If the idea of someone running Windows XP in 2019 makes you laugh, I urge you to maintain that blissful naïveté. Just leave now.
Are they gone? OK, so, Windows XP, Vista, and the rest of those old and unsupported operating systems are still extremely real — and they’re everywhere.
The ancient software is still active in important places, such as the US Defence Department and inside the nation’s critical infrastructure. For those of you still handling old Windows machines, Microsoft has a serious message: Update as soon as possible.
Microsoft is warning that a recently patched vulnerability known as BlueKeep could have consequences as bad as WannaCry, the 2017 ransomware worm allegedly developed by North Korea that infected hundreds of thousands of computers.
Here’s Microsoft’s Simon Pope:
Just a reminder. Go patch your systems. We're not out of the woods yet. The likelihood of a worm is still high — we're only 15 days after Update Tuesday. There's still plenty of time for it to surface. I hope I'm wrong but the consequences could be devastating if it happens. https://t.co/JaQHcEkhZS
— Simon Pope (@skjpope) May 30, 2019
BlueKeep and WannaCry are similar in that they’re vulnerabilities in Remote Desktop Services, so they allow an attacker execute code remotely on a target computer. The BlueKeep vulnerability, rated a 9.8 out of 10 in severity, is so serious that Windows took the rare step of issuing patches for old and normally unsupported Windows versions including XP, 2003 and Vista.
Windows 8 and 10 are not impacted by BlueKeep, but millions of older Windows machines are still used by countless businesses and individuals around the world — sometimes even including in critical infrastructure.
The company is worried that malware utilising the BlueKeep vulnerability is “wormable”, which means that it “could propagate from vulnerable computer to vulnerable computer,” according to a Microsoft blog post published on Thursday.
“Microsoft is confident that an exploit exists for this vulnerability, and if recent reports are accurate, nearly one million computers connected directly to the internet are still vulnerable to CVE-2019-0708. Many more within corporate networks may also be vulnerable,” Microsoft’s Simon Pope wrote.
Exploits exist. The cybersecurity firm McAfee says researchers there developed an exploit for the flaw. The exploit sales company Zerodium “confirmed exploitability” of the flaw as well.
“It only takes one vulnerable computer connected to the internet to provide a potential gateway into these corporate networks, where advanced malware could spread, infecting computers across the enterprise,” Microsoft’s Pope wrote.
“This scenario could be even worse for those who have not kept their internal systems updated with the latest fixes, as any future malware may also attempt further exploitation of vulnerabilities that have already been fixed.”
It’s been two weeks since the fix to BlueKeep was released. It took two months from the patch for MS17-010 until the WannaCry malware exploited that vulnerability and spread around the world. The fact that the last two weeks have been quiet is no guarantee going forward.
For giant organisations and companies, reality is rarely as simple as “patch now”. Important computers can be deemed too crucial for downtime. Or maybe there is not enough money and resources to maintain a smart patch schedule. If that’s the case, admins should turn off RDS (and probably consider doing that anyway unless it’s necessary for you).
The reasons for slow updates are myriad, and what it means is that even weeks after a patch, over a million machines can remain vulnerable to critical vulnerabilities. That’s why hackers rarely have to come up with their own sexy new vulnerabilities and exploits — there are almost always countless out-of-date computers that can be targeted by old vulnerabilities that leave the doors wide open for attackers.
Zero-day vulnerabilities get the headlines, but it’s usually day one and much later on when the real damage happens.