Microsoft has reminded users to patch the Windows vulnerability tracked as BlueKeep and CVE-2019-0708 due to the high risk of exploitation.
The vulnerability affects Windows Remote Desktop Services (RDS) and it was addressed by Microsoft with its May 2019 Patch Tuesday updates. The flaw has been described by the company as wormable and it can be leveraged by malware to spread similar to the way the notorious WannaCry ransomware did back in 2017 through the EternalBlue exploit.
An unauthenticated attacker can use the weakness to execute arbitrary code and take control of a device without any user interaction. Microsoft has released patches for Windows 7, Server 2008, XP and Server 2003.
The company on Thursday reminded users to update their systems after a researcher reported detecting nearly one million vulnerable devices exposed to the internet.
“Many more within corporate networks may also be vulnerable,” Simon Pope, Director of Incident Response at Microsoft Security Response Center (MSRC), said in a blog post. “It only takes one vulnerable computer connected to the internet to provide a potential gateway into these corporate networks, where advanced malware could spread, infecting computers across the enterprise. This scenario could be even worse for those who have not kept their internal systems updated with the latest fixes, as any future malware may also attempt further exploitation of vulnerabilities that have already been fixed.”
The company says it’s “confident that an exploit exists for this vulnerability” and that even though a worm has yet to be seen, it does not mean that a piece of malware will not eventually incorporate an exploit for CVE-2019-0708.
“Our recommendation remains the same. We strongly advise that all affected systems should be updated as soon as possible,” Pope said. “It is possible that we won’t see this vulnerability incorporated into malware. But that’s not the way to bet.”
Microsoft has pointed out that the WannaCry ransomware, which caused significant damage to organizations worldwide, successfully used the EternalBlue exploit nearly two months after the company released a patch.
Several cybersecurity firms and researchers claim to have already developed proof-of-concept (PoC) exploits for the BlueKeep vulnerability, including ones that achieve remote code execution. Some partial PoC exploits have been made public and at least two organizations reported seeing scanning activity targeting CVE-2019-0708.
Organizations have been warned that the vulnerability poses a risk not only to IT networks, but also to industrial and healthcare environments.