BlueKeep patching isn’t progressing fast enough

As of early July, more than 805,000 internet-facing systems remained susceptible to the BlueKeep security vulnerability, the news of which spooked the internet two months ago and prompted a flurry of alerts urging users and organizations to patch the critical flaw post-haste.

The tally, released today by cybersecurity ratings company BitSight, also shows that the number of vulnerable public-facing machines fell by 17 percent between May 31^st and July 2^nd, after the firm’s previous scan from the end of May put their number at almost 973,000. That said, neither figure includes computers that are within networks and are hidden from view, but may still be susceptible to lateral attacks.

In addition, BitSight looked at mitigation progress in various industries. While “progress has been made across the board”, legal, non-profit/NGOs and Aerospace/Defense have been the most responsive industries addressing BlueKeep. Meanwhile, the list of laggards includes consumer goods, utilities, and technology industries. Telecom and education are deemed to be the most exposed overall.

When it comes to countries, organizations in China and the United States remain the most exposed, although both of them have also made the biggest strides in patching the flaw.

Why worry?

As discussed in greater length in one of our recent articles, the BlueKeep vulnerability resides in a Windows component known as Remote Desktop Services. The flaw, designated CVE-2019-0708, affects Windows XP, Windows 7, Windows Server 2003 and Windows Server 2008. By contrast, Windows 8 and Windows 10 are not affected.

Worries abound that an exploit targeting the Remote Code Execution (RCE) vulnerability could soon be let loose on the internet and cause untold damage, providing attackers with access to a system via a backdoor and without requiring user credentials or interaction. Additionally, the flaw is ‘wormable’, meaning that exploits might use it to spread malware within or outside of networks much like WannaCryptor, also known as WannaCry, did in May 2017.

Since rolling out the patch on May 14^th, Microsoft has issued two alerts urging users and admins to install the fix. The United States’ National Security Agency (NSA) and, most recently, also the Cybersecurity and Infrastructure Security Agency (CISA) of the US Department of Homeland Security (DHS) have both issued rare warnings of their own.

Security researchers have been able to create several proof-of-concept exploits, but none of them are publicly available. Fortunately, there is no evidence of BlueKeep being exploited in the wild, although it is widely believed that it won’t take long before cybercriminals deploy a working exploit of their own.