Microsoft Warns Users Again to Patch Wormable BlueKeep Flaw

Microsoft issued a second warning for users of older Windows releases to patch their systems to block potential attackers from abusing the critical Remote Desktop Services (RDS) remote code execution vulnerability dubbed BlueKeep.

The first time around, Microsoft released a security update to protect Windows computers running vulnerable RDS installations from malware capable of exploiting the flaw, tracked as CVE-2019-0708, and of propagating between unpatched machines.

Comparison to EternalBlue and WannaCry

This second time, Redmond's "recommendation remains the same. We strongly advise that all affected systems should be updated as soon as possible. It is possible that we won’t see this vulnerability incorporated into malware. But that’s not the way to bet."

To show just how fast a serious vulnerability could lead to very serious consequences, Simon Pope, Microsoft Security Response Center (MSRC) Director of Incident Response, drew a parallel to the exploitation timeline of the EternalBlue vulnerability.

According to Pope, even though users had almost 60 days to patch after Microsoft issued a security update for the SMBv1 vulnerabilities, a lot of machines were left unpatched, which led to them getting infected with ransomware after the ShadowBrokers publicly released the EternalBlue wormable exploit in April 2017.

One month later, in May 2017, hundreds of thousands of exposed Windows machines were compromised using the EternalBlue exploit and subsequently infected with the WannaCry ransomware.

As part of the initial warning, Microsoft said that "the vulnerability is ‘wormable’, and that future malware that exploits this vulnerability could propagate from vulnerable computer to vulnerable computer in a similar way as the WannaCry malware spread across the globe in 2017."

Microsoft is now reminding all users of older Windows releases impacted by the vulnerability — in-support versions (Windows 7, Windows Server 2008 R2, and Windows Server 2008) and out-of-support ones (Windows XP and Windows Server 2003) — to patch their systems as soon as possible.

"Microsoft is confident that an exploit exists for this vulnerability, and if recent reports are accurate, nearly one million computers connected directly to the internet are still vulnerable to CVE-2019-0708. Many more within corporate networks may also be vulnerable," says Pope.

Security patch download links for all vulnerable systems are available below:

The 0patch platform also issued a fix for BlueKeep, in the form of a 22-instruction micropatch that can be used to protect always-on servers against exploitation attempts without having to reboot the machines.

BlueKeep can also be partially mitigated by enabling Network Level Authentication (NLA) for Remote Desktop Services connections on vulnerable systems, because NLA forces a client to authenticate before the vulnerable pre-authentication code path is reached. Despite this, attackers could still abuse the RCE flaw if they already have credentials that let them authenticate to a vulnerable system where RDS is enabled, so NLA is a stopgap, not a replacement for the security update.
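The following PowerShell script is an added example, not code from the article, Microsoft or 0patch: it audits a Windows 7 / Server 2008 R2 host for the exposure described above (is RDP on, which port the RDP-Tcp listener uses, and whether NLA is already required) and then enforces NLA through the Terminal Services WMI provider. The registry paths and the Win32_TSGeneralSetting class are Microsoft's documented locations; the script itself, its output strings and the decision logic are assumptions made for this example. Run it in an elevated PowerShell on the host itself.

```powershell
# Added example (not from the article, Microsoft or 0patch): audit a host's
# RDP exposure and enforce Network Level Authentication as an interim
# mitigation for CVE-2019-0708. Uses PowerShell 2.0 cmdlets so it runs on
# Windows 7 / Server 2008 R2 as shipped.

$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpKey = "$tsKey\WinStations\RDP-Tcp"

# 1. Is Remote Desktop enabled at all? fDenyTSConnections = 1 means RDP is
#    off, which removes the attack surface entirely on hosts that don't need it.
$rdpOff = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections).fDenyTSConnections

# 2. Which TCP port does the RDP-Tcp listener use (3389 by default)?
$port   = (Get-ItemProperty -Path $rdpKey -Name PortNumber).PortNumber

# 3. Current NLA state: UserAuthentication = 1 means NLA is required.
$nla    = (Get-ItemProperty -Path $rdpKey -Name UserAuthentication).UserAuthentication

"Remote Desktop enabled : $($rdpOff -eq 0)"
"RDP-Tcp listener port  : $port"
"NLA required           : $($nla -eq 1)"

if ($rdpOff -eq 0 -and $nla -ne 1) {
    # Enforce NLA through the Terminal Services WMI provider rather than by
    # writing the registry value directly, so the running listener applies
    # the setting without a reboot. Caveat: RDP clients that cannot perform
    # NLA (for example an old mstsc without CredSSP support) will no longer
    # be able to connect to this host.
    $ts = Get-WmiObject -Namespace 'root\cimv2\TerminalServices' `
                        -Class Win32_TSGeneralSetting `
                        -Authentication PacketPrivacy `
                        -Filter "TerminalName='RDP-Tcp'"
    $result = $ts.SetUserAuthenticationRequired(1)
    if ($result.ReturnValue -eq 0) {
        'NLA is now required for RDP-Tcp connections.'
    } else {
        "SetUserAuthenticationRequired failed with WMI return code $($result.ReturnValue)"
    }
}

# NLA is only a partial mitigation: an attacker who already holds valid
# credentials for this host can authenticate and still reach the vulnerable
# code, so installing the security update remains the actual fix.
```

Because the script only reads the registry and calls the WMI method, it is safe to run repeatedly from a management script; a fleet-wide variant would pass `-ComputerName` to `Get-WmiObject` and use the remote registry provider for the three lookups, which is why `-Authentication PacketPrivacy` (required for that WMI namespace over the network) is already included.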

PoC exploits already available

Patching all vulnerable machines is a must, seeing that more and more PoC exploits are surfacing, even though, as Pope states, "It's been only two weeks since the fix was released and there has been no sign of a worm yet. This does not mean that we’re out of the woods."

Multiple security researchers have already created proof-of-concept exploits, although none of them have publicly released the code, choosing to only show video proof to make sure that malicious actors don't get their hands on easy-to-weaponize PoC code for the BlueKeep flaw.

For instance, researchers from Check Point and Kaspersky have developed DoS proof-of-concept code that leads to Blue Screens of Death (BSODs), with the latter also having "developed detection strategies for attempts to exploit it" which will be shared "with trusted industry partners."

Additionally, Zerodium confirmed that BlueKeep is remotely exploitable without authentication just one day after Microsoft issued its patch.

Just three days later, security researcher Valthek also announced that he had created his own BlueKeep PoC exploit, which was later confirmed as a working PoC by McAfee senior principal engineer Christiaan Beek.
