Computerworld

NSA, Microsoft implore enterprises to patch Windows' 'BlueKeep' flaw before it's too late

Warnings refer to vulnerabilities in Windows' Remote Desktop Services that could be exploited by attackers; patches have been available since May 14

The U.S. National Security Agency (NSA) has called on IT administrators to apply security updates issued by Microsoft three weeks ago, adding to a chorus of voices urging haste.

"The National Security Agency is urging Microsoft Windows administrators and users to ensure they are using a patched and updated system in the face of growing threats," the NSA said in a June 4 advisory.

The agency's advice followed by several days that of Microsoft itself. On Thursday, May 30, a company official reminded users of the updates - which the company released May 14 - and implied that time is short.

"We strongly advise that all affected systems should be updated as soon as possible," Simon Pope, the director of incident response at the Microsoft Security Response Center (MSRC), wrote in a blog post.

Microsoft's plea, at least, was unusual. Once the developer has released a fix it has rarely circled back to remind customers to install a patch, instead assuming that they have done what they were supposed to.

The NSA and Microsoft warnings were about flaws in Windows' Remote Desktop Services that could be exploited by attackers in ways that made the bugs especially dangerous. The vulnerabilities have been stickered with the "BlueKeep" label.

"We warned that the vulnerability is 'wormable,' and that future malware that exploits this vulnerability could propagate from vulnerable computer to vulnerable computer in a similar way as the WannaCry malware spread across the globe in 2017," Pope said.

The vulnerabilities were so serious that Microsoft made the unprecedented decision to deliver patches not only to still-supported versions of Windows, including Windows 7, but to the outdated Windows XP, which was retired more than five years ago.

WannaCry, a ransomware attack that surged across the globe in May 2017, was cited several times by Pope to drive home his point.

"There has been no sign of a worm yet [but] this does not mean that we're out of the woods," he said. "If we look at the events leading up to the start of the WannaCry attacks, they serve to inform the risks of not applying fixes for this vulnerability in a timely manner.

"It is possible that we won't see this vulnerability incorporated into malware," concluded Pope. "But that's not the way to bet."

On that score, in fact, Pope intimated that Microsoft knows more than it's saying. "Microsoft is confident that an exploit exists for this vulnerability," he said in last week's blog post. Then on Twitter this week after the NSA issued its bulletin, Pope tweeted, "I cannot urge you enough to patch your systems as soon as possible."

The NSA was almost as sure that doom was on the horizon. "It is likely only a matter of time before remote exploitation code is widely available for this vulnerability.

NSA is concerned that malicious cyber actors will use the vulnerability in ransomware and exploit kits containing other known exploits, increasing capabilities against other unpatched systems."

It's unclear what, exactly, drove Microsoft's Pope, then the NSA, to issue their patch-now alerts. It may have been the results of an Internet-wide scan by Robert Graham of Errata Security. According to Graham, as of a week ago, almost a million public-facing Windows systems were vulnerable to attack.

"This will likely lead to an event as damaging as WannaCry and notPetya from 2017," Graham wrote in a post. "Hackers are likely to figure out a robust exploit in the next month or two and cause havoc with these machines."

Pope cited Graham's survey when he told Windows users to patch pronto, adding that, "Many more within corporate networks may also be vulnerable. [And] it only takes one vulnerable computer connected to the internet to provide a potential gateway into these corporate networks."

Microsoft has provided links to patches for Windows XP, Windows Vista and Windows Server 2003 here; fixes for Windows 7, Windows Server 2008 and Windows Server 2008 R2 can be found here.