Why Patching BlueKeep is Such a Big Deal

Here's why it's important to patch your systems as quickly as possible when a new vulnerability emerges: several people have already developed proof of concept exploits for the recently-announced BlueKeep flaw, according to reports. 

Concern over BlueKeep - officially named CVE-2019-0708 - is running high because attackers could use it to create a worm. This could connect to other machines and infect them without user intervention. 

The flaw, which Microsoft has already patched, exploits a remote code execution vulnerability in Windows Remote Desktop Services enabling an attacker to take complete control of a machine. It only affects pre-Windows 8 machines, but there are enough of them out there (around 35% of desktop Windows installations) that it's a big deal. 

Since Microsoft announced it, several security vendors have developed code to exploit it or at least confirmed that it's exploitable. These include zero-day market Zerodium, which cracked it on May 15, Kaspersky (May 20), CheckPoint, and McAfee, which announced its implementation on May 21.

Those companies are keeping the code to themselves for obvious reasons but there are also at least two partial exploits in the wild, according to cybersecurity training company SANs in a May 22 blog post. It points to two GitHub repositories containing proof of concept code that triggers the vulnerability without doing anything nasty to the target machine. 

"It does appear non-trivial to develop a reliable remote code execution exploit for this vulnerability, which will hopefully get us a few more days until one is publicly available," SANS says. "However, exploit development is active, and I don't think you have more than a week." 

WannaCry hit two months after Microsoft patched the flaw that it exploited. This time, people are sounding the alarm about the flaw even louder and longer. 

One of the problems with WannaCry was that many companies couldn't easily patch old machines if they were supporting critical processes. In addition to Microsoft's own patch, though, BlueKeep has a 'micropatch' courtesy of 0Patch. This runs in memory and so doesn't require any changes to the binary. Micropatches are good fix-me-ups until you're able to apply the official fix.

What’s Hot on Infosecurity Magazine?