Microsoft warns of the danger that the critical Remote Desktop Services vulnerability CVE-2019-0708 will soon lead to a major malware outbreak on up to one million Windows computers.
In a Technet blog post titled A Reminder to Update Your Systems to Prevent a Worm Microsoft reminds users to patch their vulnerable Windows systems against the CVE-2019-0708 vulnerability, aka BlueKeep.
Vulnerability CVE-2019-0708, some background
Remote Desktop Services, formerly known as Terminal Services, has a serious vulnerability, CVE-2019-0708, in older Windows versions. An unauthenticated attacker can connect to a target system via RDP and send specially crafted requests. The core problem is that the attacker does not need to authenticate at all to gain access to the system.
An attacker who has successfully exploited this vulnerability could execute arbitrary code on the target system. This includes installing programs, viewing, modifying, or deleting data, and creating new accounts with full user privileges. This critical vulnerability exists in the following versions of Windows:
Starting with Windows 8, the vulnerability no longer exists in the Remote Desktop service. On May 14, 2019, Microsoft released a security update for older versions of Windows, from Windows XP to Windows 7, that closes the critical CVE-2019-0708 vulnerability in Remote Desktop Services. I had warned about that vulnerability in my blog post Critical update for Windows XP up to Windows 7 (May 2019).
Patches are available
On May 14, 2019, Microsoft released updates for Windows XP up to Windows 7 and their Server counterparts to mitigate CVE-2019-0708. I reported about that in my blog post Critical update for Windows XP up to Windows 7 (May 2019). Microsoft has also published the article Customer guidance for CVE-2019-0708 | Remote Desktop Services Remote Code Execution Vulnerability: May 14, 2019, where links to the related updates may be found. And here are the downloads for distinct Windows versions:
Exploits exist or will come
Microsoft is confident that an exploit exists for this vulnerability. My summary about exploits from 10 days ago may be read in the blog post BlueKeep: Windows Remote Desktop Services vulnerability exploits status. Security researchers reported a week ago that a threat actor is scanning the Internet for Windows systems vulnerable to BlueKeep. I addressed this in my blog post A threat actor scans Windows systems for BlueKeep vulnerability. So it is only a matter of time until attackers are able to use a working exploit to infect unpatched Windows systems.
One million machines unpatched
Robert Graham, head of security research firm Errata Security, has also conducted an Internet scan for the BlueKeep vulnerability. As he writes here, he came across almost 1 million unpatched systems connected directly to the internet that are still vulnerable to CVE-2019-0708. Many more within corporate networks may also be vulnerable.
Microsoft warns: It only takes one vulnerable computer connected to the internet to provide a potential gateway into these corporate networks, where advanced malware could spread, infecting computers across the enterprise. This scenario could be even worse for those who have not kept their internal systems updated with the latest fixes, as any future malware may also attempt further exploitation of vulnerabilities that have already been fixed.
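The two exposure tiers Microsoft describes, internet-facing hosts as the entry point and unpatched internal hosts as the next hop, can be triaged from an asset inventory. The following is an added example, not code from the original post; the inventory CSV is constructed, and the mapping of "Windows XP up to Windows 7 and their Server counterparts" to Server 2003 and Server 2008/2008 R2 is an assumption made here.

```python
"""Triage an asset inventory for hosts exposed to CVE-2019-0708 (BlueKeep).

Affected range (assumption based on the post: XP up to Windows 7 and their Server
counterparts): Windows XP, Vista, 7, Server 2003, Server 2008 and 2008 R2.
Windows 8 and later, and Server 2012 and later, are treated as not affected.
"""
import csv
import io
import re

# Version patterns inside the affected range. "Windows 8", "Windows 10" and
# "Windows Server 2012" deliberately do not match any alternative.
AFFECTED = re.compile(
    r"windows\s+(xp|vista|7|server\s+2003|server\s+2008)\b", re.IGNORECASE
)

# Constructed inventory: host, OS string, whether TCP/3389 is reachable from the
# internet, and whether the May 14, 2019 RDS update is reported as installed.
INVENTORY_CSV = """\
host,os,rdp_internet_exposed,rds_patch_installed
fileserver01,Windows Server 2008 R2 SP1,yes,no
kiosk-07,Windows XP Professional SP3,yes,no
hr-laptop-12,Windows 7 Enterprise SP1,no,no
web-edge-02,Windows Server 2012 R2,yes,no
dev-box-03,Windows 10 Pro,yes,no
legacy-app-01,Windows Server 2003 R2,no,yes
"""


def is_affected_os(os_name: str) -> bool:
    """True when the OS string names a version in the affected range."""
    return AFFECTED.search(os_name) is not None


def triage(csv_text: str) -> dict:
    """Sort hosts into: critical (internet-exposed RDP, affected OS, unpatched),
    high (affected and unpatched but internal: reachable once a worm is inside),
    ok (patched or not affected)."""
    result = {"critical": [], "high": [], "ok": []}
    for row in csv.DictReader(io.StringIO(csv_text)):
        vulnerable = is_affected_os(row["os"]) and row["rds_patch_installed"] == "no"
        if not vulnerable:
            result["ok"].append(row["host"])
        elif row["rdp_internet_exposed"] == "yes":
            result["critical"].append(row["host"])
        else:
            result["high"].append(row["host"])
    return result


if __name__ == "__main__":
    for level, hosts in triage(INVENTORY_CSV).items():
        print(f"{level}: {', '.join(hosts) or '-'}")
```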
Will we see infections like WannaCry or NotPetya soon?
Currently there are no signs of an attack or of a worm yet. But this may change daily. A look at the events leading up to the start of the WannaCry attacks indicates the risk of unpatched systems. There was a vulnerability called EternalBlue that became public. Although Microsoft released patches in time, many users didn't install those security updates.
Almost two months passed between the release of fixes for the EternalBlue vulnerability and when ransomware attacks began. Despite having nearly 60 days to patch their systems, many customers had not. A significant number of these customers were infected by the ransomware. Here is the timeline of the WannaCry outbreak that Microsoft compiled in its Technet article.
March 14, 2017: Microsoft releases security bulletin MS17-010 which includes fixes for a set of SMBv1 vulnerabilities.
April 14, 2017: ShadowBrokers publicly releases a set of exploits, including a wormable exploit known as ‘EternalBlue’ that leverages these SMBv1 vulnerabilities.
May 12, 2017: The EternalBlue exploit is used in ransomware attacks known as WannaCry. Hundreds of thousands of vulnerable computers across the globe are infected.
And we have had isolated WannaCry outbreaks months later at German car manufacturer Mercedes, at Taiwanese chip maker TSMC and other companies, caused by unpatched Windows systems. So it is likely that sooner or later we will see a similar scenario with BlueKeep. So be smart and patch your systems.