Microsoft almost begs Windows users to fix the BlueKeep bug




Microsoft security officials say they are confident that an exploit exists for BlueKeep, the recently patched vulnerability that has the potential to trigger self-replicating attacks as destructive as the 2017 WannaCry attack that shut down computers all over the world.

In a blog post published Thursday night, members of the Microsoft Security Response Center cited findings published Tuesday by Errata Security CEO Rob Graham that nearly one million Internet-connected computers remain vulnerable to attack. This indicates that these machines have yet to install an update Microsoft released two weeks ago to fix the so-called BlueKeep vulnerability, which is formally tracked as CVE-2019-0708. Exploits can reliably execute malicious code with no interaction from an end user. The severity of the situation prompted Microsoft to take the unusual step of issuing fixes for Windows 2003, XP, and Vista, which have been out of support for four, five, and two years, respectively.

Thursday's post warned once again that inaction could trigger another worm of WannaCry's magnitude, which caused hospitals to turn away patients and paralyzed banks, shipping docks, and transportation centers around the world. In Thursday's post, MSRC officials wrote:

Microsoft is convinced that there is an exploit for this vulnerability and, if recent reports are accurate, nearly one million computers connected directly to the Internet are still vulnerable to CVE-2019-0708. Many others within business networks may also be vulnerable. A single vulnerable computer connected to the Internet is enough to create a gateway to these corporate networks, where advanced malware could spread and infect the company's computers. This scenario could be even worse for those who have not kept their internal systems up to date with the latest patches, as any future malware could also attempt to exploit more vulnerabilities that have already been fixed.

Microsoft reminded users that WannaCry was released only two months after the release of MS17-010, the update that patched the vulnerability WannaCry exploited. That vulnerability resided in SMBv1, an older version of the Server Message Block protocol that allows a computer to share files and directories with other computers. Security experts use the term "wormable" to describe the vulnerability because of its ability to spawn worms, which are self-replicating attacks that require no interaction from end users. The BlueKeep flaw, on the other hand, stems from a "dangling pointer" bug in the Remote Desktop Protocol, which provides a graphical interface for connecting to another computer over the Internet.

Of course, the big difference two years ago was the public release of Eternal Blue, an exploit developed by, and later stolen from, the National Security Agency, which is undoubtedly the most advanced hacking organization in the world. A still-unidentified group calling itself the Shadow Brokers published Eternal Blue in April 2017. That release gave even inexperienced hackers around the world a simple way to reliably force vulnerable computers to execute code of their choice. A month later, the WannaCry worm reused Eternal Blue and eventually infected computers around the world in a matter of hours.

This time, there has been no public release of code that exploits BlueKeep, although a handful of white hat hackers have reported independently developing exploits that proved to be as wormable as Microsoft had warned. It is unclear exactly what MSRC officials meant when they wrote that they were "convinced that there is an exploit for this vulnerability." They could be referring to the same white hat hackers described above. Or they could be referring to more malicious actors. Ars asked Microsoft for more details and will update this post if representatives provide them.

Microsoft is asking anyone using a vulnerable computer to update immediately. The flaw affects Windows versions from XP through Server 2008 R2. Anyone using any of these versions must ensure that a patch is in place. They must also verify that RDP is not exposed to the Internet unless it is absolutely necessary. Enabling Network Level Authentication for Remote Desktop Services is a useful step, but it is ineffective against attackers who have network passwords, as is common in ransomware infections. Windows 8 and 10 are not affected.
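
One way to check a single machine for the three things the paragraph above asks for, as an added example that is not from the article or from Microsoft. The registry paths are the standard Windows Terminal Services locations, and `$PatchKb` is a placeholder because the article does not give the update's KB number.

```powershell
# Added example: read-only local audit of patch state, RDP state and NLA.
# Assumption: $PatchKb is a placeholder; substitute the KB that applies to
# this Windows version from Microsoft's advisory for CVE-2019-0708.
$PatchKb = 'KB-PLACEHOLDER'

$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpKey = Join-Path $tsKey 'WinStations\RDP-Tcp'

function Get-RegValue([string]$Path, [string]$Name) {
    # Returns $null when the value is absent (e.g. no NLA setting on old builds).
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item) { $item.$Name } else { $null }
}

$deny = Get-RegValue $tsKey  'fDenyTSConnections'   # 0 = RDP connections allowed
$nla  = Get-RegValue $rdpKey 'UserAuthentication'   # 1 = NLA required
$port = Get-RegValue $rdpKey 'PortNumber'           # 3389 unless changed

$rdpEnabled  = ($deny -eq 0)
$nlaRequired = ($nla -eq 1)
$patched     = [bool](Get-HotFix | Where-Object { $_.HotFixID -eq $PatchKb })

$findings = @()
if (-not $patched) {
    $findings += "Update $PatchKb not found among installed hotfixes"
}
if ($rdpEnabled -and -not $nlaRequired) {
    $findings += "RDP is enabled on port $port without Network Level Authentication"
}
if ($rdpEnabled -and $nlaRequired) {
    $findings += "NLA is on, but it does not stop an attacker who holds valid network credentials"
}
if ($rdpEnabled) {
    $findings += "Confirm at the perimeter firewall that port $port is not reachable from the Internet"
}

# New-Object is used instead of [pscustomobject] so this also runs on PowerShell 2.0.
New-Object PSObject -Property @{
    Computer    = $env:COMPUTERNAME
    Patched     = $patched
    RdpEnabled  = $rdpEnabled
    NlaRequired = $nlaRequired
    RdpPort     = $port
    Findings    = $findings
}
```

Group Policy can override these local values, and Internet exposure can only be confirmed from outside the host, so the output describes the machine's own configuration rather than its reachability.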
