Microsoft issued a new warning for users to update their systems to address the remote code execution vulnerability dubbed BlueKeep.

Microsoft issued a new warning for users of older Windows OS versions to update their systems in order to patch the remote code execution vulnerability dubbed BlueKeep.

The vulnerability, tracked as CVE-2019-0708, impacts the Windows Remote Desktop Services (RDS) and was addressed by Microsoft with May 2019 Patch Tuesday updates. BlueKeep is a wormable flaw that can be exploited by malware authors to create malicious code with WannaCry capabilities.

As explained by Microsoft, this vulnerability could be exploited by malware with wormable capabilities, it could be exploited without user interaction, making it possible for malware to spread in an uncontrolled way into the target networks.

Many security experts have already developed their own exploit code for this issue without publicly disclosing it for obvious reasons.

Microsoft has released patches for Windows 7, Server 2008, XP and Server 2003. Windows 7 and Server 2008 users can prevent unauthenticated attacks by enabling Network Level Authentication (NLA), and the threat can also be mitigated by blocking TCP port 3389.

Now Microsoft is warning again companies to patch older versions of Windows to avoid the exploitation of the flaw. Security experts fear a new massive attack that could affect millions of computers worldwide running still unpatched systems.

The availability of explot codes in the wild poses a severe risk for tne users. Experts at the SANS Institute observed two partial exploits that are publicly available. Chaouki Bekrar, the founder of zero-day broker firm Zerodium, explained that the flaw can be exploited remotely by an unauthenticated user to gain access to a device with SYSTEM privileges. Researchers at McAfee developed a PoC exploit that could be exploited to get remote code execution.

Other experts also announced to have successfully developed exploits for BlueKeep, including Kaspersky, Check Point, and MalwareTech.

Recently, the popular expert Robert Graham has scanned the Internet for vulnerable systems. He discovered more than 923,000 potentially vulnerable devices using the masscan port scanner and a modified version of rdpscan,

“Microsoft is confident that an exploit exists for this vulnerability, and if recent reports are accurate, nearly one million computers connected directly to the internet are still vulnerable to CVE-2019-0708. Many more within corporate networks may also be vulnerable. It only takes one vulnerable computer connected to the internet to provide a potential gateway into these corporate networks, where advanced malware could spread, infecting computers across the enterprise.” reads the advisory published by Simon Pope, Director of Incident Response, Microsoft Security Response Center (MSRC). “This scenario could be even worse for those who have not kept their internal systems updated with the latest fixes, as any future malware may also attempt further exploitation of vulnerabilities that have already been fixed.”

Even if there has been no sign of attacks exploiting the flaw in the wild Microsoft recommends updating the vulnerable Windows versions as soon as possible.

“It’s been only two weeks since the fix was released and there has been no sign of a worm yet. This does not mean that we’re out of the woods. If we look at the events leading up to the start of the WannaCry attacks, they serve to inform the risks of not applying fixes for this vulnerability in a timely manner.” concludes the advisory.

“Our recommendation remains the same. We strongly advise that all affected systems should be updated as soon as possible.”

Microsoft also pointed out that workstations not connected to the Internet are also exposed to the risk of a hack.





If you appreciate my effort in spreading cybersecurity awareness, please vote for Security Affairs in the section “Your Vote for the Best EU Security Tweeter”

Thank you

Pierluigi Paganini

(SecurityAffairs – BlueKeep, hacking)