BlueKeep Bug Still Threatens Windows Systems
For the past two months, security researchers have been warning us about BlueKeep, a critical remote code-execution vulnerability in Microsoft Windows that researchers said could lead to a global infection. As of the beginning of July, about 805,000 systems still remain online that are vulnerable to BlueKeep, according to a status update. The number of vulnerable systems represents a decrease of 17 percent compared to the end of May, including about 92,000 systems which remain externally exposed that have been patched. This translates to an average decrease of about 5,000 exposed vulnerable exposed systems per day, between patching, taking them offline and replacing them.
The BlueKeep vulnerability, CVE-2019-0708, RCE flaw exists in Remote Desktop Services and affects older version of Windows, including Windows 7, Windows XP, Server 2003, Server 2008 and Server 2008 R2. The main thing that sets BlueKeep apart is the fact that it's wormable and so it can self-propagate from machine to machine, setting up the scene for a WannaCry-level, fast-moving infection.
The concern is big enough that Microsoft even took the unusual step of deploying patches to Windows XP and Windows 2003, which are at the end of life and no longer supported. It has also issued multiple follow on advisories urging administrators to patch. BitSight found that the most responsive industries in mitigating BlueKeep have been legal, nonprofit / NGO and aerospace / defense with a 32.9 percent, 27.1 percent and 24.1 percent respective reduction in the number of organizations affected. On the other side, consumer goods, utilities and technology industries have been the least responsive, with only 5.3 percent, 9.5 percent and 11.7 percent of organizations respectively reduction in the number of organizations affected.
In terms of geography, China and the United States still have the highest number exposed systems. China showed the highest improvement by reducing the number of exposed vulnerable systems by almost 110,000 which represents a 24 percent decrease. The United States followed suit by showing almost 27,000 fewer vulnerable systems exposed as of July, representing a 20 percent decrease. On the other side, South Korea showed an 14.5 percent increase in the time period of 3,430 vulnerable exposed systems, and Estonia with 146, a 32.2 percent increase.
In June, a working exploit for the flaw showed how an unauthenticated attacker could achieve full run of a victim machine in about 20 seconds. An earlier proof-of-concept from McAfee showed a successful RCE exploit, but didn't include the credential harvesting so a mitigating factor in that exploit would be the need for a hacker by passed network-level authentication protections. The exploit is significant given the number of affected systems, which gives a hacker the ability not only of hijacking these machines, but using them to further infect other systems and services inside the organization.