One million Windows systems still vulnerable to 'wormable' BlueKeep RDP security flaw

Microsoft deemed BlueKeep RDP flaw so serious it even supplied a patch for Windows XP

Almost one million Windows systems remain vulnerable to the "wormable" BlueKeep security flaw, almost two weeks after the release of a security patch by Microsoft.

BlueKeep, indexed as CVE-2019-0708, lies in the Remote Desktop Protocol (RDP) service and affects older versions of the Windows operating system.

It is considered so serious that the company produced patches for out-of-support operating systems, including Windows XP, in a bid to prevent another WannaCry-style exploit from emerging.

The bug came to prominence earlier this month when Microsoft issued a patch for it in its May 2019 Patch Tuesday. At that time, the company warned that the flaw is "wormable" and could be exploited by hackers to spread malware, as happened in 2017 when the EternalBlue SMB flaw was used to spread WannaCry and, later, NotPetya.


The vulnerability is pre-authentication, meaning an attacker can trigger it with crafted RDP traffic before logging on, and it requires no user interaction. That combination is what makes it "wormable": malware exploiting the flaw could spread from one vulnerable system to the next on its own, with nobody at either end having to do anything.

Robert Graham, head of the security research firm Errata Security, recently performed new internet scans using his "rdpscan" tool and found that about 950,000 publicly accessible machines on the internet are still vulnerable to BlueKeep.

"To scan the internet, I started with masscan, my Internet-scale port scanner, looking for port 3389, the one used by Remote Desktop. This takes a couple hours, and lists all the devices running Remote Desktop - in theory," Graham wrote in a blog post.

Initially, it was thought that around 7.6 million internet-connected systems could be attacked using the BlueKeep flaw. But, according to Graham, most of the 7.6 million systems that have the RDP port, 3389, exposed to the internet are either non-Windows systems or are not actually running an RDP service on that port.
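The first filtering step Graham describes, separating hosts that merely have port 3389 open from hosts that actually speak RDP, can be reproduced with a single protocol exchange. The following is an added example, not code from the article and not part of Errata Security's rdpscan: it sends the X.224 Connection Request that opens every RDP session (TPKT framing, an X.224 CR TPDU, the usual "mstshash" cookie and an RDP_NEG_REQ, per MS-RDPBCGR 2.2.1.1) and classifies the server's Connection Confirm (2.2.1.2). It only tells you whether the port is RDP and which security the server negotiates; it does not test for CVE-2019-0708 itself. The hostname is a command-line argument, and the sample replies at the bottom are constructed for offline use, not captured from real hosts.

```python
"""Probe TCP/3389 with an RDP X.224 Connection Request and classify the reply.

Added example (not from the article or from Errata Security's rdpscan).
It answers only "does this port speak RDP, and what security does it
negotiate?"; it does NOT test for CVE-2019-0708 itself.
"""
import socket
import struct
import sys

# requestedProtocols / selectedProtocol flags, MS-RDPBCGR 2.2.1.1.1
PROTOCOL_NAMES = {
    0: "standard RDP security",
    1: "TLS",
    2: "CredSSP (NLA)",
    8: "CredSSP with early user authentication",
}
# failureCode values from RDP_NEG_FAILURE, MS-RDPBCGR 2.2.1.2.2
FAILURE_NAMES = {
    1: "SSL_REQUIRED_BY_SERVER",
    2: "SSL_NOT_ALLOWED_BY_SERVER",
    3: "SSL_CERT_NOT_ON_SERVER",
    4: "INCONSISTENT_FLAGS",
    5: "HYBRID_REQUIRED_BY_SERVER",
    6: "SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER",
}


def build_x224_connection_request(cookie=b"probe", requested=0x0B):
    """TPKT + X.224 CR + mstshash cookie + RDP_NEG_REQ asking for all protocols."""
    neg_req = struct.pack("<BBHI", 1, 0, 8, requested)    # type=RDP_NEG_REQ, flags, length, protocols
    body = bytes([0xE0, 0, 0, 0, 0, 0])                    # CR code, DST-REF, SRC-REF, CLASS 0
    body += b"Cookie: mstshash=" + cookie + b"\r\n" + neg_req
    tpdu = bytes([len(body)]) + body                        # LI counts the bytes after itself
    return struct.pack(">BBH", 3, 0, 4 + len(tpdu)) + tpdu  # TPKT: version 3, reserved, total length


def parse_x224_connection_confirm(data):
    """Classify a reply to the CR. Returns a dict; 'rdp' is False for anything that is not RDP."""
    if len(data) < 11 or data[0] != 3 or data[1] != 0:
        return {"rdp": False, "reason": "no TPKT header"}
    tpkt_len = struct.unpack(">H", data[2:4])[0]
    li = data[4]
    if tpkt_len != len(data) or li < 6 or (data[5] & 0xF0) != 0xD0:
        return {"rdp": False, "reason": "not an X.224 Connection Confirm"}
    # A bare CC with no rdpNegData means the server only offers standard RDP security (no NLA).
    result = {"rdp": True, "negotiation": "none (legacy: standard RDP security only)",
              "selected_protocol": None, "failure": None}
    if li >= 14 and len(data) >= 19:                        # optional 8-byte rdpNegData present
        ntype, _flags, nlen, value = struct.unpack("<BBHI", data[11:19])
        if ntype == 2 and nlen == 8:                        # TYPE_RDP_NEG_RSP
            result["negotiation"] = "response"
            result["selected_protocol"] = PROTOCOL_NAMES.get(value, "unknown (%#x)" % value)
        elif ntype == 3 and nlen == 8:                      # TYPE_RDP_NEG_FAILURE
            result["negotiation"] = "failure"
            result["failure"] = FAILURE_NAMES.get(value, "unknown (%#x)" % value)
    return result


def probe_rdp(host, port=3389, timeout=5.0):
    """Connect, send the CR, read one TPKT-framed reply and classify it."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(build_x224_connection_request())
            header = sock.recv(4)
            if len(header) < 4 or header[0] != 3:
                return {"rdp": False, "reason": "non-TPKT reply: %r" % header}
            total = struct.unpack(">H", header[2:4])[0]
            body = b""
            while len(body) < total - 4:                    # read exactly one TPKT packet
                chunk = sock.recv(total - 4 - len(body))
                if not chunk:
                    break
                body += chunk
            return parse_x224_connection_confirm(header + body)
    except OSError as exc:
        return {"rdp": False, "reason": str(exc)}


# Constructed sample replies (not captured from real hosts), for offline testing.
SAMPLE_LEGACY_CC = bytes.fromhex("0300000b 06d0 0000 1234 00")                     # CC, no rdpNegData
SAMPLE_NLA_CC = bytes.fromhex("03000013 0ed0 0000 1234 00 0200 0800 02000000")       # selectedProtocol=2
SAMPLE_NLA_REQUIRED = bytes.fromhex("03000013 0ed0 0000 1234 00 0300 0800 05000000") # failureCode=5
SAMPLE_NOT_RDP = b"SSH-2.0-OpenSSH_7.9\r\n"                                         # something else on 3389

if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(sys.argv[1], probe_rdp(sys.argv[1]))
    else:
        for sample in (SAMPLE_LEGACY_CC, SAMPLE_NLA_CC, SAMPLE_NLA_REQUIRED, SAMPLE_NOT_RDP):
            print(parse_x224_connection_confirm(sample))
```

Run it as `python3 rdpprobe.py <host>` against one address, or feed it the address list that masscan's `-oL` output gives you for port 3389. The replies fall into three buckets that matter here: a non-RDP or closed port (most of the 7.6 million), a server that negotiates TLS or CredSSP, and a bare Connection Confirm, which is what pre-NLA builds such as Windows XP and Server 2003 return. Microsoft's advisory for CVE-2019-0708 lists enabling Network Level Authentication as a mitigation, because an attacker then needs valid credentials before reaching the vulnerable code, so a server that replies with HYBRID_REQUIRED_BY_SERVER is at least not exposed to the unauthenticated path.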

The BlueKeep bug is considered so dangerous that Microsoft released patches for operating systems it no longer supports, including Windows XP, Windows Vista and Windows Server 2003, to reduce the chance of a worm exploiting the flaw.

Graham has also released his rdpscan tool publicly so that system administrators can scan their own networks for vulnerable Windows machines.

He also advises large enterprises to address the risk posed by PsExec, a command-line tool that IT admins use to execute processes on remote systems. The same mechanism, driven with stolen credentials, can let a worm spread throughout an entire network from a single infected system without needing the vulnerability again.

"You may have only one old WinXP machine that's vulnerable, that you don't care if it gets infected with ransomware," Graham wrote.

"But that machine may have a Domain Admin logged in, so that when the worm breaks in, it [can] grab those credentials.

"Then, from the Domain Controller, the worm sends a copy of itself to all the desktop and servers in the organisation, using those credentials instead of the vuln."
