It’s not every day that the U.S. National Security Agency urges you to update your computer.
Three weeks ago, a critical Windows security vulnerability known as BlueKeep was revealed and fixed. In that short time, Microsoft has repeatedly begged users of older Windows versions to make sure their machines are up to date.
The company even released fixes for Windows XP, Server 2003, and Vista—a slate of unsupported operating systems that usually don’t get much attention.
Now, it’s an American intelligence agency echoing Microsoft.
“Recent warnings by Microsoft stressed the importance of installing patches to address a protocol vulnerability in older versions of Windows,” the NSA advisory read.
“Microsoft has warned that this flaw is potentially ‘wormable,’ meaning it could spread without user interaction across the internet. We have seen devastating computer worms inflict damage on unpatched systems with wide-ranging impact, and are seeking to motivate increased protections against this flaw.”
Here’s NSA’s Rob Joyce on Twitter:
— Rob Joyce (@RGB_Lights) June 4, 2019
In addition to its more famous offensive mission of global electronic surveillance, the NSA is also tasked with defending U.S. networks. The NSA’s Cybersecurity Requirement Center authored the advisory, which listed out impacted systems and directions for mitigation.
Microsoft’s warning compares BlueKeep to WannaCry, the notorious 2017 ransomware worm allegedly developed by North Korea that infected hundreds of thousands of computers and caused millions of dollars in damage.
Although BlueKeep affects mostly older Windows versions, there are millions of old, unsupported Windows machines still out there—and, believe it or not, still being used in important places. It’s not unheard of for an American energy company, for instance, to have a Windows XP machine somewhere on the network.
That’s when using an old machine becomes a vulnerability to critical infrastructure. The Defense Department is also famous for its use of ancient Windows machines.
“Although Microsoft has issued a patch, potentially millions of machines are still vulnerable,” the NSA wrote.
“This is the type of vulnerability that malicious cyber actors frequently exploit through the use of software code that specifically targets the vulnerability. For example, the vulnerability could be exploited to conduct denial of service attacks,” it added.
“It is likely only a matter of time before remote exploitation tools are widely available for this vulnerability. NSA is concerned that malicious cyber actors will use the vulnerability in ransomware and exploit kits containing other known exploits, increasing capabilities against other unpatched systems.”
Microsoft’s Simon Pope urged anyone with an old Windows machine to update:
Just a reminder. Go patch your systems. We're not out of the woods yet. The likelihood of a worm is still high — we're only 15 days after Update Tuesday. There's still plenty of time for it to surface. I hope I'm wrong but the consequences could be devastating if it happens. https://t.co/JaQHcEkhZS
— Simon Pope (@skjpope) May 30, 2019
It’s almost certain that we’ll see malware exploiting this vulnerability at some point. In addition to the NSA’s concerns, the U.S. cybersecurity firm McAfee and exploit sales company Zerodium each independently said last month that they’d seen the flaw exploited.
It’s been about three weeks since BlueKeep was fixed. It took two months for WannaCry to be unleashed around the world. Following reports last week of around a million still-vulnerable machines, NSA wrote Tuesday that “potentially millions of machines are still vulnerable.”
Cybersecurity experts will be keeping their eyes open for months. So buckle up, this one’s not even close to over.