there is good reason to have that confidence. Security researchers have already created proof of concept (PoC) code as early as May 20 and in the time since more potential exploits have surfaced on GitHub, including alleged weaponized PoC code being sold for $50,000, according to Christiaan Beek, lead scientist and senior principal engineer at McAfee.
Making the need for users to install the BlueKeep patch even more urgent, Cisco Talos researcher Brandon Stultz noted in a blog post that it would be possible for an attacker to bypass security measures with a BlueKeep attack if the remote desktop protocol (RDP) traffic were encrypted, "essentially sneaking past users and remaining undetected."
"Over the last several years we have seen several high profile vulnerabilities affecting services associated with various Windows services. Some, if not all, of these services should not be exposed to the internet," Stultz wrote. "To reduce external exposure organizations need to take additional steps to ensure that services like RDP and SMB are not exposed unless explicitly required, but does not eliminate the need for patching. This is yet another example of why patching is one of the core fundamental concepts in information security."