When news appeared in May of the security vulnerability in Windows that would come to be known as BlueKeep, security researchers almost immediately cautioned that the flaw looked like the central ingredient for a destructive worm sure to rampage through the internet. Microsoft issued a series of stark warnings to patch the flaw, which remained unpatched on roughly a million computers. Even the NSA took the rare step of noting the bug's severity.

But two months later, the dreaded BlueKeep doomsday has yet to materialize. In fact, its apparent absence has made clear that in an age of hardened operating systems with built-in protections against easy exploitation, the mere existence of a known flaw in software no longer means an immediate open season for hackers. State-sponsored groups may already be using it for quiet intrusions, but low-skilled criminals have yet to use it for wide-scale calamity. That doesn't mean a larger wave of BlueKeep exploitation isn't in store if, or when, the details of exploiting the Windows vulnerability leak out to a wider audience.

"I would bet money that it's already being exploited quietly," says Marcus Hutchins, a malware researcher for security firm Kryptos Logic who has privately coded a working BlueKeep exploitation proof-of-concept. Like others who have tested the bug, Hutchins hasn't released his code for fear of enabling malicious use.

If the timeline of BlueKeep's exploitation follows three stages (white hat hacker testing, sophisticated targeted attacks, and then a wider free-for-all), "we're on stage two," Hutchins says. "To get to a worm right now, there would need to be someone with the skills to write an exploit and the motive to make a worm—until some asshole makes a proof-of-concept public, and then all the people who don't know any better will make it into a worm."

Do the Worm

On Wednesday, security firm BitSight released the results of a new round of scanning for the BlueKeep flaw, which affects unpatched machines running Windows 7 or earlier versions of Windows. The company found that about 800,000 computers remain vulnerable to the attack, a significant drop from the nearly 1 million unpatched machines BitSight counted in late May, but still enough to cause mayhem if a worm were unleashed. Security researcher Rob Graham, the founder of Errata Security, found 730,000 unpatched machines in his own scans, down from his May count of just over 920,000. (Microsoft has published a patch for the flaw.)

"You don't want to be the country that triggered WannaCry 2.0." Jake Williams, Rendition Infosec

According to BitSight's analysis of the IP addresses of those vulnerable computers, individual PCs connected to the internet via consumer ISPs make up the largest share of the exposed population, at more than 30 percent of unpatched machines. Other sectors like education, government, utilities, and tech firms account for close to 5 percent of exposed machines. That's likely due to sprawling, uncounted inventories of servers and legacy software that's tough to patch without breaking applications, says BitSight director of security research Dan Dahlberg. And those counts cover only the machines that expose RDP to the public internet; vulnerable hosts behind a firewall are invisible to such scans, yet still reachable by a worm that gets inside the network.

"There have been very few of these situations over the years where a vulnerability has lined itself to be so wormable," Dahlberg says. "It’s still just a function of time until someone with more nefarious end goals might develop something."

The obvious point of comparison is EternalBlue, a hacking tool that was stolen from the NSA by mysterious hackers known as the Shadow Brokers. Publicly leaked in 2017, EternalBlue was integrated into the WannaCry and NotPetya worms, both of which caused worldwide harm. But thanks to the Shadow Brokers, EternalBlue was readily available to anyone who wanted it. Any hacker who wants to exploit BlueKeep has to build their hacking tool from scratch. That requires reverse engineering the vulnerability from Microsoft's patch for the bug, which affects the Windows remote-access feature known as Remote Desktop Protocol, or RDP, and turning that knowledge into a reliable exploit. And that task has proven to be beyond the technical skills of the average cybercriminal or watch-the-world-burn internet vandal, says Hutchins.