GaudiLab

The NSA warning about the Windows bug BlueKeep is a huge deal

A major security flaw known as BlueKeep is plaguing millions of Windows machines and could result in a significant, widespread cyber attack. Microsoft has issued multiple warnings about the flaw, and this week, in an incredibly rare step, the U.S. National Security Agency (NSA) published a security advisory urging people to update their machines to defend against exploits. The NSA's decision to chime in is telling of just how serious the situation is — and suggests the agency may be learning from past mistakes.

In 2017, a security vulnerability known as EternalBlue was discovered in Windows machines and led to the widespread ransomware attack known as WannaCry. It resulted in well over 200,000 computers being infected. Affected machines were rendered unusable, with all files encrypted by the virus until victims agreed to pay a ransom in bitcoin. It's believed that the attack extorted more than $130,000 from people and businesses who found themselves locked out of their computers.

What is significant to note about WannaCry is that it was spread using an exploit developed by the NSA. The government agency is believed to have used EternalBlue for its own purposes but lost control of the code when a hacking group known as the Shadow Brokers managed to get their hands on it. It wasn't until the code was already in the hands of malicious actors that the NSA finally disclosed the security flaw to Microsoft. The company issued a security patch for it, but many people failed to update and were left vulnerable when WannaCry was launched just a month later.

The NSA issuing its own warning about BlueKeep suggests that the agency may see the potential for a similar style of attack if action isn't taken quickly. "It is likely only a matter of time before remote exploitation code is widely available for this vulnerability," the NSA said in its advisory.

If you have a Windows machine, there is a chance that you are at risk. Here's everything you need to know about BlueKeep and how to protect yourself.

What is BlueKeep, exactly?

Officially, BlueKeep is identified as a Remote Desktop Services Remote Code Execution Vulnerability. In plainer terms, it is a security vulnerability present in Windows that can be exploited remotely (without physical access to a machine). It is also considered to be "wormable," which means it can self-replicate and infect multiple machines on a network. Microsoft has determined BlueKeep to be a critical vulnerability, meaning it is serious and needs to be addressed immediately.

Who is at risk?

Because of its "wormable" capabilities, businesses are particularly good targets. It can be difficult for large organizations to widely implement security patches in a short period of time, leaving many machines on the same network vulnerable to the same type of attack. Businesses are also often notoriously slow in updating their machines and averse to leaving behind old systems, which can come back to bite them in these types of situations.

That said, individuals running vulnerable versions of Windows aren't immune to a potential attack. A malicious actor attempting to exploit BlueKeep will likely be happy to hit any target they can and will take whatever they can get, whether that be sensitive files or bitcoin from a ransom.

Has BlueKeep been exploited yet?

Yes, it is believed that BlueKeep has been exploited. A demo of a potential exploit has been posted on GitHub and security researchers from firms including Zerodium and McAfee claim to have successfully exploited the vulnerability in proof-of-concept attacks.

What versions of Windows are vulnerable?

If you're running Windows 8, 8.1 or 10, you don't need to patch. Your machine should be secure — though you should turn on automatic updates to ensure you are always getting the most recent security patches.

Machines running Windows 2003, Windows XP, Windows 7, Windows Server 2008 R2 and Windows Server 2008 are all at risk.

While those operating systems are all a decade old or more, you would be surprised to learn just how many people still use them. A report from Errata Security found that more than one million internet-connected machines are running a version of Windows that is vulnerable to BlueKeep.

How do I protect my machine?

Microsoft has issued patches to address BlueKeep, including taking the nearly unprecedented step of issuing patches for versions of its operating system that it no longer supports.

If you have a machine running Windows 7, Windows Server 2008 R2 or Windows Server 2008 and have automatic updates enabled, you should already be protected. Assuming your machine has been online since Microsoft issued its patch on May 14, the patch should have been downloaded and installed automatically. If you don't have automatic updates, you can find the appropriate patch from the Microsoft Security Update Guide. Download either the "monthly rollup" of all available updates or the "security only" patch for the version of Windows running on your system and install it.

If you have a computer running Windows 2003 or Windows XP, your machine is no longer supported by Microsoft. Have no fear: the company has still issued a patch that can be downloaded and installed manually. Download the appropriate update from the Microsoft Update Catalog to protect your machine. That said, the best defense is to, if possible, update to a version of Windows that is still receiving active support from Microsoft.
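As an added triage script (not from the article, Microsoft or the NSA advisory), the PowerShell below checks the three things the section above asks you to confirm: whether the host runs one of the Windows releases listed as vulnerable, whether Remote Desktop Services (the component BlueKeep targets) is accepting connections, and whether a security update from Microsoft's May 14 patch date onward is installed. The patch's KB identifiers are not on the page, so the -PatchKB default is a labelled placeholder to replace with the KB number you look up in the Security Update Guide or Update Catalog.

```powershell
# Constructed BlueKeep exposure check; run in an elevated PowerShell on the host.
# Assumption: -PatchKB is a placeholder; fill it with the KB id from the Security Update Guide.
param(
    [string[]]$PatchKB = @('KB-PLACEHOLDER-FROM-SECURITY-UPDATE-GUIDE')
)

# Major.Minor versions of the releases the article lists as at risk:
# XP = 5.1, Server 2003 = 5.2, Server 2008 = 6.0, Windows 7 / Server 2008 R2 = 6.1.
$vulnerableVersions = @('5.1', '5.2', '6.0', '6.1')

# Win32_OperatingSystem reports the true kernel version (works back to PowerShell 2.0).
$osInfo  = Get-WmiObject -Class Win32_OperatingSystem
$osVer   = [version]$osInfo.Version
$osKey   = '{0}.{1}' -f $osVer.Major, $osVer.Minor
$isVulnerableRelease = $vulnerableVersions -contains $osKey

# fDenyTSConnections = 0 means Remote Desktop is enabled on this host.
$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$denyTS = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
$rdpEnabled = ($denyTS -eq 0)

# Look for the patch by KB id; as a weaker fallback, for any update dated on/after May 14, 2019.
$patchDate = Get-Date -Year 2019 -Month 5 -Day 14
$hotfixes  = @(Get-HotFix -ErrorAction SilentlyContinue)
$kbFound   = @($hotfixes | Where-Object { $PatchKB -contains $_.HotFixID }).Count -gt 0
$recentUpdate = @($hotfixes | Where-Object {
    $_.InstalledOn -and ([datetime]$_.InstalledOn) -ge $patchDate
}).Count -gt 0

# Map the findings to the action the article recommends for this host.
if (-not $isVulnerableRelease) { $action = 'Not an affected release; keep automatic updates on' }
elseif ($kbFound)              { $action = 'BlueKeep patch present' }
elseif ($recentUpdate)         { $action = 'Update since May 14 found; confirm it is the BlueKeep KB' }
else                           { $action = 'Install the May 14 patch now, or move to a supported Windows version' }

[pscustomobject]@{
    Caption           = $osInfo.Caption
    OSVersion         = $osKey
    VulnerableRelease = $isVulnerableRelease
    RemoteDesktopOn   = $rdpEnabled
    PatchKBInstalled  = $kbFound
    UpdateSinceMay14  = $recentUpdate
    Action            = $action
}
```

Run it across a fleet (for example via remoting or a scheduled task that writes the object to a share) to find the unpatched Windows 7 / Server 2008 hosts with Remote Desktop enabled before worrying about the rest.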