For months, systems administrators have been racing to patch their Windows systems against BlueKeep, a critical vulnerability in Microsoft’s Remote Desktop Protocol that could enable a global, internet-chewing worm if not fixed across hundreds of thousands of vulnerable computers. That worm has yet to arrive. But now, Microsoft has reset the clock in that race, revealing a collection of new RDP vulnerabilities, two of which could also result in the same sort of global worm—and this time in newer versions of Windows.
Microsoft today warned Windows users of seven new vulnerabilities in Windows that, like BlueKeep, can be exploited via RDP, a tool that lets administrators connect to other computers in a network. Of those seven bugs, Microsoft’s advisory emphasized that two are particularly serious; like BlueKeep, they could be used to code an automated worm that jumps from machine to machine, potentially infecting millions of computers. As Microsoft’s Security Response Center Director of Incident Response Simon Pope writes, “any future malware that exploits these could propagate from vulnerable computer to vulnerable computer without user interaction.”
Unlike BlueKeep, however, the new bugs—half-jokingly named ‘DejaBlue’ by security researchers tracking them—don’t merely affect Windows 7 and earlier, as the earlier RDP vulnerability did. Instead, they affect Windows 7 and beyond, including all recent versions of the operating system.
Marcus Hutchins, a security researcher who has closely followed the RDP vulnerabilities and coded a proof-of-concept tool for exploiting BlueKeep, says that there may well be more machines vulnerable to DejaBlue than to BlueKeep. At this point, nearly every contemporary Windows computer needs to patch, before hackers can reverse engineer those fixes for clues that might help create exploits.
“People who haven’t upgraded since forever might be a little safer from this, but there’s a much larger pool of computers vulnerable to it, I imagine,” Hutchins says. “Of course, if you’re taking account of BlueKeep as well, then this just compounds the problem.”
Unlike BlueKeep, whose discovery Microsoft credited to the British intelligence agency GCHQ, Microsoft says that it found and patched these new bugs itself. “These vulnerabilities were discovered by Microsoft during hardening of Remote Desktop Services as part of our continual focus on strengthening the security of our products,” Microsoft says. “At this time, we have no evidence that these vulnerabilities were known to any third party.” Microsoft didn’t immediately respond to a request for comment.
Since BlueKeep was publicly announced on May 14, the security industry has prodded users to patch, with mixed results: as of a count last month, somewhere between 730,000 and 800,000 computers remained vulnerable to BlueKeep. Rob Graham, a security researcher and founder of Errata Security, built a scanner to measure the number of machines vulnerable to BlueKeep in May and initially found nearly a million vulnerable machines. He now estimates that the number of machines vulnerable to the new RDP bugs is likely in the same ballpark. “It’s starting all over again,” Graham says.
Graham points out, however, that a setting called Network-Level Authentication (NLA) on Windows machines blocks the new set of bugs from being exploited. In his previous scans, he found a total of 1.2 million Windows computers that had that setting enabled. But it’s not clear which versions of Windows those computers are running, or how many other machines don’t have NLA turned on.
The good news is that Windows offers automatic updates by default; those with that feature enabled should be covered soon, if not already. Anyone who has it turned off, though, should turn on NLA now and download Microsoft’s patch against the new RDP bugs.
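One way to audit the two settings the article calls out (whether RDP is exposed and whether NLA is required) across a fleet, as an added PowerShell example that is not part of the article; the function name, the -EnforceNla switch and the host list are this example's own assumptions, and it assumes it runs with administrative rights on Windows.

```powershell
# Added example (not from the article): report a host's RDP exposure and NLA
# state, optionally switching NLA on. Assumes an elevated PowerShell session.
function Get-RdpNlaStatus {
    [CmdletBinding()]
    param(
        [switch]$EnforceNla   # hypothetical switch: turn NLA on if it is off
    )
    $tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $rdpKey = "$tsKey\WinStations\RDP-Tcp"

    # fDenyTSConnections = 1 means inbound RDP is disabled entirely.
    $rdpDisabled = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections `
                    -ErrorAction SilentlyContinue).fDenyTSConnections -eq 1
    # UserAuthentication = 1 means a client must authenticate before a session
    # is set up; this is the NLA setting the article says blocks the new bugs.
    $nlaRequired = (Get-ItemProperty -Path $rdpKey -Name UserAuthentication `
                    -ErrorAction SilentlyContinue).UserAuthentication -eq 1

    if ($EnforceNla -and -not $nlaRequired) {
        # Flip the same setting through the Terminal Services WMI provider so
        # it takes effect without restarting the service.
        $ts = Get-CimInstance -Namespace 'root/cimv2/TerminalServices' `
                -ClassName Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"
        Invoke-CimMethod -InputObject $ts -MethodName SetUserAuthenticationRequired `
                -Arguments @{ UserAuthenticationRequired = 1 } | Out-Null
        $nlaRequired = $true
    }

    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        OSVersion      = $os.Caption
        Build          = $os.BuildNumber
        RdpEnabled     = -not $rdpDisabled
        NlaRequired    = $nlaRequired
        # RDP reachable without prior authentication: the exposure the
        # article describes. NLA reduces it; only the patch removes it.
        NeedsAttention = (-not $rdpDisabled) -and (-not $nlaRequired)
    }
}

# Constructed placeholder host list; replace with your own inventory.
$hosts = @('host1.example.internal', 'host2.example.internal')
Invoke-Command -ComputerName $hosts -ScriptBlock ${function:Get-RdpNlaStatus} |
    Format-Table ComputerName, OSVersion, Build, RdpEnabled, NlaRequired, NeedsAttention
```

Run it read-only first and review the NeedsAttention column; pass -EnforceNla inside the script block only after confirming those hosts' clients support NLA, since enabling it cuts off clients that cannot authenticate up front.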
When BlueKeep first appeared, security researchers and even Microsoft itself warned that it could be integrated into a widespread worm within just weeks that might be as serious as WannaCry or NotPetya, as malicious hackers moved faster than the vast number of vulnerable users who needed to patch. Three months have since passed with no worm in sight, although more stealthy hackers may already be hacking RDP in secret, targeted attacks. The absence of the expected worm, some researchers say, is due to restraint on the part of the security research community, which largely abstained from publicly releasing proof-of-concept hacking tools that exploit BlueKeep. Also, few details have become public about how exactly BlueKeep works, and building a reliable intrusion based on it appears to be surprisingly difficult.
Exploiting DejaBlue might be marginally easier than BlueKeep, says Hutchins, who says coding a BlueKeep exploit took him close to a week of full-time work. The hard part, he says, was manipulating a computer’s memory so that the RDP bug allows the hacker to run their own code instead of crashing the computer. When DejaBlue crashes a computer, Hutchins says, it merely crashes the RDP service on the target device rather than the whole machine, allowing a hacker with an unreliable exploit to use it more stealthily. “BlueKeep required some kind of specialized knowledge,” Hutchins says. “This seems like it might have a larger group of people capable of writing an exploit.”
DejaBlue might be patched more quickly than BlueKeep was, notes Hutchins, since users with newer versions of Windows also tend to patch more reliably. Hutchins also says that after predicting a BlueKeep worm’s arrival well before today, he’s going to hold off on any more speculation. “It’s entirely possible a worm for this might be more likely, but we can’t really predict what people are going to do,” Hutchins says. “The bad guys are going to do what the bad guys are going to do.”