Image:Shodan

Nearly one million Windows PCs are vulnerable to BlueKeep, a vulnerability in the Remote Desktop Protocol (RDP) service impacting older versions of the Windows OS.

This number comes to put initial fears into context -- that over seven million devices were in danger--; although the danger remains present, as one million devices are still nothing to joke about.

The BlueKeep flaw

The BlueKeep vulnerability, tracked as CVE-2019-0708, has been the boogeyman of the IT and cyber-security communities for the past two weeks.

The issue came to light on the May 2019 Patch Tuesday, earlier this month. At the time, Microsoft released patches but also warned that the BlueKeep flaw is wormable, meaning that hackers and malware could potentially abuse it to self-replicate and spread on its own, similar to how hackers used the EnternalBlue SMB exploit during the WannaCry, NotPetya, and Bad Rabbit ransomware outbreaks of 2017.

But despite the vulnerability's danger level, no attacks have been recorded, mainly because there is no public demo code that threat actors can adapt and implement into their attacks.

Some aggressive scans are currently underway, and it is unclear who is behind them, according to cyber-security firm GreyNoise, who spotted this activity over the weekend.

The good news is that companies can apply patches to mitigate this risk. Patches are currently available for Windows XP, 7, Server 2003, and Server 2008, the Windows versions vulnerable to BlueKeep attacks.

One, not seven, million vulnerable systems

In research published today, Robert Graham, head of offensive security research firm Errata Security, and the author of the masscan Internet scanning utility has unveiled the most accurate statistic about the number of Windows systems that are still vulnerable to the BlueKeep attacks.

While initially it was believed that there are nearly 7.6 million Windows systems connected to the Internet that can be attacked, Graham said today that the number is actually closer to 950,000.

Most of the seven million systems that have (RDP) port 3389 exposed to the Internet, are not actually Windows systems, or they are not running an RDP service on that port, Graham discovered.

The researcher said the vast majority of Windows systems with an RDP service exposed online are safe -- with roughly around 1.5 million such devices answering scans in a way specific to already-patched systems.

Nonetheless, 950,000 is not a small number, even if it's inferior to the number of patched systems.

"Hackers are likely to figure out a robust exploit in the next month or two and cause havoc with these machines," Graham warned.

Furthermore, due to the limitations of his scans, Graham was not able to test Windows systems on internal networks, which most likely hide even more vulnerable machines.

The time companies have to patch older Windows systems against BlueKeep is starting to run out, and security researchers expect attacks to begin at any time.

The tool that Graham used during his research is available on GitHub under the name of rdpscan -- a mix between his own masscan tool and a BlueKeep scanner developed by RiskSense.

More vulnerability reports: