Despite the Microsoft-issued patch for BlueKeep, attackers are still exploiting the infamous vulnerability, underlining a problem with the way patches are applied in organizations and by individual users.
The SANS Institute observed exploitation of the BlueKeep vulnerability in real time for a few months. The researchers used a tool named Shodan to monitor honeypots intentionally exposed to the Internet without the BlueKeep patch installed.
BlueKeep, tracked as CVE-2019-0708, is a vulnerability in the Remote Desktop Protocol (RDP) service affecting Windows XP, Windows 7, Windows Server 2003, and Windows Server 2008. The vulnerability could allow remote code execution without triggering any alarms on the targeted endpoint. The problem was so bad that Microsoft quickly issued a patch even for operating systems that were no longer officially supported.
“This vulnerability is pre-authentication and requires no user interaction. An attacker who successfully exploited this vulnerability could execute arbitrary code on the target system,” said Microsoft in the initial advisory. “An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.”
An estimated 1 million computers were running exploitable operating systems when the patch was issued in May, but SANS researchers discovered that many of them remained unpatched. Simply put, Microsoft’s patch was mostly ignored by individuals and companies alike.
“As we may see, the percentage of vulnerable systems seems to be falling more or less steadily for the last couple of months and it appears that media coverage of the recent campaign didn’t do much to help it,” according to SANS researchers. “And since there still appear to be hundreds of thousands of vulnerable systems out there, we have to hope that the worm everyone expects doesn’t arrive any time soon.”
The number of systems vulnerable to BlueKeep is dropping, but not fast enough. Where installing the patch is not an option, the workaround is to disable the RDP feature altogether on systems that don’t need it.
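The workaround above can be checked and applied on a single host with a script like this one, an added example that is not from the article or SANS. It assumes an elevated PowerShell 2.0 or later session on Windows 7 or Server 2008 (Windows XP and Server 2003 normally lack PowerShell) and RDP on its default port 3389, and it only changes anything when run with -Disable.

```powershell
# Added example (not from the article or SANS): audit Remote Desktop on a host and
# optionally disable it, the workaround the article describes for systems that
# cannot take the patch. Assumes an elevated PowerShell 2.0+ session on Windows 7
# or Server 2008; run with -Disable to apply the change.
param([switch]$Disable)

$tsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'

# OS families the article lists as affected by CVE-2019-0708.
$affected = 'Windows XP', 'Windows 7', 'Windows Server 2003', 'Windows Server 2008'
$os = (Get-WmiObject Win32_OperatingSystem).Caption
$isAffectedFamily = $false
foreach ($name in $affected) {
    if ($os -like "*$name*") { $isAffectedFamily = $true }
}
Write-Host "OS: $os (listed as affected: $isAffectedFamily)"

# fDenyTSConnections = 0 means Remote Desktop accepts incoming connections.
$deny = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections).fDenyTSConnections
$rdpEnabled = ($deny -eq 0)
Write-Host "Remote Desktop enabled: $rdpEnabled"

# Is anything actually listening on the default RDP port (3389)?
$listening = netstat -ano | Select-String ':3389\s+.*LISTENING'
Write-Host "RDP listener present: $([bool]$listening)"

if ($isAffectedFamily -and $rdpEnabled) {
    Write-Warning "Host in an affected OS family with RDP enabled; confirm the patch is installed or disable RDP."
    if ($Disable) {
        # Stop accepting RDP connections and close the Remote Desktop firewall rule group.
        Set-ItemProperty -Path $tsKey -Name fDenyTSConnections -Value 1
        netsh advfirewall firewall set rule group="remote desktop" new enable=No | Out-Null
        Write-Host "Remote Desktop disabled."
    }
}
```

Without -Disable the script only reports, so it can be run across a fleet first to find the legacy hosts that still expose RDP.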