Microsoft security officials say they are confident an exploit exists for BlueKeep, the recently patched vulnerability that has the potential to trigger self-replicating attacks as destructive as the 2017 WannaCry outbreak that shut down computers around the world.
In a blog post published Thursday night, members of the Microsoft Security Response Center cited findings published on Tuesday by Rob Graham, CEO of Errata Security, that almost 1 million computers connected to the Internet remain vulnerable to attack. That indicates that those machines have yet to install an update Microsoft published two weeks ago patching the so-called BlueKeep vulnerability, which is formally tracked as CVE-2019-0708. Exploits can reliably execute malicious code without any interaction by the end user. The severity led Microsoft to take the unusual step of issuing patches for Windows 2003, XP and Vista, which have been out of support for four, five and two years, respectively.
Thursday's post warned, once again, that inaction could unleash another outbreak on the scale of WannaCry, which caused hospitals to turn away patients and paralyzed banks, shipping docks and transportation hubs around the world. In the post, the MSRC officials wrote:
Microsoft is confident that an exploit exists for this vulnerability, and if the recent reports are accurate, one million computers connected directly to the Internet are still vulnerable to CVE-2019-0708. Many more within corporate networks may also be vulnerable. Only one vulnerable computer connected to the Internet is needed to provide a potential gateway into these corporate networks, where advanced malware could spread and infect computers throughout the company. This scenario could be even worse for those who have not updated their internal systems with the latest fixes, since any future malware may also try to exploit further vulnerabilities that have already been fixed.
Microsoft reminded people that WannaCry wasn't unleashed until two months after the release of MS17-010, the update that fixed the vulnerability WannaCry exploited. That flaw resided in SMBv1, an early version of the Server Message Block protocol, which lets a computer share files and directories with other computers. Security experts use the word "wormable" to describe such vulnerabilities because of their ability to power worms, self-replicating attacks that require no interaction by end users. The wormable BlueKeep flaw, by contrast, stems from a "dangling pointer" bug in Remote Desktop Protocol, which provides a graphical interface for connecting to another computer over a network.
Of course, the big difference two years ago was the public release of EternalBlue, an exploit that was developed by, and then stolen from, the National Security Agency, arguably the most advanced hacking organization in the world. An as-yet-unidentified group calling itself the Shadow Brokers published EternalBlue in April 2017. The release gave inexperienced hackers around the world an easy way to force vulnerable computers to execute code of their choice. A month later, the WannaCry worm repurposed EternalBlue and ended up infecting computers around the world in a matter of hours.
This time, there has been no public release of code that exploits BlueKeep, although some white-hat hackers have reported developing exploits that are as wormable as Microsoft has warned. It is unclear exactly what the MSRC officials meant when they wrote that they are "confident that an exploit exists for this vulnerability". They may be referring to the same researchers described above. Or they may be referring to more nefarious actors. Ars asked Microsoft for more details and will update this post if its representatives provide them.
Microsoft is urging anyone running a vulnerable computer to patch immediately. Affected versions run from Windows XP through Server 2008 R2; anyone using these versions should make sure the patch is in place. RDP should not be exposed to the Internet unless absolutely necessary. Enabling Network Level Authentication for Remote Desktop Services is a useful mitigation, because it forces authentication before the vulnerable code path is reached, but it is not effective against attackers who already hold valid network credentials, which is a common situation in ransomware infections. Windows 8 and 10 are not affected.
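The checks a Windows administrator would run on a host to verify the three mitigations above (patch installed, RDP not needlessly enabled, NLA required), as an added example that is not from the Ars article or from Microsoft's advisory. The registry values it reads (fDenyTSConnections, UserAuthentication) are the standard Terminal Server settings; the KB IDs listed are assumed to be the May 2019 updates for Windows 7 SP1 / Server 2008 R2 and must be checked against the CVE-2019-0708 advisory for each SKU, since XP, Server 2003, Vista and Server 2008 SP2 have different update IDs.

```powershell
# Added example: audit one host for the CVE-2019-0708 (BlueKeep) mitigations and
# optionally enforce Network Level Authentication. Not Microsoft's code.
# Assumption: $kbCandidates holds the Windows 7 SP1 / Server 2008 R2 update IDs;
# verify them against the advisory and add the IDs for other affected SKUs.
# Run in an elevated session; uses only cmdlets present in PowerShell 2.0 (Windows 7).
param([switch]$EnforceNla)

$kbCandidates = @('KB4499175', 'KB4499164')   # monthly rollup / security-only (assumed, verify)
$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpKey = "$tsKey\WinStations\RDP-Tcp"

$os    = Get-WmiObject -Class Win32_OperatingSystem
$parts = $os.Version.Split('.')
$major = [int]$parts[0]
$minor = [int]$parts[1]
# Affected: NT 5.1 (XP) through NT 6.1 (Windows 7 / Server 2008 R2).
# NT 6.2 and later (Windows 8, Server 2012, Windows 10) are not affected.
$affectedSku = ($major -lt 6) -or ($major -eq 6 -and $minor -le 1)

# Get-HotFix wraps Win32_QuickFixEngineering; it lists installed KB IDs.
$installedKbs = Get-HotFix | ForEach-Object { $_.HotFixID }
$patched = $false
foreach ($kb in $kbCandidates) {
    if ($installedKbs -contains $kb) { $patched = $true }
}

# fDenyTSConnections = 0 means Remote Desktop connections are allowed.
$rdpEnabled = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections `
               -ErrorAction SilentlyContinue).fDenyTSConnections -eq 0
# UserAuthentication = 1 means NLA is required before the session is set up.
$nlaOn = (Get-ItemProperty -Path $rdpKey -Name UserAuthentication `
          -ErrorAction SilentlyContinue).UserAuthentication -eq 1

"Host          : $($os.CSName) ($($os.Caption), build $($os.Version))"
"Affected SKU  : $affectedSku"
"Patch present : $patched  (checked: $($kbCandidates -join ', '))"
"RDP enabled   : $rdpEnabled"
"NLA required  : $nlaOn"

if ($affectedSku -and -not $patched) {
    Write-Warning 'Affected SKU without the CVE-2019-0708 update installed. Patch now; NLA only blocks unauthenticated attackers.'
}
if ($rdpEnabled -and -not $nlaOn) {
    Write-Warning 'RDP is enabled without Network Level Authentication.'
    if ($EnforceNla) {
        Set-ItemProperty -Path $rdpKey -Name UserAuthentication -Value 1 -Type DWord
        'Set UserAuthentication=1 (NLA required) on RDP-Tcp.'
    }
}
```

Run it as `.\Check-BlueKeep.ps1` to report, or with `-EnforceNla` to turn NLA on where RDP is enabled without it; across a fleet, wrap it in Invoke-Command. Note that the script only inspects the host itself: whether TCP 3389 is actually reachable from the Internet has to be checked from the outside, at the firewall or with a port scan of your own address space.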