Despite the Microsoft-issued patch for BlueKeep, attackers are still exploiting the infamous vulnerability, underlining a problem with the way patches are applied in organizations and by individual users.
The SANS Institute observed exploitation of the BlueKeep vulnerability in real time over a period of a few months. The researchers used a tool named Shodan to monitor honeypots intentionally exposed to the Internet without the BlueKeep patch installed.
BlueKeep, tracked as CVE-2019-0708, is a vulnerability in the Remote Desktop Protocol (RDP) service affecting Windows XP, Windows 7, Windows Server 2003, and Windows Server 2008. The vulnerability could allow remote code execution without triggering any alarms on the targeted endpoint. The problem was so bad that Microsoft quickly issued a patch even for operating systems that were no longer officially supported.
“This vulnerability is pre-authentication and requires no user interaction. An attacker who successfully exploited this vulnerability could execute arbitrary code on the target system,” said Microsoft in the initial advisory. “An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.”
An estimated 1 million computers were running exploitable operating systems when the patch was issued in May, but SANS researchers discovered that many of them remained unpatched. Simply put, Microsoft’s patch was mostly ignored by individuals and companies alike.
“As we may see, the percentage of vulnerable systems seems to be falling more or less steadily for the last couple of months and it appears that media coverage of the recent campaign didn’t do much to help it,” according to SANS researchers. “And since there still appear to be hundreds of thousands of vulnerable systems out there, we have to hope that the worm everyone expects doesn’t arrive any time soon.”
The number of systems vulnerable to BlueKeep is dropping, but not fast enough. Where the patch cannot be installed, the workaround is to disable the RDP feature altogether if it is not in use.
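The following PowerShell audit script is an added example, not code from the article, SANS or Microsoft. It reports whether a Windows host is in the affected OS family named above, whether RDP is enabled, and whether the patch is installed (the KB number is not given in the article, so it is passed in as a parameter from Microsoft's advisory), and with -DisableRdp it applies the workaround of turning RDP off. The NT version-to-release mapping in the comments is an assumption of the example.

```powershell
<#
 Added example (not from the article). Audits one Windows host for the exposure
 the article describes and, with -DisableRdp, applies its workaround.
 Run from an elevated prompt on the host being checked.
#>
param(
    [string]$PatchKb = 'KB<number from the Microsoft CVE-2019-0708 advisory>',  # placeholder
    [switch]$DisableRdp
)

# Get-WmiObject is used because the affected systems predate Get-CimInstance.
$os = Get-WmiObject -Class Win32_OperatingSystem
$major, $minor = ($os.Version -split '\.')[0..1] | ForEach-Object { [int]$_ }
# Assumed NT version mapping: 5.x = XP / Server 2003, 6.0 = Vista / Server 2008,
# 6.1 = Windows 7 / Server 2008 R2. Windows 8 and later (6.2+) are not affected.
$affectedOs = ($major -eq 5) -or ($major -eq 6 -and $minor -le 1)

# RDP is disabled when fDenyTSConnections is 1; 0 (or a missing value) means enabled.
$tsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$deny = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
$rdpEnabled = ($deny -ne 1)

# Get-HotFix lists installed updates; an absent KB yields nothing, which casts to $false.
$patched = [bool](Get-HotFix -Id $PatchKb -ErrorAction SilentlyContinue)

$status = [pscustomobject]@{
    ComputerName = $env:COMPUTERNAME
    OsCaption    = $os.Caption
    AffectedOs   = $affectedOs
    RdpEnabled   = $rdpEnabled
    PatchPresent = $patched
    Exposed      = ($affectedOs -and $rdpEnabled -and -not $patched)
}
$status | Format-List

if ($status.Exposed -and $DisableRdp) {
    # The article's workaround: turn RDP off entirely where it is not needed.
    Set-ItemProperty -Path $tsKey -Name fDenyTSConnections -Value 1 -Type DWord
    Stop-Service -Name TermService -Force -ErrorAction SilentlyContinue
    Set-Service -Name TermService -StartupType Disabled
    Write-Warning 'RDP disabled on this host; install the patch and re-enable RDP only if it is required.'
}
```

Without -DisableRdp the script only reports, so it can be run across a fleet to find hosts that still need the patch before anything is changed.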