Microsoft Windows administrators and users are being urged by the National Security Agency (NSA) to verify that they are using a patched and updated system in order to protect against cyber-threats.
In a June 4 advisory, the NSA referenced recent warnings by Microsoft of a potentially 'wormable' remote code execution vulnerability (CVE-2019-0708), dubbed “BlueKeep,” that could spread across the internet without user interaction.
Despite Microsoft having issued a patch, the NSA said that potentially millions of users remain vulnerable.
“We have seen devastating computer worms inflict damage on unpatched systems with wide-ranging impact, and are seeking to motivate increased protections against this flaw...in Remote Desktop Services (RDS) on legacy versions of the Windows® operating system,” the advisory stated.
“This is the type of vulnerability that malicious cyber actors frequently exploit through the use of software code that specifically targets the vulnerability. For example, the vulnerability could be exploited to conduct denial of service attacks. It is likely only a matter of time before remote exploitation tools are widely available for this vulnerability. NSA is concerned that malicious cyber actors will use the vulnerability in ransomware and exploit kits containing other known exploits, increasing capabilities against other unpatched systems.”
While newer versions of Windows are reportedly protected against this vulnerability, several versions remain at risk if not patched, including: Windows XP, Windows 7, Windows Vista, Windows Server 2003, Windows Server 2008 and Windows Server 2008 R2.
In a May 14 blog post, Microsoft noted that it has not yet observed any exploitation of this vulnerability, though there is a high likelihood that “malicious actors will write an exploit for this vulnerability and incorporate it into their malware.” However, an anonymous researcher has already published a proof-of-concept (PoC).
“Businesses who fail to heed the NSA's warning ignore it at their peril. Anyone looking for evidence to justify patching or moving off of legacy systems need only look at the damage left in the wake of NotPetya and WannaCry,” said Rick Holland, CISO, vice president of strategy at Digital Shadows.
“Maersk's financial statements clearly show the potential costs of 'wormable' vulnerabilities. In the short term, businesses should isolate the systems that must run legacy software. More strategically, companies must have a plan to retire unsupported systems, even if it takes several years.”
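A quick host-side check that follows the advice above: confirm the box is not one of the unpatched legacy versions listed earlier that is still accepting Remote Desktop connections. This is an added example, not code from the article, the NSA advisory or Microsoft; it assumes WMI and the standard Terminal Server registry key, and the KB identifier is a placeholder you must replace with the CVE-2019-0708 fix for your build.

```powershell
# Added example: flag a Windows host that is both in the BlueKeep-affected OS list
# (Windows XP, Vista, 7, Server 2003, 2008, 2008 R2) and still has Remote Desktop
# Services enabled without the CVE-2019-0708 fix installed.
# Uses Get-WmiObject and Get-Service so it also runs under PowerShell 2.0 on Windows 7.

# Placeholder: set this to the KB article that ships the CVE-2019-0708 fix for your OS build.
$PatchKB = 'KBxxxxxxx'

# NT kernel versions of the releases the article names as at risk if unpatched.
$AffectedVersions = @{
    '5.1' = 'Windows XP'
    '5.2' = 'Windows Server 2003'
    '6.0' = 'Windows Vista / Windows Server 2008'
    '6.1' = 'Windows 7 / Windows Server 2008 R2'
}

function Test-BlueKeepExposure {
    $os  = Get-WmiObject -Class Win32_OperatingSystem
    $ver = [version]$os.Version                 # e.g. 6.1.7601
    $key = "$($ver.Major).$($ver.Minor)"
    $legacy = $AffectedVersions.ContainsKey($key)

    # fDenyTSConnections = 0 means Remote Desktop connections are allowed.
    $ts = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' `
                           -Name fDenyTSConnections -ErrorAction SilentlyContinue
    $rdpAllowed = ($ts -ne $null) -and ($ts.fDenyTSConnections -eq 0)

    # TermService is the Remote Desktop Services service.
    $svc = Get-Service -Name TermService -ErrorAction SilentlyContinue
    $rdsRunning = ($svc -ne $null) -and ($svc.Status -eq 'Running')

    # Approximate: the fix may arrive in a monthly rollup under a different KB number,
    # so treat a "not patched" result as a prompt to verify, not a final verdict.
    $patched = [bool](Get-HotFix -Id $PatchKB -ErrorAction SilentlyContinue)

    New-Object PSObject -Property @{
        Host       = $env:COMPUTERNAME
        OS         = $os.Caption
        LegacyOS   = $legacy
        RdpAllowed = $rdpAllowed
        RdsRunning = $rdsRunning
        Patched    = $patched
        # Exposed = legacy release, RDS reachable, and no fix recorded.
        Exposed    = $legacy -and ($rdpAllowed -or $rdsRunning) -and (-not $patched)
    }
}

Test-BlueKeepExposure | Format-List
```

Hosts reporting `Exposed : True` are the ones the article says to patch first or, if they must keep running legacy software, to isolate from the network until they can be retired.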