ALMOST ONE MILLION Windows systems are still vulnerable to the "wormable" BlueKeep security flaw, almost two weeks after the release of a security patch by Microsoft.
BlueKeep, indexed as CVE-2019-0708, lies in the Remote Desktop Protocol (RDP) service and affects older versions of the Windows operating system.
It is considered so serious that the company produced patches for out-of-support operating systems, including Windows XP, in a bid to prevent another WannaCry-style exploit from emerging.
The bug came to prominence earlier this month when Microsoft issued a patch for it in its May 2019 Patch Tuesday. At that time, the company warned that the flaw is "wormable" and could be exploited by hackers to spread malware, as they did in 2017 to spread WannaCry and, later, NotPetya.
The vulnerability is pre-authentication and requires no user interaction. Because it is wormable, any malware exploiting it can spread from one vulnerable system to another without user interaction.
Robert Graham, head of security research firm Errata Security, recently performed new internet scans using the "rdpscan" tool and found that about 950,000 publicly accessible machines on the internet are still vulnerable to BlueKeep attacks.
"To scan the internet, I started with masscan, my Internet-scale port scanner, looking for port 3389, the one used by Remote Desktop. This takes a couple hours, and lists all the devices running Remote Desktop - in theory," Graham wrote in a blog post.
Initially, it was thought that around 7.6 million systems connected to the internet could be attacked using the BlueKeep flaw. But, according to Graham, most of the 7.6 million systems that have RDP port 3389 exposed to the internet are either non-Windows systems or are not running an RDP service on that port.
The BlueKeep bug is so dangerous that it forced Microsoft to release a new patch for some of its no longer supported operating systems, including Windows XP, Windows Vista and Windows Server 2003, in an attempt to prevent the potentially "wormable" flaw from spreading.
Graham has also released his scanning tool to the public domain to enable system administrators to scan their networks for vulnerable Windows machines.
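For administrators who run rdpscan over their own address ranges, the results still have to be sorted into hosts to patch, hosts that are safe and hosts whose state could not be determined. The following is an added example, not code from Graham or from this article; it assumes rdpscan writes one `ip - STATUS - reason` line per target, and the sample lines and addresses are constructed.

```python
import re
from collections import Counter, defaultdict

# Constructed sample results (documentation-range addresses). Assumption:
# one "ip - STATUS - reason" line per scanned target.
SAMPLE = """\
192.0.2.10 - VULNERABLE - got appid
192.0.2.11 - SAFE - Target appears patched
192.0.2.12 - SAFE - CredSSP/NLA required
192.0.2.13 - UNKNOWN - no connection - timeout
192.0.2.14 - UNKNOWN - RDP protocol error - receive timeout
192.0.2.15 - UNKNOWN - no connection - refused (RST)
this line is noise
"""

LINE = re.compile(r"^(\S+) - (VULNERABLE|SAFE|UNKNOWN) - (.+)$")

def triage(text):
    """Group hosts by status and count the reason strings seen per status."""
    hosts = defaultdict(list)
    reasons = defaultdict(Counter)
    skipped = 0
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE.match(line)
        if not m:
            skipped += 1          # banner text, truncated lines, etc.
            continue
        ip, status, reason = m.groups()
        hosts[status].append(ip)
        reasons[status][reason.strip()] += 1
    return hosts, reasons, skipped

def report(text):
    """Summary for a patching ticket. UNKNOWN hosts are not cleared:
    they were not confirmed as RDP and need a re-check."""
    hosts, reasons, skipped = triage(text)
    out = [f"unparsed lines: {skipped}"]
    for status in ("VULNERABLE", "SAFE", "UNKNOWN"):
        out.append(f"{status}: {len(hosts[status])}")
        for reason, n in reasons[status].most_common():
            out.append(f"  {n:>4}  {reason}")
    out.append("patch first: " + ", ".join(hosts["VULNERABLE"]))
    return "\n".join(out)

if __name__ == "__main__":
    print(report(SAMPLE))
```

The UNKNOWN breakdown is the local equivalent of Graham's observation that an open port 3389 does not by itself mean a working RDP service.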
He also advises large enterprises to fix issues related to PsExec - a command-line tool that can be used by IT admins to execute processes on remote systems. This command-line tool can enable a worm to spread throughout the entire network from one infected system.
"You may have only one old WinXP machine that's vulnerable, that you don't care if it gets infected with ransomware," Graham wrote.
"But that machine may have a Domain Admin logged in, so that when the worm breaks in, it [can] grab those credentials.
"Then, from the Domain Controller, the worm sends a copy of itself to all the desktop and servers in the organisation, using those credentials instead of the vuln." µ